[Snort-users] SA login failed.....

Joe Matusiewicz joem at ...692...
Tue Mar 29 07:00:15 EST 2005


At 09:45 AM 3/29/2005, Jeff Heckart wrote:

>I am getting quite a few unusual alerts, and am confused with what I am 
>seeing.
>
>The payload of the packet is:
>
>04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...
>0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed
>66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...
>00 00 FD 02 00 00 00 00 00 00 00                       ..}........
>
>The strange thing is that the source is:
>
>x.x.x.x:1433 (our network)

This looks like your MS SQL server responding to someone's unsuccessful 
login attempt.  There was a problem with MS SQL a while back where the SQL 
server set up the admin account (sa) with NO password.  A worm was written 
to exploit it and this could be it.

-- Joe 
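
As an added example (not part of the original post), the quoted payload can be decoded to check that it is a server reply rather than a login attempt. The field layout is an assumption: the older TDS response format with single-byte message text, which accounts for all 59 bytes shown; the function names are illustrative.

```python
import struct

# Bytes copied from the hex dump quoted in the post (59 bytes in total).
PAYLOAD = bytes.fromhex(
    "0401003B00000100AA27001848000001"
    "0E1B004C6F67696E206661696C656420"
    "666F72207573657220277361272E0000"
    "0000FD0200000000000000"
)

TDS_RESPONSE = 0x04   # packet type a server uses for replies
TOK_ERROR = 0xAA      # ERROR token
TOK_DONE = 0xFD       # DONE token
LOGIN_FAILED = 18456  # SQL Server error number for "Login failed"


def parse_tds_response(data):
    """Decode the 8-byte TDS header and the ERROR/DONE tokens after it."""
    if len(data) < 8:
        raise ValueError("shorter than a TDS header")
    ptype, _status, length, _spid, _pkt, _win = struct.unpack(">BBHHBB", data[:8])
    if length > len(data):
        raise ValueError("header length exceeds the captured bytes")
    out = {"type": ptype, "length": length, "errors": [], "done_status": None}
    pos = 8
    while pos < length:
        token = data[pos]
        if token == TOK_ERROR and pos + 3 <= length:
            (tok_len,) = struct.unpack_from("<H", data, pos + 1)
            body = data[pos + 3:pos + 3 + tok_len]
            if tok_len < 8 or pos + 3 + tok_len > length:
                raise ValueError("truncated ERROR token")
            number, state, severity, msg_len = struct.unpack_from("<IBBH", body)
            text = body[8:8 + msg_len].decode("ascii", "replace")
            out["errors"].append({"number": number, "state": state,
                                  "severity": severity, "text": text})
            pos += 3 + tok_len
        elif token == TOK_DONE and pos + 9 <= length:
            (out["done_status"],) = struct.unpack_from("<H", data, pos + 1)
            pos += 9
        else:
            break  # a token this sketch does not decode
    return out


def is_failed_login_reply(data):
    r = parse_tds_response(data)
    return r["type"] == TDS_RESPONSE and any(
        e["number"] == LOGIN_FAILED for e in r["errors"])
```

For the dump above this yields packet type 0x04 with error 18456, severity 14, state 1 and the DONE error bit set, which matches traffic sourced from port 1433.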