[Snort-users] SA login failed.....

Esler, Joel - Contractor joel.esler at ...9426...
Tue Mar 29 07:13:01 EST 2005


You're seeing this as a response; check the source IP for MSSQL
accessible from the internet...

Joel

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Joe
Matusiewicz
Sent: Tuesday, March 29, 2005 10:01 AM
To: Jeff Heckart; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] SA login failed.....

 

At 09:45 AM 3/29/2005, Jeff Heckart wrote:

I am getting quite a few unusual alerts, and am confused with what I am
seeing.

The payload of the packet is:

04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...
0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed 
66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...
00 00 FD 02 00 00 00 00 00 00 00                       ..}........

The strange thing is that the source is:

x.x.x.x:1433 (our network)


This looks like your MS SQL server responding to someone's unsuccessful
login attempt.  There was a problem with MS SQL a while back where the
SQL server set up the admin account (sa) with NO password.  A worm was
written to exploit it and this could be it.

-- Joe 
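
Added example, not part of the original thread: a small Python decoder for the payload posted above, showing why both replies read it as the server's answer to a failed 'sa' login rather than as an attack packet. The function names are illustrative, and the code assumes the TDS layout visible in the dump (8-byte header, one ERROR token with single-byte message text, then a DONE token).

```python
import re
import struct

# Payload bytes exactly as posted in the message above (59 bytes).
PAYLOAD = bytes.fromhex(
    "04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01 "
    "0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20 "
    "66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00 "
    "00 00 FD 02 00 00 00 00 00 00 00"
)

TDS_RESPONSE, TOKEN_ERROR, TOKEN_DONE = 0x04, 0xAA, 0xFD  # packet type, token ids
DONE_ERROR = 0x0002    # DONE status bit: the request ended in an error
LOGIN_FAILED = 18456   # SQL Server error number for "Login failed for user"


def decode_response(data):
    """Decode one TDS response packet carrying an ERROR token, then DONE."""
    if len(data) < 11:
        raise ValueError("too short for a TDS header plus a token")
    ptype, status, length = struct.unpack_from(">BBH", data, 0)
    if ptype != TDS_RESPONSE or data[8] != TOKEN_ERROR:
        raise ValueError("not a server response starting with an ERROR token")
    if length != len(data):
        raise ValueError("header says %d bytes, got %d" % (length, len(data)))
    (tok_len,) = struct.unpack_from("<H", data, 9)
    body = data[11:11 + tok_len]
    if tok_len < 8 or len(body) != tok_len:
        raise ValueError("truncated ERROR token")
    number, state, severity, msg_len = struct.unpack_from("<iBBH", body, 0)
    # Assumption: single-byte message text, as it appears in the posted dump.
    message = body[8:8 + msg_len].decode("ascii", "replace")
    out = {"length": length, "number": number, "state": state,
           "severity": severity, "message": message, "done_error": False}
    rest = data[11 + tok_len:]
    if len(rest) >= 3 and rest[0] == TOKEN_DONE:
        (done_status,) = struct.unpack_from("<H", rest, 1)
        out["done_error"] = bool(done_status & DONE_ERROR)
    return out


def triage(data, src_port):
    """Summarise the alert: who sent the packet and which login failed."""
    info = decode_response(data)
    user = re.search(r"user '([^']*)'", info["message"])
    info["from_server"] = src_port == 1433
    info["failed_login"] = info["number"] == LOGIN_FAILED
    info["user"] = user.group(1) if user else None
    return info
```

Calling `triage(PAYLOAD, 1433)` reports error 18456 for user `sa` with `from_server` set, so the host to investigate is the peer that the server at port 1433 was answering.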
