An example of SQL SERVER database attack

An example of SQL SERVER database attack

Recently, it was found that the SERVER on the internet is inexplicably restarted. This SERVER currently mainly starts the IIS and SQL SERVER services. Remote Login, found that the system reaction is slow, there is a significant sense of stagnation, open the task manager, CPU usage is about 30. Open the Event Viewer. In the application, you can find that the information source is MSSQL $ PNCSMS, the event ID is 18456, and the task category is the logon record, which is uninterrupted for almost 24 hours, there are 15 records per second, and the content of each record is roughly the same, for example, "user 'sa 'logon failure. Cause: the login name that matches the provided name cannot be found. [Client: 60.191.144.214] "However, the Client IP address may change once in a few minutes or hours. The IP address is found in Hunan, Henan, and other places.

Apparently, someone attempted to intrude into the database by traversing the password, rename the database sa, and set the database's ipall tcp port, change the default port number from 1433 to another port number (all applications have to change the connection string, which is painful ). Restart the service and run for one day. Check the Event Viewer again. No similar records can be found. The CPU usage is reduced to about 5, and the system response is obviously accelerated. The problem was solved successfully.

To prevent hackers from traversing the system login account, the Administrator is renamed. However, after the change, SQL server cannot be started, and the SQL SERVER is found in the service, the Logon account is reset, the computer is restarted, and SQL SERVER is started successfully.