Has anyone seen this....
On one of my SQL 7.0 sp 4-ish (version 7.00.1021) servers I have been seeing 100+ failed logins within one minute. After running a sniffer on the machine we found that the attacker appears to be opening a connection to port 1433 (SQL Server's port) and then running sp_cursoropen and then this query
SELECT name from sysxlogins
WHERE lower( name ) = 'builtin\administrators'
AND sysxlogins.xstatus = 22.8;
placing it in a cursor and running through the cursor
then running sp_cursoropen then this
SELECT name from sysxlogins
WHERE lower( name ) NOT IN ( 'master', 'tempb', 'msdb' )
ORDER BY name
and then running through the first half of this resulting cursor set.
Now, it doesn't appear that the user is getting into the box and since I know who he is I can stop the PC itself. I was just wondering if there is a service patch or security fix that I am missing? Or if this has happened to anyone else?
jimmY