Unanswered: Login failed for user sa [CLIENT: <ip addr>]
I'm getting this msg spammed to the sql server log, and to the windows event log multiple times per second. This is a dev edition server on my standalone PC, and is fully functional. I use it to test DBA scripts prior to QA. The sa login and pswd are fine, I can login as sa whenever I need to. I've set up a lot of sql servers, but never experienced this. Does anyone have any idea why there appears to be a heartbeat attempt to login as sa with an invalid pswd? How do I resolve the error? Where is it coming from?
SQL Server 2005 Dev Edition/SP3 on WIN/XP/SP3 32-bit.
Is that the actual error or have you omitted the IP address?
This is certainly not normal and I would still be erring towards considering this malicious until proved otherwise.
You should run a profiler trace and track Failed Login attempts. I would stick in all columns though the main ones you are interested in are host machine and application.
Yes .. I left out the IP addr .. it was not relevant to the discussion.
It appears to be an internal IP.
A few of these are from the host machine itself, which is very strange indeed. Like I said, I shut all the services (Idera Sqlsafe, and monitors) when I saw that, but those still persist. I'm stumped for now. If it was prod I'd be worried, but on a standalone PC, I'm more concerned with the spamming.
Nah - this can't be right. Please double check you have connected to the correct server, the trace is running and you have selected the Event Class "Audit Login Failed" from the "Security Audit" Events. Text Data will be like:
Originally Posted by profiler
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <ip address>]
Definitely failed logon attempts can be trapped and you will get the Hostname and application.
check your coworkers ... some jokey is killing his spare time
I agree this is the most likely problem but I still think it is best to treat this as malicious. Put it another way, treating it as malicious and getting it wrong will make you look silly. Treating it as a joke and getting it wrong could cost you your job.
I did an nslookup and got the remote server which was heartbeating my test machine.
It seems that an evaluation copy of White Sands monitoring tool for SQL Server was installed, and later removed. It deploys an agent as a service on the remote server. When the eval was removed from the remote server (about 8 months ago), the service was left on windows, still running its heartbeat. In the interim I rebuilt my test server, 2 weeks ago, to current release level, and changed the sa password. I had no idea that agent was pinging my server for the past 8 months successfully. It wasn't until I rebuilt it, that it started failing. I disabled the service on the remote server .. No idea how to remove it, and it's not mine anyway. Problem is resolved. Thanks for all the suggestions.
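The following Python example is added here and was not posted by anyone in the thread. It groups "Login failed" log lines by client address and login, then flags sources that retry at a fixed interval, which is the pattern a leftover monitoring agent produces. The timestamp and source prefix of each line, the `jitter` threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed layout: "<date> <time> <source>  Login failed for user '<name>'. ... [CLIENT: <addr>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(lines):
    """Yield (timestamp, user, client) for each failed-login line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]

def summarize(lines, jitter=0.2):
    """Group failures by (client, user) and flag fixed-interval, heartbeat-like sources."""
    seen = defaultdict(list)
    for ts, user, client in parse(lines):
        seen[(client, user)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else None
        # Regular: at least 3 gaps whose spread is small relative to the mean gap.
        regular = len(gaps) >= 3 and avg > 0 and pstdev(gaps) / avg <= jitter
        report[key] = {"count": len(stamps), "mean_gap_s": avg, "regular": regular}
    return report

# Constructed sample lines; addresses come from documentation ranges.
REASON = "Reason: Password did not match that for the login provided."
SAMPLE = [
    "2009-06-01 10:15:02.00 Logon       Error: 18456, Severity: 14, State: 8.",
    f"2009-06-01 10:15:02.00 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 192.0.2.10]",
    f"2009-06-01 10:15:02.10 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 198.51.100.7]",
    f"2009-06-01 10:15:02.50 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 192.0.2.10]",
    f"2009-06-01 10:15:03.00 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 192.0.2.10]",
    f"2009-06-01 10:15:03.50 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 192.0.2.10]",
    f"2009-06-01 10:15:04.00 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 192.0.2.10]",
    f"2009-06-01 10:15:09.40 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 198.51.100.7]",
    f"2009-06-01 10:16:30.00 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 198.51.100.7]",
    f"2009-06-01 10:16:31.20 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 198.51.100.7]",
]

if __name__ == "__main__":
    for (client, user), stats in summarize(SAMPLE).items():
        print(client, user, stats)
```

A source flagged `regular` points to an automated service holding a stale credential rather than a person typing passwords; it still needs to be traced to a host and process before it is dismissed.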