RE: SQL Server attack

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 6 Sep 2005 12:23:50 -0700

There's an acronym missing that could help you here - "ISA".

Why are you publishing your SQL to the Internet?

-------------------------------------------------------

   Jim Harrison

   MCP(NT4, W2K), A+, Network+, PCG

   http://isaserver.org/Jim_Harrison/

   http://isatools.org

   Read the help / books / articles!

-------------------------------------------------------

________________________________

From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] 
Sent: Tuesday, September 06, 2005 12:13
To: [ISAserver.org Discussion List]
Subject: [isalist] SQL Server attack

http://www.ISAserver.org

The short version of the story is that an external attacker is
attempting to log on to the instance of SQL Server that runs on my
SBS2000 server more than once per second using brute force to try to
guess the password for the sa or admin accounts. These fail because SQL
is set only to use integrated security but the attempt fills up the
Security log to the point that the server shuts down when the NT
Security log overflows. I need help in blocking any external access to
SQL Server. Here are the details:

Platform: W2K sp4 with all MS updates and patches running SBS2000 with
all updates and patches. Runs well with rarely a problem other than the
one mentioned. SBS is configured to run in integrated mode. Server has
an internal NIC for the LAN and an external one pointing to my ISP.
Clients are Firewall Clients but client IE is configured to use Web
Proxy. No problems with client access to the Internet. Clients are all
XP Pro using the SBS Server as the DHCP server. No known DNS problems,
internally or externally.

Components: SQL Server 2000, ISA Server 2000, IIS. Exchange, Outlook and
shared fax are NOT installed.

The exact notice that appears in the server Security log is as follows:

Event Type:       Information
Event Source:     MSSQLSERVER
Event Category:   (4)
Event ID:         17055
Date:             9/6/2005
Time:             7:03:11 AM
User:             N/A
Computer:         PCC1
Description:
18456 :
Login failed for user 'sa'.

Data:
0000: 18 48 00 00 00 00 00 00   .H......
0008: 05 00 00 00 50 00 43 00   ....P.C.
0010: 43 00 31 00 00 00 07 00   C.1.....
0018: 00 00 6d 00 61 00 73 00   ..m.a.s.
0020: 74 00 65 00 72 00 00 00   t.e.r...

Event Type:       Information
Event Source:     MSSQLSERVER
Event Category:   (4)
Event ID:         17055
Date:             9/6/2005
Time:             7:03:11 AM
User:             N/A
Computer:         PCC1
Description:
18456 :
Login failed for user 'sql'.

Data:
0000: 18 48 00 00 00 00 00 00   .H......
0008: 05 00 00 00 50 00 43 00   ....P.C.
0010: 43 00 31 00 00 00 07 00   C.1.....
0018: 00 00 6d 00 61 00 73 00   ..m.a.s.
0020: 74 00 65 00 72 00 00 00   t.e.r...

I note that SQL Server is configured to listen to the two external IP
addresses bound to the external NIC. I am going to see if the SQL Server
Admin program will allow me to change this to listen only to internal
addresses. If this can be done it should solve the problem. But does
anyone have a better idea based on ISA?
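Added example, not from either poster: a small Python parser for the Security-log dump format quoted above. It pulls out the MSSQLSERVER 17055 records whose description is the 18456 "Login failed for user" message and measures the failure rate with a sliding window, which is the check that surfaces the more-than-once-per-second pattern (and the accounts being tried) before the log fills up. The sample records are constructed in the post's layout; the window length and alert threshold are assumed values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

def record(time, user):
    """Render one entry in the post's Security-log layout (constructed; hex Data omitted)."""
    return (f"Event Source:    MSSQLSERVER\nEvent ID:           17055\n"
            f"Date:                9/6/2005\nTime:                {time}\n"
            f"Computer:         PCC1\nDescription:\n18456 :\n"
            f"Login failed for user '{user}'.\n")

# Constructed sample: two failures per second, against several accounts.
SAMPLE_LOG = "".join(record(t, u) for t, u in [
    ("7:03:11 AM", "sa"), ("7:03:11 AM", "sql"),
    ("7:03:12 AM", "sa"), ("7:03:12 AM", "admin")])

def parse_failed_logins(text):
    """Return [(timestamp, user)] for each 17055 'Login failed for user' record."""
    out = []
    for chunk in re.split(r"(?m)^Event Source:", text)[1:]:
        eid = re.search(r"Event ID:\s+(\d+)", chunk)
        date = re.search(r"Date:\s+(\S+)", chunk)
        time = re.search(r"Time:\s+(\d+:\d+:\d+ [AP]M)", chunk)
        user = re.search(r"Login failed for user '([^']*)'", chunk)
        if not (eid and date and time and user) or eid.group(1) != "17055":
            continue  # other MSSQLSERVER events, or an unrelated 17055 message
        ts = datetime.strptime(f"{date.group(1)} {time.group(1)}",
                               "%m/%d/%Y %I:%M:%S %p")
        out.append((ts, user.group(1)))
    return out

def peak_rate(events, window_seconds):
    """Largest number of failures within any sliding window (log has 1 s resolution)."""
    times = sorted(ts for ts, _ in events)
    window, head, peak = timedelta(seconds=window_seconds), 0, 0
    for i, ts in enumerate(times):
        while head < i and ts - times[head] >= window:
            head += 1  # drop failures that have aged out of the window
        peak = max(peak, i - head + 1)
    return peak

def brute_force_summary(text, window_seconds=60, threshold=60):
    """Flag the excerpt when the peak rate reaches the threshold; list accounts tried."""
    events = parse_failed_logins(text)
    peak = peak_rate(events, window_seconds)
    return {"failures": len(events), "peak": peak,
            "accounts": dict(Counter(u for _, u in events)),
            "alert": peak >= threshold}
```

Running `brute_force_summary(SAMPLE_LOG, window_seconds=2, threshold=4)` on the constructed sample reports four failures in a two-second window against sa, sql and admin and raises the alert.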
