[dba-SQLServer]Tracking events

Porter, Mark MPorter at acsalaska.com
Wed Apr 2 13:06:26 CST 2003


Good food for thought

Fortunately the backup ran just 2 hours before the table deletion.  The
admins are restoring now.  They are going to check the network login logs
directly afterwards.  Luckily this was pretty late in the evening so
determining logins will be pretty easy.

All we really have to go on is empty tables with new creation dates; we're
assuming they were dropped and recreated.  The structure was identical, so
we're not ruling out the possibility of an application error or a process
failure causing it.  

No employee churn in quite a while; we're not considering intentional
sabotage as a factor.

No SP_s in the system which specifically do this type of action.

More than likely it was an accident of some kind; we would like to track it
down to its point of origin and make sure it doesn't happen again.  We are
in the middle of a few large data conversion projects.

Any other ideas other than a 3rd party SQL Log explorer to find out who did
what SQL statements and when?

Mark

-----Original Message-----
From: Jim Lawrence (AccessD) [mailto:accessd at shaw.ca]
Sent: Wednesday, April 02, 2003 9:56 AM
To: dba-sqlserver at databaseadvisors.com
Subject: RE: [dba-SQLServer]Tracking events


Hi Mark:

What patch version of SQL 7 do you have? Some of the older versions can be
hacked through port address 1433 or 1434, according to some literature on
the web. (The actual URL escapes me but there are veiled references to it on
the MS site and a good explanation on patches and patching SQL7.)

The most likely explanation for such a targeted deletion would be that of
some clumsy or vindictive local employee, who ran a process either at the
office or remotely. Check your login logs for times. Have there been any
employees recently laid off who still have login privileges or a back-door
access?

Check all your SPs for use and/or creation...It might give a hint as to when
the deletion process was run. Check the alerts for any ongoing processes
that might, for example, rerun the same process every month or at the end of
each backup.

You have a good backup?

HTH
Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Porter,
Mark
Sent: Wednesday, April 02, 2003 10:05 AM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: [dba-SQLServer]Tracking events



DB=SQL Server 7

We've had a bit of a disaster here, and would like to know its cause.  Our
production system (SIEBEL) went down late last night and, after
investigating the tables, we found that a few of the critical tables had
been recreated (via the Create Date) late in the evening.  They were empty.

I'm a developer, not an Admin, so I don't know how to track who did what and
when.  Is there any way to access the SQL Server log files to determine how
the drop and recreate happened?

Thanks,

Mark


This transmittal may contain confidential information intended solely for
the addressee. If you are not the intended recipient, you are hereby
notified that you have received this transmittal in error; any review,
dissemination, distribution or copying of this transmittal is strictly
prohibited. If you have received this communication in error, please notify
us immediately by reply or by telephone (collect at 907-564-1000) and ask to
speak with the message sender. In addition, please immediately delete this
message and all attachments. Thank you.
_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com
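
The thread leans on two clues: tables with new creation dates, and Jim's suggestion to check stored procedures for creation. The query below is an added example, not part of the original messages. It pulls both from the SQL Server 7 system tables in one pass; the time window is an assumed placeholder.

```sql
-- Added example (not from the thread). Run inside the affected database.
-- Lists user tables and stored procedures created inside a time window,
-- with each object's owner and, for tables, the approximate row count.
-- The window values are assumed placeholders: set them to bracket the incident.
DECLARE @from datetime, @to datetime
SELECT  @from = '20030401 18:00', @to = '20030402 06:00'

SELECT  o.name   AS obj_name,
        u.name   AS owner_name,     -- database user that owns the object
        CASE o.xtype
             WHEN 'U' THEN 'user table'
             WHEN 'P' THEN 'stored procedure'
        END      AS obj_type,
        o.crdate AS created,
        i.rows   AS approx_rows     -- NULL for procedures; 0 = empty table
FROM    sysobjects o
JOIN    sysusers   u ON u.uid = o.uid
LEFT JOIN sysindexes i
        ON  i.id = o.id
        AND i.indid IN (0, 1)       -- 0 = heap, 1 = clustered index
WHERE   o.xtype IN ('U', 'P')
  AND   o.crdate BETWEEN @from AND @to
ORDER BY o.crdate
```

Tables created within seconds of each other under one owner suggest a single script or batch; compare those times and that owner against the network login logs mentioned above.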
