SQL Credentials changing on their own

CecilXavier

Good Morning all. I'm having a very strange problem. I have a SQL server that is running the background database for several of my production applications. One specific application's credentials started to randomly get changed. An example. I have my production server set with an ODBC connection to the SQL server. It uses the username and password of bob (not really, this is just an example). At random times the production server will lose connection to the SQL server. When I investigate a little I find that the production server is erroring out on the bob credentials. I go to the SQL server and sure enough, I cannot connect to SQL Management server using those credentials. I get into the server using other credentials and reset bob's password back to bob and all works great.
I really don't know where to start looking for this. Nothing has changed on the production server that is looking at the SQL server. We are in the works of getting the production server upgraded, but it hasn't gone into effect whatsoever.
Any help or guidance would be great. I know enough about SQL to hurt myself. Usually why I don't touch the server.
 
The only thing that I can find in event viewer, before it seems the credentials were changed, are a few event 100's and a SQLVDI error. But, we've had those since day one with this SQL server. Below are the copies of the events.
Event Type: Error
Event Source: qsa
Event Category: None
Event ID: 100
Date: 3/22/2013
Time: 10:54:05 AM
User: N/A
Computer: EMERGIN-SQL
Description:
The description for Event ID ( 100 ) in Source ( qsa ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: OCM Exception:
Code = "TRANSPORT_CONNECT_ERROR"
Desc = "Unable to connect to transport."
Detail = "ACM::poll OCM::SendReceive, Addr="us1-ws.service.gehealthcare.com:443". Message is idempotent (retry allowed).."
.

Event Type: Error
Event Source: qsa
Event Category: None
Event ID: 100
Date: 3/22/2013
Time: 10:43:04 AM
User: N/A
Computer: EMERGIN-SQL
Description:
The description for Event ID ( 100 ) in Source ( qsa ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: TcpIpTransport::Connect connect failed.
.

Event Type: Error
Event Source: SQLVDI
Event Category: None
Event ID: 1
Date: 3/22/2013
Time: 4:03:40 AM
User: N/A
Computer: EMERGIN-SQL
Description:
SQLVDI: Loc=CVDS::Cleanup. Desc=Release(ClientAliveMutex). ErrorCode=(288)Attempt to release mutex not owned by caller.
. Process=1720. Thread=1068. Client. Instance=. VD=.

For more information, see Help and Support Center at
 
I would set up a trace to capture a day's worth of activity (Account Login/Logoff for two events), I think there might be an event for accounts being changed/modified. See if someone or some application is changing the login (don't tell anyone you are running this trace if possible.....if someone is doing this on purpose and they find out you are tracing it, they won't do it).

-SQLBill

The following is part of my signature block and is only intended to be informational.
Posting advice: FAQ481-4875
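
One way to set up the trace suggested above, as an added example that is not part of the original thread: a server-side SQL Trace that records logins, failed logins, and login or password changes for one day, then a query showing who changed which login and from which host. The path `D:\Traces\login_audit` is an assumed placeholder; the folder must exist and be writable by the SQL Server service account.

```sql
-- Added example (not from the thread). Run as a sysadmin on the affected instance.
DECLARE @TraceID int, @rc int, @maxfilesize bigint, @on bit, @stop datetime;
DECLARE @event int, @col int;
SET @maxfilesize = 50;                        -- MB per rollover file
SET @on = 1;
SET @stop = DATEADD(day, 1, GETDATE());       -- trace stops itself after one day

-- Option 2 = TRACE_FILE_ROLLOVER. SQL Server appends .trc to the file name.
-- Assumption: D:\Traces is a placeholder folder that already exists.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'D:\Traces\login_audit',
                           @maxfilesize, @stop;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed, return code %d', 16, 1, @rc);
    RETURN;
END

-- Events: 14 Audit Login, 20 Audit Login Failed, 104 Audit Addlogin,
--         106 Audit Login Change Property, 107 Audit Login Change Password.
-- Columns: 8 HostName, 10 ApplicationName, 11 LoginName, 14 StartTime,
--          23 Success; for the change events also 21 EventSubClass
--          and 42 TargetLoginName (the login that was modified).
DECLARE @pairs TABLE (eventid int, columnid int);
INSERT INTO @pairs (eventid, columnid)
SELECT e.id, c.id
FROM (SELECT 14 AS id, 0 AS chg UNION ALL SELECT 20, 0 UNION ALL
      SELECT 104, 1 UNION ALL SELECT 106, 1 UNION ALL SELECT 107, 1) AS e
JOIN (SELECT 8 AS id, 0 AS chg_only UNION ALL SELECT 10, 0 UNION ALL
      SELECT 11, 0 UNION ALL SELECT 14, 0 UNION ALL SELECT 23, 0 UNION ALL
      SELECT 21, 1 UNION ALL SELECT 42, 1) AS c
  ON c.chg_only <= e.chg;

WHILE EXISTS (SELECT 1 FROM @pairs)
BEGIN
    SELECT TOP 1 @event = eventid, @col = columnid FROM @pairs;
    EXEC sp_trace_setevent @TraceID, @event, @col, @on;
    DELETE FROM @pairs WHERE eventid = @event AND columnid = @col;
END

EXEC sp_trace_setstatus @TraceID, 1;          -- 1 = start the trace
SELECT @TraceID AS TraceID;                   -- keep this id to stop the trace early
GO

-- Run later, after the credentials have changed again:
-- LoginName is the account that made the change, TargetLoginName the login changed.
SELECT StartTime, EventClass, EventSubClass, LoginName, TargetLoginName,
       HostName, ApplicationName, Success
FROM sys.fn_trace_gettable(N'D:\Traces\login_audit.trc', DEFAULT)
WHERE EventClass IN (104, 106, 107)
ORDER BY StartTime;
```

To stop the trace before the one-day limit, call `sp_trace_setstatus` with the returned id and status 0, then again with status 2 to close it.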
 
Found it. It was another computer with a virus logging in using SA to change the account's credentials.
 
Aha....was your SA account password blank by any chance? I hope you reset it to a very strong password.

-SQLBill

 
It wasn't blank. It was weak, but not blank. It is now so strong that even I can't get in. Literally. I forgot what it is and had to reset it again.
 