  1. #1
    Join Date
    Mar 2007
    Posts
    86

    Login failed for user sa [CLIENT: <ip addr>]

    I'm getting this msg spammed to the sql server log, and to the windows event log multiple times per second. This is a dev edition server on my standalone PC, and is fully functional. I use it to test DBA scripts prior to QA. The sa login and pswd are fine, I can login as sa whenever I need to. I've set up a lot of sql servers, but never experienced this. Does anyone have any idea why there appears to be a heartbeat attempt to login as sa with an invalid pswd? How do I resolve the error? Where is it coming from?

    SQL Server 2005 Dev Edition/SP3 on WIN/XP/SP3 32-bit.

  2. #2
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,910
    Ok - until I saw it was dev edition then I was going to suggest it could be an attack. This is not connected to anything internet facing right?

  3. #3
    Join Date
    Mar 2007
    Posts
    86

    sa login in log

    no .. it is not on the web per se .. no one knows it exists, and it is a domain behind the corporate firewall.

  4. #4
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,910
    Is that the actual error or have you omitted the IP address?
    This is certainly not normal and I would still be erring towards considering this malicious until proved otherwise.
    You should run a profiler trace and track Failed Login attempts. I would stick in all columns though the main ones you are interested in are host machine and application.

  5. #5
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,554
    Track down the machine at the other end of that IP Address, and smack whoever is working on that machine.

  6. #6
    Join Date
    Mar 2007
    Posts
    86

    sa login in log

    I've requested the sysadmins track the ip addr.
    sql profiler does not show any attempt to login.
    This appears to be internal. I've shut all relevant services, and it persists.

    Very strange. I've found some mention of this on google. When I resolve it I'll post to the blog.

    Thanks to everyone who chimed in.

    (i'd like to remove the spam in the log .. any ideas?)

  7. #7
    Join Date
    Mar 2007
    Posts
    86

    ip addr

    yes .. i left out the ip addr .. it was not relevant to the discussion.
    it appears to be an internal ip

    A few of these are from the host machine itself, which is very strange indeed. Like I said, I shut all the services (Idera Sqlsafe, and monitors) when I saw that, but those still persist. I'm stumped for now. If it was prod I'd be worried, but on a standalone PC, I'm more concerned with the spamming.

  8. #8
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,910
    Quote Originally Posted by stuarta View Post
    sql profiler does not show any attempt to login.
    Nah - this can't be right. Please double check you have connected to the correct server, the trace is running and you have selected the Event Class "Audit Login Failed" from the "Security Audit" Events. Text Data will be like:
    Quote Originally Posted by profiler
    Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <ip address>]
    Definitely failed logon attempts can be trapped and you will get the Hostname and application.

  9. #9
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,554
    There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.

  10. #10
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,910
    Quote Originally Posted by MCrowley View Post
    There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.
    Quote Originally Posted by stuarta View Post
    The sa login and pswd are fine, I can login as sa whenever I need to.
    Do please keep up

  11. #11
    Join Date
    Aug 2009
    Posts
    262
    Quote Originally Posted by MCrowley View Post
    There is an outside chance that if the security is not mixed mode, then the SQL Authenticated login attempts will just get tossed unceremoniously.
    i did everything to screw up the authentication at win2003 terminal server .. mixed / named /tcpip/ active directory / dns / multiple ips ..

    also at sql server 2005 /2008 i tried to screwup sa and its password . tried to trace and trace and trace ...

    i have been doing it since i first read this question and i did because i fully agree to pootle flump .


    terminating services ? what does it do ? i have only one service running and that is sqlserver and i can reach my database from another machine . ...




    check your coworkers ... some jokey is killing his spare time

  12. #12
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,910
    Quote Originally Posted by mishaalsy View Post
    i fully agree to pootle flump
    We get on better every day eh

    Quote Originally Posted by mishaalsy View Post
    check your coworkers ... some jokey is killing his spare time
    I agree this is the most likely problem but I still think it is best to treat this as malicious. Put it another way, treating it as malicious and getting it wrong will make you look silly. Treating it as a joke and getting it wrong could cost you your job.

  13. #13
    Join Date
    Aug 2009
    Posts
    262
    Quote Originally Posted by pootle flump View Post
    We get on better every day eh
    i don't say for the past , but i will not be shy/ashamed to admit when i will be wrong.


    I got married last month

  14. #14
    Join Date
    Mar 2007
    Posts
    86

    sa issue resolved

    I did an nslookup and got the remote server which was heartbeating my test machine.
    It seems that an evaluation copy of White Sands monitoring tool for SQL Server was installed, and later removed. It deploys an agent as a service on the remote server. When the eval was removed from the remote server (about 8 months ago), the service was left on windows, still running its heartbeat. In the interim I rebuilt my test server, 2 weeks ago, to current release level, and changed the sa password. I had no idea that agent was pinging my server for the past 8 months successfully. It wasn't until I rebuilt it, that it started failing. I disabled the service on the remote server .. No idea how to remove it, and it's not mine anyway. Problem is resolved. Thanks for all the suggestions.
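
    Added example, not part of the original thread: a sketch that groups "Login failed" lines from a SQL Server error log by client address and flags sources that retry at a near-constant interval, the pattern the leftover monitoring agent described above produced. The log lines and addresses are constructed, and the function names and the `max_jitter` threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the SQL Server error-log layout; the addresses are made up.
SAMPLE_LOG = """\
2009-10-12 09:15:00.10 Logon       Error: 18456, Severity: 14, State: 8.
2009-10-12 09:15:00.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2009-10-12 09:15:01.00 Logon       Login failed for user 'admin'. [CLIENT: 10.0.0.9]
2009-10-12 09:15:02.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2009-10-12 09:15:04.30 Logon       Login failed for user sa [CLIENT: 10.0.0.5]
2009-10-12 09:15:06.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2009-10-12 09:15:08.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2009-10-12 09:15:20.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.9]
2009-10-12 09:16:45.00 Logon       Login failed for user 'test'. [CLIENT: 10.0.0.9]
2009-10-12 09:17:00.00 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
"""

# Accepts the quoted and unquoted user forms and an optional "Reason: ..." part.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"Login failed for user '?(?P<user>[^'.\s]+)'?.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def failed_logins(log_text):
    """Yield (timestamp, user, client) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]

def summarize(log_text, max_jitter=0.5):
    """Per client: attempt count, logins tried, mean gap (s), heartbeat flag."""
    stamps, users = defaultdict(list), defaultdict(set)
    for ts, user, client in failed_logins(log_text):
        stamps[client].append(ts)
        users[client].add(user)
    report = {}
    for client, seen in stamps.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        # A near-constant retry interval points at a scheduled client (agent,
        # job, service). It does not clear the source: still trace the host.
        steady = len(gaps) >= 3 and statistics.pstdev(gaps) <= max_jitter
        report[client] = {"count": len(seen), "users": sorted(users[client]),
                          "mean_gap_s": statistics.mean(gaps) if gaps else None,
                          "heartbeat": steady}
    return report
```

    Resolving the flagged address to a host name (as was done here with nslookup) is the next step; a client that cycles through several login names, like the constructed 10.0.0.9, deserves a closer look than one repeating a single stale credential.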

  15. #15
    Join Date
    Aug 2009
    Posts
    262
    google ... how to remove a service in windows2003


    how to remove a service in windows2003 - Google Search
