Porter, Mark
MPorter at acsalaska.com
Wed Apr 2 13:06:26 CST 2003
Good food for thought Fortunately the backup ran just 2 hours before the table deletion. The admins are restoring now. They are going to check the network login logs directly afterwards. Luckily this was pretty late in the evening so determining logins will be pretty easy. All we really have to go on is empty tables with new creation dates, we're assuming they were dropped and recreated. The structure was identical, so we're not ruling out the possibility of an application error or a process failure causing it. No employee churn in quite a while, we're not considering intentional sabotage as a factor. No SP_s in the system which specifically do this type of action. More than likely it was an accident of some kind, we would like to track it down to its point of origin and make sure it doesn't happen again. We are in the middle of a few large data conversion projects. Any other ideas other than a 3rd party SQL Log explorer to find out who did what SQL statements and when? Mark -----Original Message----- From: Jim Lawrence (AccessD) [mailto:accessd at shaw.ca] Sent: Wednesday, April 02, 2003 9:56 AM To: dba-sqlserver at databaseadvisors.com Subject: RE: [dba-SQLServer]Tracking events Hi Mark: What patch version of SQL 7 do you have? Some of the older versions can be hacked through port address 1433 or 1434, according to some literature on the web. (The actual URL escapes me but there is veiled references to it on the MS site and a good explanation on patches and patching SQL7) The most likely explanation for such a targeted deletion would be that of some clumsy or vindictive local employee, who ran a process either, at the office or remotely. Check your login logs for times. Have there been any employee recently laid off who still has login privileges or a back-door access? Check all you SP for use and/or creation...It might give a hint as to when the deletion process was ran. Check the alerts for any ongoing processes that might, for example, rerun the same process every month or at the end of each backup. You have a good backup? HTH Jim -----Original Message----- From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Porter, Mark Sent: Wednesday, April 02, 2003 10:05 AM To: 'dba-sqlserver at databaseadvisors.com' Subject: [dba-SQLServer]Tracking events DB=SQL Server 7 We've had a bit of a disaster here, and would like to know its cause. Our production system (SIEBEL) went down late last night and, after investigating the tables, we found that a few of the critical tables had been recreated (via the Create Date) late in the evening. They were empty. I'm a developer, not an Admin, so I don't know how to track who did what and when. Is there any way to access the SQL Server log files to determine how the drop and recreate happened? Thanks, Mark This transmittal may contain confidential information intended solely for the addressee. If you are not the intended recipient, you are hereby notified that you have received this transmittal in error; any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify us immediately by reply or by telephone (collect at 907-564-1000) and ask to speak with the message sender. In addition, please immediately delete this message and all attachments. Thank you. _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com This transmittal may contain confidential information intended solely for the addressee. If you are not the intended recipient, you are hereby notified that you have received this transmittal in error; any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify us immediately by reply or by telephone (collect at 907-564-1000) and ask to speak with the message sender. In addition, please immediately delete this message and all attachments. Thank you.