From: Barry Dorrans (barrydIDUNNO.ORG)
Date: Tue May 21 2002 - 02:38:02 CDT


    This is a cross summary of discussions from the incidents.org list.

    There's been a severe rise in port 1433 scanning, and login attempts to
    SA (using a blank password). It seems to be coming from Win2k boxes,
    some of which are running basic IIS, in (from the home page) what looks
    like an unused state.

    I would suggest everyone makes sure that failed SQL logins are turned on
    (this is off by default) - go to SQL Enterprise Manager, right-click on
    your server, choose properties and then choose security. The failed
    login attempts go into the Application log (why that's not the security
    log, I have no idea). Make sure that no SQL servers have blank SAs. Also
    remember that some programs (Visio 2002 Enterprise for example) can
    install MSDB, a cut-down SQL engine, which will install with blank SA.

    I can only assume that they are scanning for boxes missing the MS02-020
    patch.

    Regards,

    Barry
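
Once failed-login auditing is on, the Application log entries the post mentions can be checked for bursts of failed SA logins. The following is an added example, not part of the original post: it assumes the Application log has been exported to CSV with hypothetical columns `timestamp,source,message`, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: an Application log export as CSV. The column layout is
# an assumption for this example; only the message text follows SQL Server's
# "Login failed for user '<name>'." wording.
SAMPLE_EXPORT = """timestamp,source,message
2002-05-21 02:10:01,MSSQLSERVER,Login failed for user 'sa'.
2002-05-21 02:10:02,MSSQLSERVER,Login failed for user 'sa'.
2002-05-21 02:10:04,MSSQLSERVER,Login failed for user 'SA'.
2002-05-21 02:10:30,MSSQLSERVER,Login succeeded for user 'webapp'.
2002-05-21 02:14:59,MSSQLSERVER,Login failed for user 'sa'.
2002-05-21 03:40:00,MSSQLSERVER,Login failed for user 'report'.
2002-05-21 03:41:00,W3SVC,Login failed for user 'sa'.
"""

FAILED = re.compile(r"Login failed for user '([^']+)'", re.IGNORECASE)


def failed_logins(export_text, account="sa"):
    """Return sorted timestamps of failed logins for `account` from SQL Server sources."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["source"].upper().startswith("MSSQL"):
            continue  # ignore events written by other sources
        m = FAILED.search(row["message"])
        if m and m.group(1).lower() == account.lower():
            hits.append(datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"))
    return sorted(hits)


def bursts(timestamps, threshold=3, window=timedelta(minutes=5)):
    """Return (start, count) for each window holding at least `threshold` failures."""
    found, i = [], 0
    while i < len(timestamps):
        j = i
        while j < len(timestamps) and timestamps[j] - timestamps[i] <= window:
            j += 1
        if j - i >= threshold:
            found.append((timestamps[i], j - i))
            i = j  # skip past the burst already reported
        else:
            i += 1
    return found
```

The threshold and window are illustrative defaults; tune them to the normal failure rate of the server being monitored.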