{"id":6895,"date":"2025-05-13T16:41:01","date_gmt":"2025-05-13T21:41:01","guid":{"rendered":"https:\/\/andreas-wolter.com\/?p=6895"},"modified":"2025-05-13T16:41:01","modified_gmt":"2025-05-13T21:41:01","slug":"2505_sqlserver_under_attack","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/2505_sqlserver_under_attack\/","title":{"rendered":"10 hours of SQL Server under attack \u2013 takeaways"},"content":{"rendered":"\n<div  class='av-special-heading av-m0cxh8ps-d767491cca6804b7a8e930ce7f52f818 av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >10 hours of SQL Server under attack \u2013 takeaways<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-m0cxgkjy-c935304b4106b45214698f40e83a9894 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Have you ever wondered what the signs of an attack on SQL Server look like?<\/p>\n<p>Once in a while, just for fun, I expose a SQL Server directly to the internet. 
Then I wait and see how long it takes for the first breach attempts to happen.<\/p>\n<p>This year at the <a href=\"https:\/\/sqlsaturday.com\/2025-05-10-sqlsaturday1105\/\" target=\"_blank\" rel=\"noopener\">SQLSaturday New York City<\/a> conference, which took place at the Microsoft offices in New York City, I had the honor of delivering my Performance Monitoring workshop as a <a href=\"https:\/\/andreas-wolter.com\/en\/2502-sqlsaturday-nyc-precon-performance-monitoring-sqlserver\/\">1-day PreCon<\/a>. What distinguishes my workshop is that attendees can connect to my SQL Server, which is running a production-like workload, and do some hands-on analysis themselves.<\/p>\n<p>I decided to make it easy \u2013 for myself as well as for attackers \u2013 <strong>and left the standard SQL Server port 1433 exposed to the internet<\/strong>, on purpose.<\/p>\n<p>Then I waited for the first break-in attempts to show up in the logs.<\/p>\n<p>In this post, I am sharing with you what happened:<\/p>\n<h2>First break-in attempts after 10 minutes<\/h2>\n<p>It took only 10 minutes, while I was still preparing the demo environment (workload simulations etc.), for the first attacker to try.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6892\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt1.jpg\" alt=\"SQLogonAttempt\" width=\"800\" height=\"441\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt1.jpg 800w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt1-300x165.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt1-768x423.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt1-705x389.jpg 705w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>The attacker apparently came from Iran. 
&#8211; Yes, I know, this can be forged, but based on experience, this was likely not the case.<\/p>\n<blockquote><p><em>Who leaves SQL Server exposed to the public internet?<\/em><\/p>\n<p>If you think it is unrealistic that someone would leave SQL Server exposed to the internet, I understand where you are coming from. However, not every company has sufficiently well-informed DBAs and network admins working for them.<\/p>\n<p>Shodan has a list of network scan results for the whole internet, and currently there are about 330.000 such SQL Server instances found, as you can see here: \u00a0<a href=\"https:\/\/www.shodan.io\/search?query=SQL+Server\" target=\"_blank\" rel=\"noopener\">https:\/\/www.shodan.io\/search?query=SQL+Server<\/a> \u00a0(I exclude the browser service results, as those may well point to the same SQL Servers already in the list.)<\/p><\/blockquote>\n<h2>Main workshop day, waiting for the first attacker of the day<\/h2>\n<p>Then came the day of the workshop. This time, the SQL Server would be online, and hence exposed, much longer.<\/p>\n<p>Just for fun, I made a bet with the attendees: which of the major nation-states known for aggressive and organized cyberattacks \u2014 <strong>China, russia, Iran, or North Korea<\/strong> \u2014 would be the first to hit my server that day?<\/p>\n<p>Well, the first attempt to breach the sa account came from Saudi Arabia. \ud83d\ude42 And in addition to that, for the remainder of that day, most attackers used North American IPs. 
Therefore, nobody won the bet.<\/p>\n<p><em><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6894\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt2.jpg\" alt=\"SQLogonAttempt\" width=\"800\" height=\"469\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt2.jpg 800w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt2-300x176.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt2-768x450.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/202505_SQLogonAttempt2-705x413.jpg 705w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/>\u00a0<\/em><\/p>\n<blockquote><p><em>Security recommendation<\/em><\/p>\n<p>Since sa is well documented for SQL Server, this is always the first account that is tried. Therefore, the recommendation is: <strong>do not use the sa account. Disable the sa account<\/strong> after setting a very long (100+ characters) password. 
<strong>Use a separate account for sysadmin privileges.<\/strong><\/p><\/blockquote>\n<h2>Other signs of ongoing probing or attacks<\/h2>\n<p>So far, we have seen the classic attempts to breach the sa account, followed by attempts on other well-known account names such as \u201cadmin\u201d, \u201cmssql\u201d, \u201csu\u201d, etc.<\/p>\n<p>But there are other signs that someone is probing your environment and SQL Server.<\/p>\n<p>Here are some of the typical error messages you will see in such cases (errors 17821, 17832 and 17836, shown below):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6886\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821.jpg\" alt=\"SQLError 17821\" width=\"850\" height=\"37\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821.jpg 850w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821-300x13.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821-768x33.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821-845x37.jpg 845w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17821-705x31.jpg 705w\" sizes=\"auto, (max-width: 850px) 100vw, 850px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6888\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832.jpg\" alt=\"SQLError 17832\" width=\"850\" height=\"40\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832.jpg 850w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832-300x14.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832-768x36.jpg 768w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832-845x40.jpg 845w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17832-705x33.jpg 705w\" sizes=\"auto, (max-width: 850px) 100vw, 850px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6890\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836.jpg\" alt=\"SQLError 17836\" width=\"850\" height=\"37\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836.jpg 850w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836-300x13.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836-768x33.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836-845x37.jpg 845w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/05\/2025-05_SQLError17836-705x31.jpg 705w\" sizes=\"auto, (max-width: 850px) 100vw, 850px\" \/><\/p>\n<p>So do not dismiss those. 
If you see these, pay extra attention.<\/p>\n<p>I hope this was interesting.<\/p>\n<p>If you feel you need a professional to look at your data estate from a security angle, please <a href=\"https:\/\/sarpedonqualitylab.us\/contact\/\" target=\"_blank\" rel=\"noopener\">reach out to me and my team<\/a>.<\/p>\n<p>Andreas<\/p>\n<\/div><\/section>\r\n\r\n<div  class='av-buildercomment av-284ftq-f5a1564cd6b8ffad6ce835e2d40de4b7  av-blog-meta-author-disabled 
av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":6892,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[378,206],"class_list":["post-6895","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-availability-groups","tag-sql-security"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=6895"}],"version-history":[{"count":2,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6895\/revisions"}],"predecessor-version":[{"id":6897,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6895\/revisions\/6897"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/6892"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=6895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=6895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=6895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}