SQL Server Forums
 Brute Force Attack or Something Else??

cre8tor
Starting Member, 7 Posts
Posted - 05/31/2002 : 11:22:56

I administer a public SQL 2k server that stores and serves dynamic content as well as customer account information. After our migration to a new server I've been monitoring the log files (the audit level is set for failure) and I now see multiple continuous logon failures for the sa account and I'm concerned that there is some kind of brute force attack being tried on the sql server.

Authentication is set to SQL server and Windows since I have to remotely administer the server. SQL agent is running fine and hasn't produced any errors (it's using NT authentication).

Does anyone have any ideas - I searched the knowledge base but came up with nothing. I'm a "casual" SQL user just starting to get into the more advanced areas of SQL 2k.

My first post, please go easy. :)

Thanks in advance,

MichaelP
Jedi Yak, USA, 2489 Posts
Posted - 05/31/2002 : 11:25:58
There is a SQL worm going around that attacks SQL Servers that are on the Internet with blank SA passwords.

Read about it here:
http://www.sqlteam.com/redir.asp?ItemID=9392

cre8tor
Starting Member, 7 Posts
Posted - 05/31/2002 : 11:29:41
I'm familiar with the worm. I'm curious if that's what's trying to crack the password - where is it running from and how the hell do I stop it?

She's never had a blank password.


macka
Posting Yak Master, United Kingdom, 162 Posts
Posted - 05/31/2002 : 11:44:47
As I understand it, Enterprise Manager polls the server every 10 seconds (by default) to obtain the current state of the server. Is it possible that somebody has registered this server through EM with the incorrect password?

MichaelP
Jedi Yak, USA, 2489 Posts
Posted - 05/31/2002 : 11:48:37
Well, I'm not sure that they are trying to brute force attack your SA password, but it's probably lots of servers trying to log in with a blank password.

To make it stop, don't put your SQL server on the outside world. It sounds like you can't do this though.

Michael

graz
Chief SQLTeam Crack Dealer, USA, 4137 Posts
Posted - 05/31/2002 : 12:07:40
According to an article on the worm it checks for servers with blank passwords AND tries a limited brute force attack. I think that comment was in the CNET article.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

cre8tor
Starting Member, 7 Posts
Posted - 05/31/2002 : 12:39:19
quote:

As I understand it, Enterprise Manager polls the server every 10 seconds (by default) to obtain the current state of the server. Is it possible that somebody has registered this server through EM with the incorrect password?

Good try, but I'm the only one that administers the server.

setbasedisthetruepath
Used SQL Salesman, USA, 992 Posts
Posted - 05/31/2002 : 13:02:52
So you think ...

setBasedIsTheTruepath
<O>

cre8tor
Starting Member, 7 Posts
Posted - 05/31/2002 : 13:17:21
lol -

I just put a super-long super-duper complicated password on the sa account. I have to write it down to remember it. j/k

Merkin
Funky Drop Bear Fearing SQL Dude!, Australia, 4970 Posts
Posted - 06/01/2002 : 01:20:16
Hi

Here are a few other ideas that might help you sleep better at night.

First up, change the port that SQL Server uses. Pick another one and use that; I am assuming the worm is only trying 1433.

Another thing you might be able to do is firewall off access to your SQL Server but set up a VPN. This way you need to authenticate with the VPN before you can log in to your server. That is a little more work, but it will stop random scans from being successful.

Good luck

Damian

Edited by - merkin on 06/01/2002 01:22:40

cre8tor
Starting Member, 7 Posts
Posted - 06/03/2002 : 16:12:53
It would be nice if the logs contained IP address information. Does anyone know if there is a way to do this?
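
The failed sa logons described in the first post, and the question above about client addresses, as an added example that is not from the thread: a small Python detector that parses SQL Server errorlog lines (the sample lines below are constructed), picks up the "[CLIENT: ...]" address where the log format includes one (SQL Server 2000's errorlog did not; later versions do), and flags any account with a burst of failures inside a sliding window. The threshold and window are assumed values to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample errorlog lines. SQL Server 2000 wrote no client address;
# later versions append "[CLIENT: x.x.x.x]" to the failed-login message.
SAMPLE_LOG = """\
2002-05-31 11:20:01.12 logon     Login failed for user 'sa'.
2002-05-31 11:20:02.03 logon     Login failed for user 'sa'.
2002-05-31 11:20:02.91 logon     Login failed for user 'sa'.
2002-05-31 11:20:03.77 logon     Login failed for user 'sa'.
2002-05-31 11:20:04.50 logon     Login failed for user 'sa'.
2002-05-31 11:41:10.00 logon     Login failed for user 'webapp'.
2002-05-31 12:00:00.00 server    SQL server listening on TCP, Shared Memory, Named Pipes.
2002-05-31 12:05:00.00 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.?"
    r"(?:.*\[CLIENT: (?P<client>[^\]]+)\])?"
)

def parse_failed_logins(text):
    """Return (ts, user, client) per failed login; client is None if absent."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-logon lines (e.g. 'server' entries) are skipped
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per account, peak failures in a sliding window, if >= threshold."""
    by_user = defaultdict(list)
    for ts, user, _client in events:
        by_user[user].append(ts)
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts
```

Run against the sample, `detect_bursts(parse_failed_logins(SAMPLE_LOG))` returns `{'sa': 5}`: five sa failures in four seconds trip the alert, while the single later attempt with a client address does not.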

Merkin
Funky Drop Bear Fearing SQL Dude!, Australia, 4970 Posts
Posted - 06/03/2002 : 19:15:55
You might want to look at getting an Intrusion Detection System (IDS) as well. It will log all of that goodness.

You can get the open source Snort or go and spend some megabucks on an enterprise solution from CA or someone like that.

Damian

cre8tor
Starting Member, 7 Posts
Posted - 06/04/2002 : 18:01:15
Merkin,

I owe you one, bud. Snort is absolutely fantastic!

Within 10 minutes it has logged port scans, the sa logon attempts and attacks on the IIS server.

The netblock of the sa logon attempts is from Bell South so I shot out an email to their network admin.

Thanks again,
I owe you one

SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC