nzmike
Starting Member
21 Posts
Posted - 2005-12-06 : 02:10:03

Hi all,

I'm a .Net developer and I look after a WS 2003 machine running SS 2000 and a couple of production and test databases. Recently we were hacked (due to our host's poor network security) and although we believed we cleaned the machine and all viruses, we are now getting our SQL logs filled with thousands of failed attempts to log in to the 'sa' account (or 'admin', 'database', 'root' etc)... then SQL Server either falls over or just stops working. Here's an extract from one of the logs (a small one!):

Would the fact the attempts are so close together in time suggest an automated password guessing program? Are we being hacked or am I totally off-track here?

I'm no SQL guru so any help or suggestions would be appreciated - I've strongly recommended to my client to rebuild the machine ASAP but she's wary of doing so due to cost to the business and downtime etc.

Cheers,
Mike
karuna
Aged Yak Warrior
582 Posts
Posted - 2005-12-06 : 02:27:34

If you don't have a login like admin or root then mostly I think it's some kind of automated program trying to hack in. If you do have those logins, see if any application is trying to access the server during that time frame.

Thanks
Karunakaran
nzmike
Starting Member
21 Posts
Posted - 2005-12-06 : 02:42:16

Thanks Karunakaran - any idea how I'd go about doing that? ("see any application is trying to access the server during that time frame."). Is there another log (or logs) I should look at?

Cheers,
Mike
nzmike
Starting Member
21 Posts
Posted - 2005-12-06 : 02:43:14

PS: No, we don't have any of those accounts except 'sa', which has a very strong password... which makes me think we're being hacked.

Mike
Kristen
Test
22859 Posts
Posted - 2005-12-06 : 04:45:04

The load that hack attempts burden the server with can, IME, bring a server to its knees.

Your best bet is to move the SQL to a different port. The scanners don't bother with them.

However, all the hack attempts I've seen use accounts in addition to 'sa' - such as 'admin' and the like, so if you are only seeing 'sa' it might be something legitimately trying, but with the wrong userid/password.

Kristen
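As an added example (not code from the thread or from any of its posters), a small Python script that parses SQL Server 2000 errorlog entries in the layout Mike posted and applies the heuristic Kristen gives above: rapid failures against logins that do not exist on the server ('admin', 'root') point to an automated guesser, while the same rapid run against one real login looks more like a client with a stale password. The log sample is constructed and the thresholds (gap of 2 seconds, burst of 3) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# One SQL Server 2000 errorlog entry: "<timestamp> <source> <message>".
# Only the logon-failure entries are matched; other sources are skipped.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +logon +"
    r"Login failed for user '(?P<user>[^']*)'\.$"
)

# Constructed sample in the same layout as the thread's extract, one entry per
# line; the final 'server' entry shows a non-logon line being ignored.
SAMPLE_LOG = """\
2005-12-05 07:32:59.54 logon Login failed for user 'sa'.
2005-12-05 07:33:00.25 logon Login failed for user 'sa'.
2005-12-05 07:33:00.96 logon Login failed for user 'sa'.
2005-12-05 07:33:01.68 logon Login failed for user 'root'.
2005-12-05 07:33:02.40 logon Login failed for user 'root'.
2005-12-05 07:33:03.12 logon Login failed for user 'admin'.
2005-12-05 07:33:03.84 logon Login failed for user 'admin'.
2005-12-05 17:33:22.02 server SQL Server terminating because of system shutdown.
"""

def parse_failures(text):
    """Return [(timestamp, login)] for every failed-login entry, in log order."""
    found = []
    for line in text.splitlines():
        m = LOGON_FAIL.match(line.strip())
        if m:
            found.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"]))
    return found

def assess(failures, known_logins, max_gap=2.0, min_burst=3):
    """Classify a run of failures. Thresholds are assumptions, not thread values:
    attempts spaced <= max_gap seconds apart against logins that do not exist on
    this server are the signature of an automated guesser; the same rapid run
    against real logins only is more likely a client with a wrong password."""
    per_login = Counter(user for _, user in failures)
    unknown = sorted(u for u in per_login if u not in known_logins)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(failures, failures[1:])]
    rapid = sum(1 for g in gaps if g <= max_gap)
    if unknown and rapid >= min_burst:
        verdict = "automated-guessing"
    elif rapid >= min_burst:
        verdict = "rapid-retries-known-login"
    else:
        verdict = "sporadic" if failures else "clean"
    return {"verdict": verdict, "per_login": dict(per_login), "unknown_logins": unknown,
            "rapid_pairs": rapid, "min_gap_s": min(gaps) if gaps else None}
```

Run `assess(parse_failures(open("ERRORLOG").read()), known_logins={"sa"})` against a real errorlog (the set of known logins should be taken from the server, for example from syslogins) to get the per-login counts and the verdict.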
steamngn
Constraint Violating Yak Guru
306 Posts
Posted - 2005-12-06 : 08:33:47

Mike,

This is probably a combination of both a hack and a legitimate logon attempt. If you take the server offline, does the logon issue continue? If so, you need to recheck the server for hack software. Remember to check any add-ins that may be using SQL Server, such as COM+ or backup software. Some backup apps like Veritas use a SQL database for backing up SQL Server, and it will fill the log in a hurry if the administration password is bad. If the login errors stop when you take the server off the 'net, then do as Kristen suggests and change ports, which is not a bad idea anyway.

Andy

There's never enough time to type code right, but always enough time for a hotfix...
nzmike
Starting Member
21 Posts
Posted - 2005-12-07 : 03:23:00

Thanks folks... it does look like a hack to me as in some of the logs they are trying to log in to 'admin', 'database' and 'root' IDs (none of which we have).

Changing the port is a good start - I'll google it anyway but can anyone tell me how I do that?

Cheers for the help and advice,
Mike
Kristen
Test
22859 Posts
Posted - 2005-12-07 : 05:02:16

"'admin', 'database' and 'root'"

Yup, that's the old SQL Worm virus (running elsewhere and trying to hack your box).

"Changing the port"

Enterprise Manager : Right click the server : Properties : [Network configuration] : TCP/IP (in "Enabled Protocols") : [Properties] : Normally 1433, change it to whatever you like. I recommend a number higher than 10,000 as that's a LONG way up for a port scanner to bother with. I think 32,000-odd is the limit (might be 64,000-odd).

In your connection string append ",1433" to the "name" of the server [use the port number you chose, obviously!], e.g.

strMyDBConnection = "Provider=sqloledb;Data Source=MyServer,1433;User Id=MyUserID;Password=MyPassword;Initial Catalog=MyDatabase;"

Kristen
nzmike
Starting Member
21 Posts
Posted - 2005-12-07 : 05:20:56

Thanks so much Kristen - I'll sort the port thing out right away.

I'm still not sure how we have this worm as we have all the patches MS have released for WS2003 and SS2000 - guess it's just a port vulnerability. (You can probably tell I'm no server guru!)

Cheers for the help... much appreciated.
Mike
activecrypt
Posting Yak Master
165 Posts
Kristen
Test
22859 Posts
Posted - 2005-12-07 : 09:35:30

"I'm still not sure how we have this worm"

I don't think you do - it's running somewhere else (out on the web if your box is in any way open to the web without a firewall etc.), found your IP address, seen that port 1433 [i.e. SQL Server] is open, and is "having a go". It will bring your server to its knees if several such infected machines target yours simultaneously, but changing port will fix it IME.

If your server is NOT open to the web then it's somewhere inside your organisation and it would be a good idea to find it and disinfect that machine!

Worth a Google for: virus sa admin root 1433

Kristen