A case of hacking against a SQL Server database

Recently found that the server on the outside of the network inexplicably restarted, the server is currently mainly started the IIS services, SQL Server services. Remote login, found that the system response is very slow, there is a noticeable sense of stagnation, open Task Manager, CPU usage in the basic 30 or so. Open Event Viewer, found in the application of a large number of levels for the information source is mssql$pncsms, the event ID is 18456, the task category is logged in the record, almost 24 hours of uninterrupted, 15 records per second, the content of each record is roughly the same, such as "User ' sa ' login failed." Cause: The login name that matches the provided name is not found. [Client: 60.191.144.214] "Only the user names are sometimes different, and the client IP address varies over time (minutes to hours). This IP address is found in Hunan, Henan and other locations.

Apparently, someone attempted to invade the database with a traversal password, renamed the SA for the database, changed the TCP port of the Ipall of the database by the default of 1433 to a different port number (all applications have to follow the connection string, pain). Restart the service, run a day, and then look at the Event Viewer, no longer found similar records, CPU utilization decreased to about 5, the system response significantly accelerated. The problem has been satisfactorily resolved.

In order to prevent hackers to traverse the system login account, but also renamed the Administrator, but after renaming, SQL Server can not start, found in the service SQL Server, the login account was reset, restart the computer, SQL server started successfully.

A case of hacking against a SQL Server database