Author |
Topic |
piki
Starting Member
1 Post |
Posted - 2010-06-22 : 12:35:59
|
I thought all was well and checked the SQL server log for fun and it had hundreds of error messages. Major freakout.

To find out more, I read http://blogs.msdn.com/b/sql_protocols/archive/2006/02/21/536201.aspx but I am sure that the login attempts were not created by anyone here. It must be a machine error. Can anyone point me to a place where I can find out how to solve this?

06/20/2010 12:36:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 12:36:59,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.
06/20/2010 11:57:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 11:57:59,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.
06/20/2010 11:18:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 11:18:59,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8. |
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
Posted - 2010-06-22 : 14:34:25
|
Hack attempt? What's got that IP address?

--
Gail Shaw
SQL Server MVP |
|
|
Kristen
Test
22859 Posts |
Posted - 2010-06-22 : 15:32:05
|
Are they not all for "SA" - e.g. some for "ADMIN" and so on as well? Are there any continuous attempts several-per-second over a period of time? Those would be the hallmarks of a hack-attack to me.

192.168.1.2 is local (firewall? - low number may indicate a fixed-IP machine such as gateway / firewall) so if all of them are for "SA" and they run regularly (the sample you show has a couple of attempts at 20-30 minute intervals, I doubt that is a hack-attempt) - then it is most likely something trying desperately to connect! But it should be changed so it does not use SA to login with! |
|
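Added example, not part of any post in this thread: a small triage script that applies the two hallmarks raised above (several login names, or continuous attempts at several per second) to failed-login lines in the export format shown in the first post. The function names, the thresholds and the second client address with its login names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample: the first four lines follow the thread's log, the rest are invented.
SAMPLE = """\
06/20/2010 12:36:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 12:36:59,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.
06/20/2010 11:57:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 11:18:59,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 192.168.1.2]
06/20/2010 10:00:01,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 10.9.8.7]
06/20/2010 10:00:01,Logon,Unknown,Login failed for user 'admin'. [CLIENT: 10.9.8.7]
06/20/2010 10:00:02,Logon,Unknown,Login failed for user 'backup'. [CLIENT: 10.9.8.7]
06/20/2010 10:00:02,Logon,Unknown,Login failed for user 'test'. [CLIENT: 10.9.8.7]
"""

FAILED = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d),Logon,[^,]*,"
    r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")

def parse(text):
    """Return {client: [(timestamp, login), ...]} with events sorted oldest first."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        m = FAILED.match(line)          # the paired "Error: 18456" lines are skipped
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            by_client[m.group(3)].append((ts, m.group(2)))
    return {client: sorted(events) for client, events in by_client.items()}

def classify(events, burst_per_sec=1.0, jitter_s=5.0):
    """Label one client's failures; both thresholds are illustrative assumptions."""
    logins = {login.lower() for _, login in events}
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    rate = len(events) / max(sum(gaps), 1.0)     # failures per second over the span
    if len(logins) > 1 or (len(events) >= 3 and rate >= burst_per_sec):
        return "possible password guessing"
    if len(gaps) >= 2 and pstdev(gaps) <= jitter_s:
        return "likely misconfigured client (fixed schedule)"
    return "inconclusive"

def triage(text):
    """Map each client address to its label."""
    return {client: classify(events) for client, events in parse(text).items()}
```

On the constructed sample, `triage(SAMPLE)` labels 192.168.1.2 as a fixed-schedule client and 10.9.8.7 as possible password guessing.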