Snort mailing list archives

Re: SA login failed.....


From: Joe Matusiewicz <joem () nist gov>
Date: Tue, 29 Mar 2005 10:01:22 -0500

At 09:45 AM 3/29/2005, Jeff Heckart wrote:

I am getting quite a few unusual alerts, and am confused with what I am seeing.

The payload of the packet is:

04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...
0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed
66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...
00 00 FD 02 00 00 00 00 00 00 00                       ..}........

The strange thing is that the source is:

x.x.x.x:1433 (our network)

This looks like your MS sql server responding to someone's unsuccessful login attempt. There was a problem with MS sql a while back where the sql server set up the admin account (sa) with NO password. A worm was written to exploit it and this could be it.

-- Joe 
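Decoding the quoted payload confirms Joe's reading: it is a TDS response packet (type 0x04) carrying an ERROR token whose number field decodes to 18456, SQL Server's "Login failed for user" error, followed by a DONE token. The parser below is an added example, not code from the thread or from Snort; it assumes the pre-7.0 TDS token layout with single-byte ASCII messages, which is what the dump shows, and the sample bytes are transcribed from the hex dump above.

```python
import struct

# Payload transcribed from the hex dump quoted above (59 bytes):
# 8-byte TDS header, one ERROR token (0xAA), one DONE token (0xFD).
PAYLOAD = bytes.fromhex(
    "04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01 "
    "0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20 "
    "66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00 "
    "00 00 FD 02 00 00 00 00 00 00 00"
)

TDS_RESPONSE = 0x04   # packet type: server -> client "tabular result"
TOKEN_ERROR = 0xAA
TOKEN_DONE = 0xFD
LOGIN_FAILED = 18456  # SQL Server error "Login failed for user '%s'."


def parse_tds_response(payload):
    """Walk the token stream of a pre-7.0 (ASCII) TDS response packet."""
    if len(payload) < 8:
        raise ValueError("too short for a TDS header")
    ptype, status, length = struct.unpack(">BBH", payload[:4])  # header is big-endian
    if ptype != TDS_RESPONSE:
        raise ValueError("not a TDS response packet (type 0x%02X)" % ptype)
    if length != len(payload):
        raise ValueError("header length %d != payload length %d" % (length, len(payload)))
    errors, pos = [], 8
    while pos < length:
        token = payload[pos]
        if token == TOKEN_ERROR:
            tlen = struct.unpack("<H", payload[pos + 1:pos + 3])[0]  # token fields are little-endian
            body = payload[pos + 3:pos + 3 + tlen]
            number, state, severity, msglen = struct.unpack("<IBBH", body[:8])
            msg = body[8:8 + msglen].decode("ascii")
            errors.append({"number": number, "state": state, "severity": severity, "message": msg})
            pos += 3 + tlen
        elif token == TOKEN_DONE:
            pos += 9  # token(1) + status(2) + curcmd(2) + rowcount(4)
        else:
            raise ValueError("unhandled token 0x%02X at offset %d" % (token, pos))
    return {"end_of_message": bool(status & 0x01), "errors": errors}


def failed_login_users(payload):
    """Login names the server rejected; the text is "Login failed for user '<name>'."."""
    names = []
    for err in parse_tds_response(payload)["errors"]:
        if err["number"] == LOGIN_FAILED:
            names.append(err["message"].split("'")[1])
    return names  # for PAYLOAD above: ['sa']
```

Because the packet is the server's reply, a Snort alert on it identifies the victim side; the client address and port in the same flow are where the login attempts originate.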
