  #1 (permalink)  
Registered User
 
Join Date: Mar 2007
Posts: 86
Login failed for user sa [CLIENT: <ip addr>]

I'm getting this msg spammed to the SQL Server log, and to the Windows event log, multiple times per second. This is a dev edition server on my standalone PC, and is fully functional. I use it to test DBA scripts prior to QA. The sa login and pswd are fine, I can login as sa whenever I need to. I've set up a lot of SQL Servers, but never experienced this. Does anyone have any idea why there appears to be a heartbeat attempt to login as sa with an invalid pswd? How do I resolve the error? Where is it coming from?

SQL Server 2005 Dev Edition/SP3 on WIN/XP/SP3 32-bit.
  #2 (permalink)  
King of Understatement
 
Join Date: Feb 2004
Location: One Flump in One Place
Posts: 14,910
Ok - until I saw it was dev edition then I was going to suggest it could be an attack. This is not connected to anything internet facing right?
  #3 (permalink)  
Registered User
 
Join Date: Mar 2007
Posts: 86
sa login in log

no .. it is not on the web per se .. no one knows it exists, and it is a domain behind the corporate firewall.
  #4 (permalink)  
King of Understatement
 
Join Date: Feb 2004
Location: One Flump in One Place
Posts: 14,910
Is that the actual error or have you omitted the IP address?
This is certainly not normal and I would still be erring towards considering this malicious until proved otherwise.
You should run a profiler trace and track Failed Login attempts. I would stick in all columns though the main ones you are interested in are host machine and application.
  #5 (permalink)  
Registered User
 
Join Date: Jan 2003
Location: Massachusetts
Posts: 5,459
Track down the machine at the other end of that IP Address, and smack whoever is working on that machine.
  #6 (permalink)  
Registered User
 
Join Date: Mar 2007
Posts: 86
sa login in log

I've requested the sysadmins track the ip addr.
sql profiler does not show any attempt to login.
This appears to be internal. I've shut all relevant services, and it persists.

Very strange. I've found some mention of this on google. When I resolve it I'll post to the blog.

Thanks to everyone who chimed in.

(I'd like to remove the spam in the log .. any ideas?)
  #7 (permalink)  
Registered User
 
Join Date: Mar 2007
Posts: 86
ip addr

yes .. I left out the ip addr .. it was not relevant to the discussion.
it appears to be an internal ip

A few of these are from the host machine itself, which is very strange indeed. Like I said, I shut all the services (Idera Sqlsafe, and monitors) when I saw that, but those still persist. I'm stumped for now. If it was prod I'd be worried, but on a standalone PC, I'm more concerned with the spamming.
  #8 (permalink)  
King of Understatement
 
Join Date: Feb 2004
Location: One Flump in One Place
Posts: 14,910
Quote:
Originally Posted by stuarta View Post
sql profiler does not show any attempt to login.
Nah - this can't be right. Please double check you have connected to the correct server, the trace is running and you have selected the Event Class "Audit Login Failed" from the "Security Audit" Events. Text Data will be like:
Quote:
Originally Posted by profiler
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <ip address>]
Definitely failed logon attempts can be trapped and you will get the Hostname and application.
  #9 (permalink)  
Registered User
 
Join Date: Jan 2003
Location: Massachusetts
Posts: 5,459
There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.
  #10 (permalink)  
King of Understatement
 
Join Date: Feb 2004
Location: One Flump in One Place
Posts: 14,910
Quote:
Originally Posted by MCrowley View Post
There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.
Quote:
Originally Posted by stuarta View Post
The sa login and pswd are fine, I can login as sa whenever I need to.
Do please keep up
  #11 (permalink)  
Registered User
 
Join Date: Aug 2009
Posts: 262
Quote:
Originally Posted by MCrowley View Post
There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.
i did everything to screw up the authentication at win2003 terminal server .. mixed / named / tcpip / active directory / dns / multiple ips ..

also at sql server 2005 / 2008 i tried to screw up sa and its password. tried to trace and trace and trace ...

i have been doing it since i first read this question and i did because i fully agree to pootle flump .


terminating services? what does it do? i have only one service running and that is sqlserver and i can reach my database from another machine ...




check your coworkers ... some jokey is killing his spare time
  #12 (permalink)  
King of Understatement
 
Join Date: Feb 2004
Location: One Flump in One Place
Posts: 14,910
Quote:
Originally Posted by mishaalsy View Post
i fully agree to pootle flump
We get on better every day eh

Quote:
Originally Posted by mishaalsy View Post
check your coworkers ... some jokey is killing his spare time
I agree this is the most likely problem but I still think it is best to treat this as malicious. Put it another way, treating it as malicious and getting it wrong will make you look silly. Treating it as a joke and getting it wrong could cost you your job.
  #13 (permalink)  
Registered User
 
Join Date: Aug 2009
Posts: 262
Quote:
Originally Posted by pootle flump View Post
We get on better every day eh
i don't say for the past, but i will not be shy/ashamed to admit when i will be wrong.


I got married last month
  #14 (permalink)  
Registered User
 
Join Date: Mar 2007
Posts: 86
sa issue resolved

I did an nslookup and got the remote server which was heartbeating my test machine.
It seems that an evaluation copy of White Sands monitoring tool for SQL Server was installed, and later removed. It deploys an agent as a service on the remote server. When the eval was removed from the remote server (about 8 months ago), the service was left on Windows, still running its heartbeat. In the interim I rebuilt my test server, 2 weeks ago, to current release level, and changed the sa password. I had no idea that agent was pinging my server for the past 8 months successfully. It wasn't until I rebuilt it that it started failing. I disabled the service on the remote server .. No idea how to remove it, and it's not mine anyway. Problem is resolved. Thanks for all the suggestions.
Reply With Quote
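The triage that posts #8 and #14 walk through (group the failed logins by client, then look at their timing) as an added example that is not part of the original thread. The log lines are constructed, and the ERRORLOG line layout, the function names and the thresholds are assumptions; a fixed-interval source suggests a leftover agent with a stale stored password, as in post #14.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Assumed ERRORLOG layout: "<timestamp> <source> Login failed for user 'x'. ... [CLIENT: y]"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"Login failed for user '?(?P<user>[^'\s.]+)'?.*?\[CLIENT: (?P<client>[^\]]+)\]")

def sample_log():
    """Constructed sample: a 5-second heartbeat from one host plus irregular local failures."""
    fmt = "2009-09-14 10:{:02d}:{:02d}.00 Logon       Login failed for user 'sa'. [CLIENT: {}]"
    beat = [fmt.format(0, s, "192.0.2.10") for s in range(0, 60, 5)]
    odd = [fmt.format(m, s, "<local machine>") for m, s in [(0, 3), (0, 4), (2, 40), (7, 1)]]
    noise = ["2009-09-14 10:08:00.00 spid51      Starting up database 'test'."]
    return "\n".join(sorted(beat + odd) + noise)

def summarize(log_text, min_events=4, jitter=0.1):
    """Group failed logins by (client, user) and flag sources that fire at a fixed interval."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # non-matching lines (startup messages etc.) are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            seen[(m["client"], m["user"])].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        # Heartbeat: enough events, and gap spread small relative to the median gap.
        regular = (len(stamps) >= min_events and med is not None and med > 0
                   and pstdev(gaps) <= jitter * med)
        report[key] = {"count": len(stamps), "median_gap_s": med, "heartbeat": regular}
    return report

if __name__ == "__main__":
    for (client, user), row in sorted(summarize(sample_log()).items()):
        print(f"{client:16} {user:4} {row}")
```

The flagged client address is the one to resolve with nslookup, as the original poster did.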
  #15 (permalink)  
Registered User
 
Join Date: Aug 2009
Posts: 262
google ... how to remove a service in windows2003


how to remove a service in windows2003 - Google Search
Reply With Quote