Re: Failure Audit Event ID: 18456 SQL Server Error



I'd work with the network admin to find where these IP packets are from
instead of just ignoring them.

If indeed they are harmless, you can always turn off failed login audit.
Right click on the SQL instance in Enterprise Manager or SQL Management
Studio, go to the Security tab, and select None under login Auditing. I'd
generally recommend against turning this off as you shouldn't really see a
lot of failed logins, and if you do, something is not quite right and you may
want to know.

Linchi

"Anand Ganesh" wrote:

Hi Linchi,

I am seeing many entries.

In fact it looks like they have tried sa, root, user, and every day I am
seeing more than 60 entries logged.

Is this a sign of hacking? The server has a public domain name.

Are there any services or settings in SQL Server 2005 I should turn off so
such attempts are ignored and not even logged as errors?

Thank you for your time.

Regards
Anand


"Linchi Shea" <LinchiShea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E012AA3A-EE0A-4DA0-AF92-CFB32546F30D@xxxxxxxxxxxxxxxx
How many of these errors are you getting? If you get one or very few, the
chances are somebody just mis-typed the password.

Linchi

"Anand Ganesh" wrote:

Hello Everybody,

I am getting the following error in MS SQL SERVER 2005 Enterprise
Edition.

The IP reported does not even belong to our domain.

Does it mean someone is trying to hack into our system or something
else?

Any suggestions please?

Thanks
Anand

Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18456
Date: 2/20/2008
Time: 8:37:20 AM
User: N/A
Computer: TESTSERVER
Description:
Login failed for user 'sa'. [CLIENT: 74.218.89.234]

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00 .H......
0008: 0b 00 00 00 54 00 45 00 ....T.E.
0010: 53 00 54 00 53 00 45 00 S.T.S.E.
0018: 52 00 56 00 45 00 52 00 R.V.E.R.
0020: 00 00 07 00 00 00 6d 00 ......m.
0028: 61 00 73 00 74 00 65 00 a.s.t.e.
0030: 72 00 00 00 r...
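
Added example, not part of the original thread: one way to triage a batch of event 18456 descriptions like the one quoted above, grouping failed logins by client address so a single mistyped password can be told apart from a source cycling through account names such as sa, root and user. The function names, thresholds and sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Matches the Description text of event 18456 as quoted in this thread.
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT:\s*(?P<client>[^\]]+?)\s*\]"
)

def summarize_failed_logins(descriptions):
    """Group failed logins by client address: attempt count and account names tried."""
    by_client = defaultdict(lambda: {"attempts": 0, "users": set()})
    for text in descriptions:
        m = LOGIN_FAILED.search(text)
        if not m:
            continue  # not a failed-login description, skip it
        entry = by_client[m.group("client")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user").lower())
    return dict(by_client)

def suspicious_clients(summary, max_attempts=5, max_users=2):
    """Return clients over either threshold (both values are assumptions to tune)."""
    flagged = []
    for client, entry in summary.items():
        if entry["attempts"] > max_attempts or len(entry["users"]) > max_users:
            flagged.append((client, entry["attempts"], sorted(entry["users"])))
    # Noisiest source first.
    return sorted(flagged, key=lambda row: row[1], reverse=True)

# Constructed sample descriptions (documentation-range addresses, not real data).
SAMPLE = (
    ["Login failed for user 'sa'. [CLIENT: 203.0.113.7]"] * 4
    + ["Login failed for user 'root'. [CLIENT: 203.0.113.7]"] * 2
    + ["Login failed for user 'user'. [CLIENT: 203.0.113.7]"]
    + ["Login failed for user 'appsvc'. [CLIENT: 192.0.2.15]"]  # one mistyped password
    + ["Unrelated event text that should be ignored"]
)

if __name__ == "__main__":
    for client, attempts, users in suspicious_clients(summarize_failed_logins(SAMPLE)):
        print(f"{client}: {attempts} failed logins, accounts tried: {', '.join(users)}")
```

The flagged addresses are the ones to hand to the network admin for tracing or blocking at the perimeter, which keeps the failed-login audit switched on.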