Connection error '28000': how to find the culprit (User and/or EXE)?

0

The database (SQL Anywhere 17) is "attacked" by an unknown application.
We receive dozens of messages:
I. 11/17 13:07:20. Connection from XX.X.XX.XXX:XXXXX assigned connection ID 224
E. 11/17 13:07:20. Connection ID 224: Connection error '28000': Invalid user ID or password

It does not reach the login_procedure, the message appears at the user/password verification stage.

Whether there is an opportunity means of a DB to learn what user and what application tries to connect to a DB?

ps I don't want to specify the number of failed login attempts, as it is suspected that a "good" user is using a "bad" password hidden in the application.

asked 17 Nov '22, 09:40

Ilia63's gravatar image

Ilia63
1.2k505578
accept rate: 44%

One Answer:
active answersoldest answersnewest answerspopular answers
3

You can get the userid by enabling auditing. See https://help.sap.com/docs/SAP_SQL_Anywhere/61ecb3d4d8be4baaa07cc4db0ddb5d0a/3bcea97f6c5f1014addcf626d6e456ce.html?q=audit_log.

But I wouldn't log to the transaction log for the output as the tutorial suggests. Use an event file instead: https://help.sap.com/docs/SAP_SQL_Anywhere/61ecb3d4d8be4baaa07cc4db0ddb5d0a/812cbb736ce2101490b7fab431caa9ff.html?q=audit_log

Unfortunately, auditing doesn't log the "appinfo" string which contains the client app executable name, etc. I'm not sure if it is available to the server that early in the connection attempt but, if it is, I think we should enhance auditing to record it.

permanent link

answered 17 Nov '22, 09:57

John%20Smirnios's gravatar image

John Smirnios
11.7k394161
accept rate: 37%

4

Oh, wait. You can also create a ConnectFailed event. It will have access to the appinfo (and the user).

CREATE EVENT: https://help.sap.com/docs/SAP_SQL_Anywhere/93079d4ba8e44920ae63ffb4def91f5b/816bb10e6ce21014b9c1ffdd3e67b36f.html?q=create%20event

Available event parameters for ConnectFailed: https://help.sap.com/docs/SAP_SQL_Anywhere/93079d4ba8e44920ae63ffb4def91f5b/81f7991d6ce21014b2ec94fdcb7db2ce.html?q=connectfailed

(17 Nov '22, 10:00) John Smirnios

Thanks! Great opportunity!

(17 Nov '22, 10:31) Ilia63
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×231

question asked: 17 Nov '22, 09:40

question was seen: 314 times

last updated: 17 Nov '22, 10:31

Related questions

Error Code -6 when applying a transaction log file (from live backup)

sysuser last login time not being updated

Backups suddenly failing

Problem using 'callback' form of 'connect', JavaScript External Environment

Error using ''sa_dbcapi_handle" in JavaScript External Environment with WIndows

SA-17 Purchase Order Suspended

Portable version of SA and MobiLink

dbconsole and SQL Anywhere 17

Is there a local HTML help available for 17.0.4?

http web service trace log is empty in sa 17.0.10.5963