Author |
Topic |
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-12-07 : 11:52:31
|
This afternoon there has been a small spate of attempted logins showing in our logs for our SQL Server 7. First it was a few Login failed for user (null)'s then "sa" then my SQL login name (I was away from my computer and it was locked) then from my Windows account, mixed with sa again. This is over a 45 minute period.

My question is - does anyone know a way of tracing these attempts or of trying to work out the source? I presume I won't be able to do it for these attempts but would like to put something in place should there be further ones.

Many thanks in advance

steve
-----------
Don't worry head. The computer will do all the thinking from now on. |
|
Page47
Master Smack Fu Yak Hacker
2878 Posts |
Posted - 2006-12-07 : 11:58:20
|
You should be able to track some additional information with profiler.

Jay
to here knows when |
 |
|
Kristen
Test
22859 Posts |
Posted - 2006-12-07 : 14:09:21
|
Move SQL to a non-standard port number ...

IME once people have enough access to try port scanning they will bring the server to its knees.

Yours might be internal though ... someone on the LAN with some Virus thingie that is running "within" only, and once you've found it and killed it you are sorted.

Kristen |
 |
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2006-12-07 : 14:23:35
|
What does Windows Security Log tell you? The one on the same machine as the SQL Server.

If you have set the option to log failed logins, you can easily see from which machine the attempts were made.

I have used this before to track down an employee with a grudge.

Peter Larsson
Helsingborg, Sweden |
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-12-08 : 03:17:43
|
Many thanks guys I'll look at all your suggestions.

quote: You should be able to track some additional information with profiler.

Jay, wouldn't profiler have had to be running at the time? It wasn't and it isn't run as a matter of course. Should I change that?

quote: Yours might be internal though

That's my suspicion because of the Windows Authentication

quote: What does Windows Security Log tell you?

Thanks Peso am about to look at that. As I recall it is setup to monitor failed logins

One of the things I am wondering is if we should also monitor successful logins. It was switched off in SQL server partly because of the volume of data it generated. What do others do? Is there a "best practice" for this?

steve
-----------
Don't worry head. The computer will do all the thinking from now on. |
 |
|
Kristen
Test
22859 Posts |
Posted - 2006-12-08 : 04:14:13
|
"As I recall it is setup to monitor failed logins"

You referring to the SQL Server Log? That will tell you what UserID login was attempted, but that's all. I think Peso was referring to the Security tab in Windows Event Log

Kristen |
 |
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2006-12-08 : 08:10:28
|
Yes I was.

This way we pinpointed an employee who secretly tried to steal information about our customers, before starting his own business.

We never charged him. We just let him go with no severance pay.

Peter Larsson
Helsingborg, Sweden |
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-12-11 : 03:42:21
|
The windows security log is completely empty. I get the impression that may not be a good thing!

steve
-----------
Don't worry head. The computer will do all the thinking from now on. |
 |
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2006-12-11 : 03:58:12
|
Open Enterprise Manager.
Right-click the Server in question.
Choose Properties and click Security Tab.
In Audit Level area, click Failure.
Restart SQL service.

Now, whenever a bad attempt to login is made, information about remote workstation, user name and so on is logged in the Windows Security Log.

Peter Larsson
Helsingborg, Sweden |
 |
|
eyechart
Master Smack Fu Yak Hacker
3575 Posts |
Posted - 2006-12-11 : 04:00:57
|
quote: Originally posted by elwoos
The windows security log is completely empty. I get the impression that may not be a good thing!

The OS security log is disabled by default. Search Microsoft for how to enable, it is a security policy setting. You should also enable the SQL server login auditing. You can do that with Enterprise Manager.

If you continue to have unidentified login attempts to your system you may want to use a sniffer to see exactly what is going on. We use wireshark (it used to be called ethereal). It is free, opensource and extremely powerful. You should be able to start a packet capture and narrow down the communications by correlating the login failure times in the event logs.

good luck.

-ec

EDIT: fixed typo |
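Added example, not part of the original thread: one way to do the correlation described in the post above, turning failed-login entries from the SQL Server log into padded time windows that a packet capture or the Windows Security log can be filtered on. The log lines are constructed, and the line layout, the function names and the 5-minute gap and 30-second padding are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample. The layout (timestamp, source, message) is an assumption
# modelled on SQL Server error-log entries written when failed-login auditing is on.
SAMPLE_LOG = """\
2006-12-07 11:05:02.11 logon     Login failed for user '(null)'.
2006-12-07 11:05:09.48 logon     Login failed for user '(null)'.
2006-12-07 11:06:40.02 logon     Login failed for user 'sa'.
2006-12-07 11:07:12.90 spid3     Starting up database 'master'.
2006-12-07 11:31:15.27 logon     Login failed for user 'steve'.
2006-12-07 11:31:58.73 logon     Login failed for user 'EXAMPLE\\steve'.
2006-12-07 11:33:01.05 logon     Login failed for user 'sa'.
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'", re.MULTILINE)

def parse_failures(log_text):
    """Return [(datetime, login_name)] for every failed-login line, in time order."""
    events = [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"])
              for m in FAILED.finditer(log_text)]
    return sorted(events)

def bursts(events, max_gap=timedelta(minutes=5), pad=timedelta(seconds=30)):
    """Group failures separated by <= max_gap; pad each window for clock skew."""
    groups = []
    for ts, user in events:
        if groups and ts - groups[-1]["last"] <= max_gap:
            groups[-1]["last"] = ts
            groups[-1]["users"][user] += 1
        else:
            groups.append({"first": ts, "last": ts, "users": Counter({user: 1})})
    return [(g["first"] - pad, g["last"] + pad, dict(g["users"])) for g in groups]

if __name__ == "__main__":
    # Each printed window is a time range to filter the capture or event log on.
    for start, end, users in bursts(parse_failures(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S} to {end:%H:%M:%S}  {users}")
```

The SQL Server log alone only gives the login name, so the windows are useful only once a capture or the Security log is recording the source machine for the same period.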
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-12-11 : 11:13:53
|
Many thanks to all who responded, much appreciated. Let's hope I don't have to use wireshark - it sounds very useful to know about.

I am off to enable the OS security logs.

steve
-----------
Don't worry head. The computer will do all the thinking from now on. |
 |
|
ToddNelson
Starting Member
2 Posts |
Posted - 2006-12-12 : 15:10:08
|
"I am off to enable the OS security logs."

Me too now that I read this topic. Thanks All. |
 |
|
|