Detecting Logins

Do you have a login on any of your SQL Server instances that is named “default”? If you do, you might have an issue with the MrbMiner malware, which has infected a number of SQL Server instances. Once it is in, it adds a login named “default” with the password “@fg125kjnhn987”.

Stop and double-check your instances now. If you use SQL Monitor, you can also add a custom metric that checks for this login to your alerts, so the check runs on an ongoing basis.
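Here is a T-SQL version of that check, added here as an example (it is not from the editorial and not a SQL Monitor metric shipped by Redgate). It looks for the login by name, and also for the malware's password under any other login name using PWDCOMPARE(), since the name is easy to change and the password is the part that was reported. The password value is the one given above; the collation name is an assumption and can be swapped for any case-insensitive one.

```sql
-- Added example: hunt for the MrbMiner backdoor login. On a clean instance
-- the first two queries return no rows and the third returns 0. Reading
-- password_hash in sys.sql_logins needs CONTROL SERVER (it is NULL otherwise).

-- 1. The login by name. COLLATE forces a case-insensitive match even on a
--    case-sensitive server collation; Latin1_General_CI_AS is an assumption.
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_principals
WHERE name COLLATE Latin1_General_CI_AS = N'default';

-- 2. The malware's password under ANY login name. PWDCOMPARE() tests a
--    clear-text password against the stored hash, so a renamed backdoor
--    (or an administrator who reused the same string) is found as well.
SELECT name, create_date, modify_date, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1;

-- 3. Both tests as a single number, the shape a custom metric or any
--    scheduled check wants: alert when backdoor_logins > 0.
SELECT COUNT(*) AS backdoor_logins
FROM sys.sql_logins
WHERE name COLLATE Latin1_General_CI_AS = N'default'
   OR PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1;
```

Finding the login is the easy part. A hit means the instance was reachable with a password weak enough to be brute-forced, so treat it as a compromised server and review what else was done with that access, rather than just dropping the login and moving on.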

I don’t know that this is a SQL Server problem. It’s really a user/administrator issue. The malware works by guessing weak passwords, which is always a problem, and it needs a SQL Server that is exposed directly to the Internet. Shodan shows lots of SQL Servers on the Internet, and if you own any of them, you should be sure you have *very* strong passwords.

Or remove them from public Internet access.

While this is easy to detect, what if the login were stevejones? Can you detect whether logins are added to your SQL Server? Sure you can, but would you really notice something strange? On my instances, where I add all logins, I would. In many organizations where I’ve worked, more than one person added logins, and logins could be added on a regular basis. Often these are associated with tickets in some system, like Jira, but even if they are, would you know an extra one got added? I bet most people wouldn’t notice, especially across their estate and with a team of administrators.

That’s a problem, and it’s one where we ought to have good controls in place. There are a few places I know of where every change is submitted through a pipeline of sorts, meaning that everything is logged, and given the integration with release management tools and ticketing systems, things can be audited. Maybe more importantly, approved logins could be added to a list that is compared with the actual list of logins on a server.

Possible, but not necessarily simple to implement or get right. Maybe the low-tech solution I’d use is a daily report that includes the changes from the previous day. All administrators could check it to be sure any new logins were added by one of them.
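What that daily report and the approved-list comparison could look like in T-SQL, added here as an example (this is not the author's own script). It assumes a DBA database named DBAdmin holding a dbo.ApprovedLogin table, which it creates if missing and seeds once from an instance you currently trust; the database name, table name and the BASELINE ticket value are assumptions. The last query reads the default trace to show who issued the CREATE LOGIN; the default trace is on by default but keeps only the most recent files, so create_date and modify_date in sys.server_principals remain the durable evidence.

```sql
-- Added example: daily login-change report plus approved-list comparison.
-- DBAdmin, dbo.ApprovedLogin and the BASELINE ticket value are assumptions.
USE DBAdmin;
GO

IF OBJECT_ID(N'dbo.ApprovedLogin', N'U') IS NULL
    CREATE TABLE dbo.ApprovedLogin
    (
        login_name  sysname      NOT NULL PRIMARY KEY,
        ticket      varchar(32)  NOT NULL,   -- e.g. the Jira key that approved it
        approved_by sysname      NOT NULL,
        approved_on datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME()
    );
GO

-- One-off baseline, taken only while the table is empty and only from an
-- instance you trust today. Every login added later needs its own ticket row.
IF NOT EXISTS (SELECT 1 FROM dbo.ApprovedLogin)
    INSERT INTO dbo.ApprovedLogin (login_name, ticket, approved_by)
    SELECT p.name, 'BASELINE', SUSER_SNAME()
    FROM sys.server_principals AS p
    WHERE p.type IN ('S', 'U', 'G')         -- SQL login, Windows user, Windows group
      AND p.name NOT LIKE '##%';            -- certificate-based system logins

DECLARE @since datetime2(0) = DATEADD(HOUR, -24, SYSDATETIME());

-- Report 1: logins created or changed in the last 24 hours. modify_date also
-- moves on password changes, renames and enable/disable, so those appear too.
SELECT p.name, p.type_desc, p.create_date, p.modify_date, p.is_disabled,
       CASE WHEN p.create_date >= @since THEN 'created' ELSE 'modified' END AS change,
       ISNULL(a.ticket, 'NO TICKET') AS ticket
FROM sys.server_principals AS p
LEFT JOIN dbo.ApprovedLogin AS a ON a.login_name = p.name
WHERE p.type IN ('S', 'U', 'G')
  AND p.name NOT LIKE '##%'
  AND (p.create_date >= @since OR p.modify_date >= @since)
ORDER BY p.modify_date DESC;

-- Report 2: logins present on the server but absent from the approved list.
-- This is the "stevejones" case: a plausible name that nobody asked for.
SELECT p.name, p.type_desc, p.create_date
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')
  AND p.name NOT LIKE '##%'
  AND NOT EXISTS (SELECT 1 FROM dbo.ApprovedLogin AS a WHERE a.login_name = p.name)
ORDER BY p.create_date DESC;

-- Report 3: who issued the CREATE LOGIN / DROP LOGIN, from the default trace.
-- The trace keeps only the last few rollover files, so it is enrichment, not
-- the record. Path handling assumes Windows separators; use '/' on Linux.
DECLARE @trace nvarchar(260);
SELECT @trace = REVERSE(SUBSTRING(REVERSE(path), CHARINDEX(N'\', REVERSE(path)), 260)) + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

SELECT t.StartTime, t.LoginName AS performed_by, t.HostName, t.ApplicationName,
       t.TargetLoginName,
       CASE t.EventSubClass WHEN 1 THEN 'add' WHEN 2 THEN 'drop' END AS action
FROM sys.fn_trace_gettable(@trace, DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE e.name = N'Audit Addlogin Event'
  AND t.StartTime >= @since
ORDER BY t.StartTime DESC;
```

Schedule this as an Agent job that mails the three result sets each morning. Report 2 is the one that catches the quiet additions: anything with NO TICKET, or not on the approved list at all, should be explained by one of the administrators that day, and if nobody claims it, the "default" login from the top of this editorial is the best case, not the worst.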

You should know how to secure your SQL Server. Implement strong controls, and be sure that you periodically audit for anything unusual. At the very least, ensure you have monitoring in place so that unusual or strange activity can be detected.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.

About way0utwest

Editor, SQLServerCentral
This entry was posted in Editorial.