Were We Hacked?
May 1, 2008
Hi
I am looking through our SQL Server 2005 logs under Management | SQL Server Logs on the server in SSMS. I am seeing a ton of login failed entries in the log that say:
Date 5/1/2008 3:00:01 AM
Log SQL Server (Current - 5/1/2008 7:05:00 AM)
Source Logon
Message
Login failed for user 'sa'. [CLIENT: <local machine>]
The reason it is odd is that it has been occurring all night (many times per second) and no one accesses this sql server as sa during the night or that often at all. Only a few people access it anyway and I know no one should be accessing it at 7:05AM or 4am for that matter, but someone appears to have been.
What is troubling is the part that says:
login failed for user 'sa'. [Client: <local machine>]
Does this mean they were connecting from the local machine which means they gained access to the local machine? Right now I'm trying to just determine if they have accessed the server or not as I'm not sure. We continue to see many failed logon audits in the event log which are current so it appears they have not logged on yet successfully, but then I see entries like this in the sql server logs and then I'm not so sure.
Thanks for any suggestions. This server is locked up in a fence at an ISP's facility so no one should be accessing this server, especially in the middle of the night. Not from the local machine anyway. We did change the SA password and I think we changed all web apps, etc. that connect as SA first to no longer use SA, but there may be one we missed. I use low privileged accounts, but we did find a couple using SA. But if one still was trying to connect as SA with the old password this would explain the failed login attempt in the log, except it says local machine for client and that is what troubles me. I don't know that we have any apps on the local machine trying to connect as SA. I don't administer the BackupExec, so I should check that, but I don't think it uses the SA account. I think, correct me if I'm wrong, that it uses the SQL Agent account which for us right now is Local System. I know, I know that is bad and I'm trying to change that now that I'm working with this server.
Anyway, I would appreciate any input or help so that I can determine if we've been hacked or not, or if the hacker has not gotten in and is still just trying. We have a firewall on the way which will lock things down, but once it is here I want to reformat this drive if it has been hacked and start from scratch and set things up right (no local system account for SQL Agent or other services, etc.).
One other thing... I also see some invalid login attempts from an IP address too. These could be our apps if we have any still trying to use sa. I need to check the IP address, but it is weird for me to see some coming from local machine and some from an IP address in the middle of the night. This could be from an app, not unlikely at all, but I thought I'd throw that in there.
Thanks in advance!!!
Chad
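As an added triage example (not from Chad's post), the script below parses ERRORLOG-style "Login failed" lines, groups them by login and client, and separates a burst of attempts within one second from the slow, periodic retries a forgotten app or job with a stale password would produce. The log lines are constructed to match the shape quoted above, and the burst threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the shape of a SQL Server 2005 ERRORLOG
# (timestamp, source, message); not taken from the original post.
SAMPLE_LOG = """\
2008-05-01 03:00:01.23 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2008-05-01 03:00:01.45 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2008-05-01 03:00:01.81 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2008-05-01 03:00:02.02 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2008-05-01 03:15:00.10 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2008-05-01 03:30:00.11 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2008-05-01 03:45:00.09 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2008-05-01 04:00:00.00 Server      SQL Server is now ready for client connections.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<src>\S+)\s+"
    r"Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_failures(text):
    """Yield (timestamp, user, client) for each failed-login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]

def triage(text, burst_threshold=3):
    """Group failures by (user, client) and flag bursts vs. slow, periodic retries."""
    per_second = defaultdict(Counter)  # (user, client) -> Counter of attempts per second
    spans = {}                         # (user, client) -> (first seen, last seen)
    for ts, user, client in parse_failures(text):
        key = (user, client)
        per_second[key][ts] += 1
        first, last = spans.get(key, (ts, ts))
        spans[key] = (min(first, ts), max(last, ts))
    report = {}
    for key, secs in per_second.items():
        peak = max(secs.values())  # assumed threshold: >= 3 in one second looks automated
        report[key] = {
            "total": sum(secs.values()), "peak_per_second": peak,
            "first": spans[key][0], "last": spans[key][1],
            "verdict": "burst: many attempts per second, automated guessing likely"
                       if peak >= burst_threshold
                       else "slow/periodic: check for an app or job with a stale password",
        }
    return report
```

A client of `<local machine>` means the connection arrived over shared memory or named pipes on the host itself, so the process making those attempts is running on the server; the report's first/last times can be lined up against scheduled jobs and services there.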