Saturday, February 25, 2012

Possible Hack Attempt - Guidance Needed

Dear All,
I run a trace that checks for "Audit Login Fail". To be honest I set it up
out of interest, never expecting anything to come of it. Yesterday I was on
holiday and got in today to find that I have had some audit failures.
They go something like this:-
Login failed for user 'sa'
Login failed for user 'admin'
Login failed for user 'probe'
Login failed for user 'sql'
Login failed for user 'Nessus-Test-User'
There are clusters of these which are done within a second.
Therefore I have reported an attempted hack. Can anyone tell me if I have
jumped the gun here, and if not what can I do to trace the hacker.
Thanks
Peter

Did you also check to see if any security scanning tools
were run on the server? Something like MBSA?
Generally there is an entry in the Windows event log when
running security scanning tools.
You can use a network sniffer to track login attempts.
You can find more information on securing SQL Server at the
SQL Server security center site:
http://www.microsoft.com/sql/techinfo/administration/2000/security/default.asp
-Sue
On Tue, 12 Apr 2005 03:13:02 -0700, "Peter Nolan"
<PeterNolan@.discussions.microsoft.com> wrote:

>Dear All,
>I run a trace that checks for "Audit Login Fail". To be honest I set it up
>out of interest, never expecting anything to come of it. Yesterday I was on
>holiday and got in today to find that I have had some audit failures.
>They go something like this:-
>Login failed for user 'sa'
>Login failed for user 'admin'
>Login failed for user 'probe'
>Login failed for user 'sql'
>Login failed for user 'Nessus-Test-User'
>There are clusters of these which are done within a second.
>Therefore I have reported an attempted hack. Can anyone tell me if I have
>jumped the gun here, and if not what can I do to trace the hacker.
>Thanks
>Peter

Thanks for your input Sue.
Unfortunately I do not have any server access, and the person I needed to
speak to (Head of IT Security) is on holiday.
I have done some research and found that it was indeed a hack attempt (have
a look at http://www.nessus.org) however they could not actually get into the
database as the sa password is too tight. Thank you for the link to SQL
Security; I have been through that before and have already put in the
requirements.
The thought is that our Parent Company sometimes do security audits and this
may be one of those, but we will know more tomorrow.
Anyway thank you again for your response.
Peter
"Sue Hoegemeier" wrote:

> Did you also check to see if any security scanning tools
> were run on the server? Something like MBSA?
> Generally there is an entry in the Windows event log when
> running security scanning tools.
> You can use a network sniffer to track login attempts.
> You can find more information on securing SQL Server at the
> SQL Server security center site:
> http://www.microsoft.com/sql/techinfo/administration/2000/security/default.asp
> -Sue
> On Tue, 12 Apr 2005 03:13:02 -0700, "Peter Nolan"
> <PeterNolan@.discussions.microsoft.com> wrote:
>
>
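
The pattern described in this thread (several different account names failing within a second, one of them 'Nessus-Test-User') can be checked for mechanically. The following Python is an added example, not part of the original posts; the log lines are constructed, and the timestamp layout, the one-second window and the three-name threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the original thread); the timestamp
# layout is an assumption, the message text follows the posts above.
SAMPLE_LOG = """\
2005-04-11 09:15:02.100 Login failed for user 'jsmith'
2005-04-11 14:02:17.120 Login failed for user 'sa'
2005-04-11 14:02:17.310 Login failed for user 'admin'
2005-04-11 14:02:17.480 Login failed for user 'probe'
2005-04-11 14:02:17.650 Login failed for user 'sql'
2005-04-11 14:02:17.900 Login failed for user 'Nessus-Test-User'
2005-04-11 16:40:51.000 Login failed for user 'jsmith'
"""

LINE_RE = re.compile(r"^(\S+ \S+) Login failed for user '([^']*)'")
SCANNER_NAMES = {"nessus-test-user"}  # the account name reported in the thread


def parse(log_text):
    """Return sorted (timestamp, user) pairs for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2)))
    return sorted(events)


def find_bursts(events, window=timedelta(seconds=1), min_users=3):
    """Group failures that fall within `window` of the first one in the group
    and keep groups that tried at least `min_users` distinct account names."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        users = sorted({u for _, u in events[i:j + 1]}, key=str.lower)
        if len(users) >= min_users:
            hint = any(u.lower() in SCANNER_NAMES for u in users)
            bursts.append({"start": events[i][0], "users": users, "scanner_hint": hint})
        i = j + 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse(SAMPLE_LOG)):
        print(b["start"], b["users"], "scanner-like" if b["scanner_hint"] else "")
```

A `scanner_hint` only records that the account name seen in this thread appeared in the burst; whether the scan was an authorised audit, as the posts raise, still has to be confirmed with whoever owns security testing.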
