[dba-SQLServer] Logins on workstation

Billy Pang tuxedo_man at hotmail.com
Sun Feb 13 13:09:31 CST 2005 

Not sure how those logins got there in first place.  first thing I'd check 
is syslogins table to see when they were created.  (ie. SELECT crdate,* FROM 
master.dbo.SYSLOGINS).  maybe that provides some insight.  what is an 
example of the bogus logins that are created? do they follow some sort of 
naming convention? maybe it was created during some sort of app install.

HTH

Billy

>From: Steve Erbach <erbachs at gmail.com>
>Reply-To: dba-sqlserver at databaseadvisors.com
>To: dba-sqlserver at databaseadvisors.com
>Subject: [dba-SQLServer] Logins on workstation
>Date: Sun, 13 Feb 2005 10:32:23 -0600
>
>Dear Group,
>
>I downloaded the DB Designer 4 from FabForce to check it out. I
>thought I'd see what it could do with a database I've got on my
>workstation's copy of SQL Server 2000. It has helped me in my
>development of a .NET application.
>
>Anyway, my SQL Server uses Windows authentication and I change my
>workstation password every 60 days. Imagine my surprise today when I
>looked at the Logins under Security for my server...and I found 459
>logins!!!!!!!?????
>
>What the heck, over? I looked at the properties for a bunch of these
>bogus logins and I see that all the Authentication options are
>disabled, but there's a password listed and the radio button for SQL
>Server Authentication is selected. None of these users (at least the
>ones I've checked so far) have no Server roles selected nor do they
>have permissions for any of the databases I've got.
>
>Now this is creeping me out because:
>
>1) I have a Router
>2) I use ZoneAlarm Pro
>
>Looking at my ZoneAlarm Pro settings, I see that the settings I used
>to have for blocking incoming UDP and TCP requests on the SQL Server
>ports are gone. Does this mean that, since I have my SQL Server
>running all the time on my workstation, that SQL Server requests have
>been made hundreds of times and neither my router's firewall nor
>ZoneAlarm has raised a red flag?
>
>Any thoughts on this? My period of alarm is past since it appears that
>none of these Logins have access to anything...but how did they get
>into my server?
>
>Regards,
>
>Steve Erbach
>Scientific Marketing
>Neenah, WI
>www.swerbach.com
>Security Page: www.swerbach.com/security
>_______________________________________________
>dba-SQLServer mailing list
>dba-SQLServer at databaseadvisors.com
>http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
>http://www.databaseadvisors.com
>

More information about the dba-SQLServer mailing list