Multiple "Login failed for user 'sa'" messages in profiler - is it hacker?

  • Question

  • Hello,

    I've recently faced a situation that I need some help with. I have SQL Server 2005 installed on a machine on the default port. Everything was OK until the previous week: my database email sent me a message with the error 'SQL Server Alert System: 'Demo: Sev. 20 Errors' occurred on <servername>'. I found some links on the internet (hardware failure, etc.) but that didn't help. I started SQL Server Profiler in order to find out more information and after some time found the following error: Login failed for user 'sa'. There were multiple errors per second and the ApplicationName was 'OSQL-32'. I'm sure that the 'sa' login is not available to users of SQL Server as they use a different login. So I suppose that this is a hacker attack. In addition, I checked the hacker's IP and found that none of my users have such an IP.

    What do you think about this situation? Could anyone help me to configure my server security properly? Here are the possible solutions that I see:

    1) Block hacker IPs

    2) Disable 'sa' login and use another administrator login

    3) Lower user login privileges

    4) Move SQL Server to another port

    What are the best practices in this situation? Please advise.


    Tuesday, September 27, 2011 7:13 AM

All replies

  • Hi,

    You should certainly block the hacker's IP address.

    Are any of your users actually using SQL Authentication, or is everybody using Windows Authentication to log in? If all are using Windows Authentication (which is best practice) then you should change the server's authentication mode to Windows Authentication Only.

    If you do need SQL Auth, change the name of the sa account, and give it a new strong password, 25+ chars, 4/4 complexity.

    Moving the server to another port may be required, but could cause issues for your own internal applications.

    Also, review your firewall strategy. You should have two firewalls between SQL Server and the internet: an internal firewall, which allows access to your SQL port, and a perimeter firewall, which stops internet traffic on that port and instead allows access to the port your application is using.

    Hope that makes sense and helps. Let me know if you need any clarification.

    Pete


    Peter Carter http://sqlserverdownanddirty.blogspot.com/
    • Proposed as answer by Peja Tao Thursday, September 29, 2011 2:14 AM
    • Marked as answer by Peja Tao Thursday, October 6, 2011 9:19 AM
    Tuesday, September 27, 2011 9:13 AM
  • All of them are good, you can even change the 'sa' login to something else. Is it a web application that connects to the server?
    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Tuesday, September 27, 2011 9:13 AM
  • Hi,

    Thanks for your answers.

    Users access SQL Server via a desktop tool (ADO.NET) and they log in using SQL Auth. To start with, I will disable the 'sa' account and block the hacker's IPs. Do you know if it's possible to get the information that the hacker is trying to use for login? I'd like to check what passwords are being sent to SQL Server.

    Tuesday, September 27, 2011 10:11 AM
  • No, I think you need to talk to the internet provider or something.


    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Tuesday, September 27, 2011 10:38 AM
  • To start with you can disable SA until you are sure that there are no more unknown access tries.

    I would recommend you to discuss with internal application teams and decide to change the default port on which SQL listens. Normally it's easy for a hacker to reach your server when it listens on the default port.

    A very strong SA password can be chosen once you decide to turn it on.

    Firewall strategy is already mentioned by Pete and that is your best bet going forward for protecting your SQL Server.

    Thank you,



    Anup | Forum Support| If you think my suggestion is useful, please rate it as helpful. If it has helped you to resolve the problem, please Mark it as Answer.
    • Proposed as answer by Peja Tao Thursday, September 29, 2011 2:20 AM
    • Marked as answer by Peja Tao Thursday, October 6, 2011 9:19 AM
    Tuesday, September 27, 2011 5:44 PM
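    The T-SQL behind Pete's and Anup's advice (check the authentication mode, give sa a new strong password, rename it, disable it, and optionally switch the instance to Windows-only authentication), written for SQL Server 2005. This is an added example and not code posted in the thread; the login name dba_admin, the renamed sa name svc_legacy_sa and both passphrases are placeholders to replace.

```sql
-- Added example, not code from the thread: the T-SQL behind Pete's and Anup's
-- advice on a SQL Server 2005 instance. Run it as a sysadmin in sqlcmd or SSMS.
-- Placeholders to replace: the login name dba_admin, the renamed sa name
-- svc_legacy_sa and both passphrases.

-- 1. Which authentication mode is the instance in?
--    1 = Windows Authentication only, 0 = mixed mode (SQL logins allowed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Before touching sa, make sure an administrator that is not sa exists,
--    with the Windows password policy and expiry enforced on it.
CREATE LOGIN dba_admin
    WITH PASSWORD = '<first 25+ character passphrase>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
EXEC sp_addsrvrolemember @loginame = 'dba_admin', @rolename = 'sysadmin';

-- 3. Replace the sa password, so whatever list is being tried is now useless,
--    then rename the login so the well-known name 'sa' no longer exists.
--    Existing sessions are unaffected; only new logins see the change.
ALTER LOGIN sa WITH PASSWORD = '<second 25+ character passphrase>';
ALTER LOGIN sa WITH NAME = svc_legacy_sa;

-- 4. Anup's option: switch the renamed login off until the unknown attempts
--    stop, and re-enable it (ALTER LOGIN ... ENABLE) only when really needed.
ALTER LOGIN svc_legacy_sa DISABLE;

-- 5. Pete's option, if every user can use Windows Authentication: put the
--    instance into Windows-only mode. This writes the same registry value the
--    SSMS Server Properties dialog writes (LoginMode 1 = Windows only,
--    2 = mixed) and takes effect after a service restart.
EXEC master.dbo.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'LoginMode', REG_DWORD, 1;

-- 6. Verify: the name 'sa' resolves to nothing, the renamed principal is
--    disabled, and the new administrator is a member of sysadmin.
SELECT name, is_disabled, type_desc
FROM sys.server_principals
WHERE name IN ('sa', 'svc_legacy_sa', 'dba_admin');
SELECT IS_SRVROLEMEMBER('sysadmin', 'dba_admin') AS dba_admin_is_sysadmin;  -- 1 = yes
```

    Step 2 comes first on purpose: once sa is renamed and disabled, dba_admin is the only way back in, so confirm its sysadmin membership (step 6) before closing the session that ran the script. Step 5 is only safe after the desktop tool described in the question has been moved off SQL logins.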
  • If this is a hacker attack and it comes from the outside, the most important question is: why is the server exposed on the Internet at all? There should be a firewall to prevent someone from coming in that way.

    If you already are on a corporate network behind a network, I would guess that this is a job of some sort which maybe has been pointed to the wrong server. That should be possible to deduce from the IP address. If it starts with 10.*.*.*, 172.*.*.* or 192.168.*.* it's likely to be internal.

    Of course, even if it comes from within your organisation, it could be an intruder or a malicious user.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Proposed as answer by Peja Tao Thursday, September 29, 2011 2:21 AM
    • Marked as answer by Peja Tao Thursday, October 6, 2011 9:19 AM
    Tuesday, September 27, 2011 9:42 PM
  • Hi,

    Thanks for your answers.

    Users access SQL Server via a desktop tool (ADO.NET) and they log in using SQL Auth. To start with, I will disable the 'sa' account and block the hacker's IPs. Do you know if it's possible to get the information that the hacker is trying to use for login? I'd like to check what passwords are being sent to SQL Server.


    You can enable logging for successful logins on SQL Server; failed logins are logged by default (hope nobody changed that). You cannot capture password information even if you run SQL trace; that's by design.

    As mentioned by others, work with your network admin and internet service provider to figure out the source of the intrusion attempt. However, I wouldn't spend all my time here. If it really were an intentional attack, an expert would not be doing it from home. A wannabe will be easy for the network specialists to trace. Either way, not much you can do so fill the others in and let them get to work.

    Make sure nothing actually got through, including your users' machines. What you saw may just be one of many attempts that have taken place over a period of time and you need to verify that there were no successful penetrations so far. Else, all the blocking you do internally won't be of much help if they've already dropped a backdoor on one or more of your machines.

    Finally, work on hardening your environment, again including your users' machines. Some good suggestions here already. Check out the SQL Server security page for more guidance/ideas.



    No great genius has ever existed without some touch of madness. - Aristotle
    • Proposed as answer by Peja Tao Thursday, September 29, 2011 2:23 AM
    • Marked as answer by Peja Tao Thursday, October 6, 2011 9:19 AM
    Wednesday, September 28, 2011 3:41 PM
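    A triage script for the situation in this thread, as an added example that is not code from the thread: it checks that failed-login auditing is still on (the last answer's "failed logins are logged by default"), reads the "Login failed for user 'sa'" lines from the SQL Server 2005 error log instead of a Profiler trace, summarises them per client address with Erland's internal-versus-external test, and then looks at live sessions and recently changed logins for the "make sure nothing actually got through" step. It goes slightly beyond the thread in that last part. The temp-table name and the sample log line in the comments are constructed; sp_readerrorlog and xp_instance_regread are undocumented procedures that ship with the product.

```sql
-- Added example, not code from the thread: triage of a stream of
-- "Login failed for user 'sa'" events on SQL Server 2005 from the error log.
-- The temp table name and the sample line below are constructed.

-- 1. Is failed-login auditing still on? AuditLevel: 0 = none, 1 = successful
--    logins only, 2 = failed logins only (the default), 3 = both.
DECLARE @audit_level INT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    @audit_level OUTPUT;
SELECT @audit_level AS audit_level;

-- 2. Read every sa failure from the current error log (log 0, type 1 = SQL
--    error log). A constructed sample of the lines this returns:
--    2011-09-26 10:15:03.12  Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.7]
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(64), Text NVARCHAR(MAX));
INSERT INTO #errlog (LogDate, ProcessInfo, Text)
EXEC master.dbo.sp_readerrorlog 0, 1, N'Login failed for user ''sa''';

-- 3. Pull the client address out of the [CLIENT: ...] suffix and summarise
--    per source. Several failures per second from one address over minutes
--    is a guessing loop, not an application retrying a stale password.
WITH attempts AS (
    SELECT LogDate,
           SUBSTRING(Text,
                     CHARINDEX('[CLIENT: ', Text) + 9,
                     CHARINDEX(']', Text, CHARINDEX('[CLIENT: ', Text))
                         - CHARINDEX('[CLIENT: ', Text) - 9) AS client_ip
    FROM #errlog
    WHERE Text LIKE '%[[]CLIENT: %'
)
SELECT client_ip,
       -- Erland's rule of thumb: RFC 1918 ranges (and the local machine) are internal.
       CASE WHEN client_ip LIKE '10.%'
              OR client_ip LIKE '172.1[6-9].%'
              OR client_ip LIKE '172.2[0-9].%'
              OR client_ip LIKE '172.3[01].%'
              OR client_ip LIKE '192.168.%'
              OR client_ip = '<local machine>'
            THEN 'internal'
            ELSE 'external' END AS origin,
       COUNT(*) AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen,
       COUNT(*) * 60.0
           / NULLIF(DATEDIFF(SECOND, MIN(LogDate), MAX(LogDate)), 0) AS failures_per_minute
FROM attempts
GROUP BY client_ip
ORDER BY failures DESC;

-- 4. "Make sure nothing actually got through": successful logins reach the log
--    only when AuditLevel is 1 or 3, so check live state as well. Any session
--    whose address or program (the thread saw 'OSQL-32') you cannot account
--    for deserves a closer look.
SELECT s.session_id, s.login_name, c.client_net_address, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;

-- 5. Logins created or changed in the last two weeks, with sysadmin status:
--    a new principal here is what a successful guess would leave behind.
SELECT name, type_desc, create_date, modify_date,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND modify_date >= DATEADD(DAY, -14, GETDATE())
ORDER BY modify_date DESC;

DROP TABLE #errlog;
```

    Step 3 answers the question the thread keeps circling: an "internal" source with a steady rate points at Erland's misdirected job, an "external" one at the exposed port Pete and Anup describe. As the last answer says, none of this shows the passwords being tried; the log only records that a login for 'sa' failed and from where.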