Network Security: Detailed info on Re: [Snort-users] SA login failed.....

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Snort-Users

[Top] [All Lists]

Re: [Snort-users] SA login failed.....

from [Joe Matusiewicz] Network Security

[Permanent Link]

Subject:	Re: [Snort-users] SA login failed.....
Date:	Tue, 29 Mar 2005 10:01:22 -0500

At 09:45 AM 3/29/2005, Jeff Heckart wrote:

I am getting quite a few unusual alerts, and am confused with what I am seeing.

The payload of the packet is:

04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...

0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed

66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...

00 00 FD 02 00 00 00 00 00 00 00                       ..}........

The strange thing is that the source is:

x.x.x.x:1433 (our network)

This looks like your MS sql server responding to someone's unsuccessful login attempt. There was a problem with MS sql a while back where the sql server set up the admin account (sa) with NO password. A worm was written to exploit it and this could be it.

-- Joe

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] SA login failed....., Jeff Heckart RE: [Snort-users] SA login failed....., Eric Hines Re: [Snort-users] SA login failed....., Joe Matusiewicz <= RE: [Snort-users] SA login failed....., SRH-Lists RE: [Snort-users] SA login failed....., Snort RE: [Snort-users] SA login failed....., Esler, Joel - Contractor

Previous by Date:	[Snort-users] create_postgresql, Narayan Sivaramakrishnan
Next by Date:	RE: [Snort-users] SA login failed....., Snort
Previous by Thread:	RE: [Snort-users] SA login failed....., Eric Hines
Next by Thread:	RE: [Snort-users] SA login failed....., SRH-Lists
Indexes:	[Date] [Thread] [Top] [All Lists]