Snort mailing list archives

RE: SA login failed.....


From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Tue, 29 Mar 2005 10:12:33 -0500

You're seeing this as a response; check the source IP for MSSQL
accessible from the internet...


Joel


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Matusiewicz
Sent: Tuesday, March 29, 2005 10:01 AM
To: Jeff Heckart; snort-users () lists sourceforge net
Subject: Re: [Snort-users] SA login failed.....


At 09:45 AM 3/29/2005, Jeff Heckart wrote:
I am getting quite a few unusual alerts, and am confused by what I am
seeing.


The payload of the packet is:

04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...
0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed 
66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...
00 00 FD 02 00 00 00 00 00 00 00                       ..}........


The strange thing is that the source is:

x.x.x.x:1433 (our network)


This looks like your MS SQL server responding to someone's unsuccessful
login attempt.  There was a problem with MS SQL a while back where the
SQL server set up the admin account (sa) with NO password.  A worm was
written to exploit it and this could be it.

-- Joe 
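The payload quoted in the thread, decoded field by field. This is an added example, not code from the thread, from Snort or from Microsoft. The byte layout follows the TDS packet header and the ERROR (0xAA) and DONE (0xFD) tokens in the pre-7.0 form that the dump uses, where the message text is single-byte characters; TDS 7.x sends the message as UCS-2 and is rejected rather than misdecoded. The sample bytes are copied from the alert above; the error-number constant 18456 is SQL Server's "Login failed for user" error.

```python
"""Decode the TDS packet quoted above and show that it is a server-side reply.

Added example, not code from the mailing list, from Snort or from Microsoft.
Handles the pre-TDS-7.0 ERROR/DONE token layout seen in the dump (single-byte
message text, 16-bit line number, 32-bit row count).
"""
import re
import struct

# The 59-byte payload copied from the alert in the thread.
PAYLOAD_HEX = (
    "04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01 "
    "0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20 "
    "66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00 "
    "00 00 FD 02 00 00 00 00 00 00 00"
)

TDS_TYPE_RESPONSE = 0x04   # "tabular result": only ever sent server -> client
TOKEN_ERROR = 0xAA
TOKEN_DONE = 0xFD
ERR_LOGIN_FAILED = 18456   # SQL Server error number for a rejected login
DONE_ERROR = 0x0002        # DONE status bit: the request ended in error


def parse_tds_packet(data: bytes) -> dict:
    """Parse the 8-byte TDS header and the ERROR/DONE tokens that follow it."""
    if len(data) < 8:
        raise ValueError("truncated TDS header")
    # Header fields are big-endian; token bodies are little-endian.
    ptype, status, length, spid, packet_id, window = struct.unpack(">BBHHBB", data[:8])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, got {len(data)}")
    pkt = {"type": ptype, "status": status, "spid": spid,
           "packet_id": packet_id, "tokens": []}
    pos = 8
    while pos < len(data):
        tok = data[pos]
        if tok == TOKEN_ERROR:
            tok_len = struct.unpack_from("<H", data, pos + 1)[0]
            end = pos + 3 + tok_len
            number, state, klass, msg_len = struct.unpack_from("<IBBH", data, pos + 3)
            p = pos + 11
            msg_raw = data[p:p + msg_len]
            # UCS-2 text (TDS 7.x) has a zero high byte after the first char.
            if msg_len > 1 and len(msg_raw) == msg_len and msg_raw[1] == 0:
                raise ValueError("UCS-2 message text (TDS 7.x) not handled here")
            msg = msg_raw.decode("latin-1")
            p += msg_len
            srv_len = data[p]
            server = data[p + 1:p + 1 + srv_len].decode("latin-1")
            p += 1 + srv_len
            proc_len = data[p]
            proc = data[p + 1:p + 1 + proc_len].decode("latin-1")
            p += 1 + proc_len
            line = struct.unpack_from("<H", data, p)[0]
            p += 2
            if p != end:
                raise ValueError("ERROR token length does not match its fields")
            pkt["tokens"].append({"token": "ERROR", "number": number, "state": state,
                                  "class": klass, "msg": msg, "server": server,
                                  "proc": proc, "line": line})
            pos = end
        elif tok == TOKEN_DONE:
            done_status, cur_cmd, rows = struct.unpack_from("<HHI", data, pos + 1)
            pkt["tokens"].append({"token": "DONE", "status": done_status,
                                  "cur_cmd": cur_cmd, "rows": rows})
            pos += 9
        else:
            raise ValueError(f"unhandled token 0x{tok:02X} at offset {pos}")
    return pkt


def failed_login_user(data: bytes):
    """Return the rejected login name if this is a server reply to a failed
    login, else None."""
    pkt = parse_tds_packet(data)
    if pkt["type"] != TDS_TYPE_RESPONSE:
        return None          # not a server -> client packet at all
    for t in pkt["tokens"]:
        if t["token"] == "ERROR" and t["number"] == ERR_LOGIN_FAILED:
            m = re.search(r"for user '([^']*)'", t["msg"])
            return m.group(1) if m else ""
    return None


if __name__ == "__main__":
    raw = bytes.fromhex(PAYLOAD_HEX)
    pkt = parse_tds_packet(raw)
    print(f"type=0x{pkt['type']:02X} (server reply)", pkt["tokens"])
    print("rejected login:", failed_login_user(raw))
```

Packet type 0x04 only travels from server to client, so the "source" Snort logged (x.x.x.x:1433) is the SQL server itself and the other end of the flow is the host that tried to log in as sa; that peer address, and whether port 1433 on the server is reachable from outside, is what to check.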

