[dba-SQLServer]Tracking events

Jim Lawrence (AccessD) accessd at shaw.ca
Wed Apr 2 12:56:22 CST 2003 

Hi Mark:

What patch version of SQL 7 do you have? Some of the older versions can be
hacked through port address 1433 or 1434, according to some literature on
the web. (The actual URL escapes me but there is veiled references to it on
the MS site and a good explanation on patches and patching SQL7)

The most likely explanation for such a targeted deletion would be that of
some clumsy or vindictive local employee, who ran a process either, at the
office or remotely. Check your login logs for times. Have there been any
employee recently laid off who still has login privileges or a back-door
access?

Check all you SP for use and/or creation...It might give a hint as to when
the deletion process was ran. Check the alerts for any ongoing processes
that might, for example, rerun the same process every month or at the end of
each backup.

You have a good backup?

HTH
Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Porter,
Mark
Sent: Wednesday, April 02, 2003 10:05 AM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: [dba-SQLServer]Tracking events



DB=SQL Server 7

We've had a bit of a disaster here, and would like to know its cause.  Our
production system (SIEBEL) went down late last night and, after
investigating the tables, we found that a few of the critical tables had
been recreated (via the Create Date) late in the evening.  They were empty.

I'm a developer, not an Admin, so I don't know how to track who did what and
when.  Is there any way to access the SQL Server log files to determine how
the drop and recreate happened?

Thanks,

Mark


This transmittal may contain confidential information intended solely for
the addressee. If you are not the intended recipient, you are hereby
notified that you have received this transmittal in error; any review,
dissemination, distribution or copying of this transmittal is strictly
prohibited. If you have received this communication in error, please notify
us immediately by reply or by telephone (collect at 907-564-1000) and ask to
speak with the message sender. In addition, please immediately delete this
message and all attachments. Thank you.
_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com

More information about the dba-SQLServer mailing list