November 23, 2004 at 6:23 am
I have a new client that has a SQL Server database. 1 server 14 users. They are getting SA Denied. I have put a trace on it and something is trying to kick off "0sql" with password SA. I am having trouble finding out where it is coming from. The server is one location and the "clients" are in 7 different locations. I can't get them to shut everything down and bring it up one by one. I have used Ethereal to trace the ports, but it was my first time using it, and still trying to figure out what the data means.
Any one have ideas on how to trace the SA login back to find out what process is kicking it off?
Thanks,
Joseph
November 23, 2004 at 11:55 am
Are you using SQL 7 or SQL 2000? In SQL 2000 we have alert feature that would send you email everytime we have login failure. From the login failure, you could check the system event log to see if it record which machine is sending that requested to use sa login.
November 30, 2004 at 12:34 pm
I am using sql 2000. I have already checked the event log and sql logs, it does not tell me where it is coming from. I did find out that it is trying to execute a script by using the -osql utility.
Joseph
November 30, 2004 at 12:47 pm
You said that you can't get them to shut everything down and bring up one by one. Can you get them to bring clients down one by one? Bring one down, and if you are still getting failed logins, you can mark that one off the list. Bring them back up, then go to the next.
It might be a little mean spirited, but you could also deny them access at the server level, and when the failed sa logins stop, you've found your culprit.
Steve
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply