Snort mailing list archives
RE: SA login failed.....
From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Tue, 29 Mar 2005 10:12:33 -0500
You're seeing this as a response, check the source IP for mssql accessible from the internet...

Joel

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Matusiewicz
Sent: Tuesday, March 29, 2005 10:01 AM
To: Jeff Heckart; snort-users () lists sourceforge net
Subject: Re: [Snort-users] SA login failed.....

At 09:45 AM 3/29/2005, Jeff Heckart wrote:

I am getting quite a few unusual alerts, and am confused with what I am seeing. The payload of the packet is:

    04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01  ...;....*'..H...
    0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20  ...Login failed
    66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00  for user 'sa'...
    00 00 FD 02 00 00 00 00 00 00 00                 ..}........

The strange thing is that the source is: x.x.x.x:1433 (our network)

This looks like your MS sql server responding to someone's unsuccessful login attempt. There was a problem with MS sql a while back where the sql server set up the admin account (sa) with NO password. A worm was written to exploit it and this could be it.

-- Joe
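Added example, not part of the original messages: decoding the quoted payload confirms what the replies describe, a server-to-client TDS response (source port 1433) carrying a failed-login error for 'sa'. The field layout is an assumption based on the TDS packet header and ERROR/DONE tokens with single-byte text, which matches the byte counts in this capture; the function names are hypothetical.

```python
import struct

# Payload bytes copied from the alert quoted in the message above (59 bytes).
PAYLOAD = bytes.fromhex(
    "0401003B00000100AA27001848000001"
    "0E1B004C6F67696E206661696C656420"
    "666F72207573657220277361272E0000"
    "0000FD0200000000000000"
)

TDS_TABULAR_RESULT = 0x04  # packet type used for server responses
TOKEN_ERROR = 0xAA         # error message token
TOKEN_DONE = 0xFD          # end-of-statement token
DONE_ERROR = 0x0002        # DONE status bit: statement ended in error
MSSQL_PORT = 1433

def parse_tds_response(data):
    """Decode the 8-byte TDS header, then any ERROR and DONE tokens."""
    if len(data) < 8:
        raise ValueError("shorter than a TDS header")
    # Header is big-endian: type, status, length, SPID, packet id, window.
    ptype, status, length, _spid, _pkt, _win = struct.unpack(">BBHHBB", data[:8])
    if ptype != TDS_TABULAR_RESULT or length != len(data):
        raise ValueError("not a complete TDS response packet")
    out = {"last_packet": bool(status & 0x01), "length": length}
    pos = 8
    while pos < len(data):
        token = data[pos]
        if token == TOKEN_ERROR:
            # Token fields are little-endian: length, number, state, class, msg length.
            tok_len, number, state, severity, msg_len = struct.unpack_from(
                "<HIBBH", data, pos + 1)
            text = data[pos + 11 : pos + 11 + msg_len].decode("ascii", "replace")
            out.update(error=number, state=state, severity=severity, message=text)
            pos += 3 + tok_len
        elif token == TOKEN_DONE:
            done_status, _curcmd, _rows = struct.unpack_from("<HHI", data, pos + 1)
            out["done_error"] = bool(done_status & DONE_ERROR)
            pos += 9
        else:
            raise ValueError(f"unhandled token 0x{token:02X} at offset {pos}")
    return out

def is_failed_sa_login_reply(src_port, data):
    """True when the packet is the server's answer to a rejected 'sa' login."""
    if src_port != MSSQL_PORT:  # a reply comes *from* the server port
        return False
    info = parse_tds_response(data)
    return info.get("error") == 18456 and "'sa'" in info.get("message", "")

if __name__ == "__main__":
    print(parse_tds_response(PAYLOAD), is_failed_sa_login_reply(1433, PAYLOAD))
```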