| Author |
Topic |
|
Casey03
Starting Member
7 Posts |
 Posted - 2012-02-24 : 06:59:58
|
| Hello to all, First off I would like to say I don’t know anything about SQL what so ever apart from what it used for and that it exists. I currently working as a trainer engineer and been passed a support issue that has been raised. Windows: Server 2003 R2 SP 2SQL Version: 2005When looking at the event viewer we get the none stop error of,18456: Login failed for user 'sa'. Now when I am logged in as Administrator this error stops. I ran a profiler for login event fails and it only reports back the same error. I would guess it is something that is trying to login using the administrator account on the server but I can’t find what it is. Any help on this would be great! Thanks in advance |
|
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
Posted - 2012-02-24 : 07:03:28
|
| Use profiler with the hostname and program name (might be application name). That'll give you the name of the machine that the login attempts are coming from and the name of the application that's trying to connect. Should be enough to start investigating.--Gail ShawSQL Server MVP |
 |
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-24 : 07:10:41
|
| Ok cheers. Ill give that a try now and let you know what it reports |
|
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-24 : 09:35:41
|
| I have done the profiler again with Hostname and ApplicationName selected. It looks like this. EventClass: Aduit Login FailedHostname: ServerTextData: Login failed for user 'sa'Application Name: OSQL-32Erm it don't mean to much to me, the server im connected to is not called server nor is anything else on the network. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
russell
Pyro-ma-ni-yak
5072 Posts |
Posted - 2012-02-24 : 12:30:04
|
| look for scheduled sql agent jobs, and windows sceduler jobs calling osql.Is virus scan running on the box? And as Tara said, might be a hacking attempt. |
|
|
|
jackv
Master Smack Fu Yak Hacker
2179 Posts |
Posted - 2012-02-25 : 03:46:34
|
| One other thing to check is if a security probe is running. It's not unusual within organisations to have the Security dept running regular logon attempts with common logon accounts . Normally , this is done in a scheduledy way , example 4 times a dayJack Vamvas--------------------http://www.sqlserver-dba.com |
|
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-27 : 03:53:05
|
| We currently have an anti-virus program running on the machine. I will do a scan anyways to double check. I will also look into the other options you have said. Once all is completed i will report back |
|
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-27 : 03:57:50
|
| Oh forgot to add that there is no schedule to do with osql or any sql what so ever. |
|
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-27 : 05:47:38
|
| No Virus has been found. But i was able to locate 3 trojans on the systems. They have been removed and a restart will go ahead at some point today. I was informed that someone had all ready done these scans but it appears they couldnt have been done. Could a trojan cause this problem? |
|
|
|
Casey03
Starting Member
7 Posts |
Posted - 2012-02-29 : 04:27:05
|
| All malwar and trojans have been removed. Still getting this error.. Any more ideas ?? |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
|
"SA" Login Failure