Recently I found that a hosted web server had somehow restarted. The server mainly runs the IIS service and the SQL Server service.
Over Telnet, the system response was very slow, with a noticeable lag. Task Manager showed CPU usage at roughly 30%. Event Viewer showed a large number of Information-level events whose source is mssql$pncsms, with event ID 18456 and the logon task category. They ran almost uninterrupted for 24 hours at 15 records per second, and the content of each record was roughly the same, such as: "User 'sa' login failed. Cause: The login name that matches the provided name is not found. [client: 60.191.144.214]". Only the username sometimes differed. The client IP address also changed over time (every few minutes to hours). These IP addresses were traced to Hunan, Henan and other locations.
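The pattern described above (event 18456 repeating many times per second from one client address while the login name varies) can be flagged automatically. The following is an added example, not code from the original post: it assumes the events were exported as text lines of the form `<timestamp> <message>` using the English wording of the 18456 message, and the sample lines, the login names `admin`, `test` and `report`, and the window and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# English text of event 18456; the leading timestamp layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Login failed for user "
    r"'(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]")

def parse(line):
    """Return (timestamp, user, client_ip), or None if not a failed login."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients with >= threshold failures inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every login name that client tried
    flagged = {}                  # ip -> {"peak": max failures per window, "users": set}
    for ts, user, ip in sorted(filter(None, map(parse, lines))):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(ip, {"peak": 0, "users": users[ip]})
            hit["peak"] = max(hit["peak"], len(q))
    return flagged

def build_sample():
    """Constructed log lines: one noisy client, one ordinary failed login."""
    base = datetime(2015, 6, 1, 10, 0, 0)
    why = "Reason: Could not find a login matching the name provided."
    lines = []
    for i in range(30):           # 15 failures per second for two seconds
        ts = base + timedelta(seconds=i // 15)
        user = ("sa", "admin", "test")[i % 3]
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} Login failed for user '{user}'. "
                     f"{why} [CLIENT: 60.191.144.214]")
    lines.append("2015-06-01 10:00:01 Login failed for user 'report'. Reason: "
                 "Password did not match that for the login provided. [CLIENT: 192.0.2.10]")
    lines.append("2015-06-01 10:00:02 Service heartbeat (unrelated line)")
    return lines

if __name__ == "__main__":
    for ip, hit in find_bruteforce(build_sample()).items():
        print(ip, hit["peak"], sorted(hit["users"]))
```

Because the source address in the incident changed every few minutes to hours, a per-client threshold like this one catches each address while it is active; summing failures across all clients would catch the campaign as a whole.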
It is very clear that someone was attempting to break into the database by trying passwords one after another (brute force). So I renamed the database sa account and changed the database's TCP port under IPAll from the default of 1433 to another port number (every application's connection string has to change to match, which is a pain!). After restarting the service and letting it run for a day, Event Viewer no longer showed similar records, CPU utilization dropped to about 5%, and the system responded significantly faster. The problem has been satisfactorily resolved.
To prevent attackers from enumerating the system login account, the Administrator account was also renamed, but after the rename SQL Server could not start. The fix was to find SQL Server in Services and set its logon account again using the new system logon account. After the computer restarted, SQL Server started successfully.
Responding to a hacker attack: a case involving a SQL Server database