SQL Server: sa password cracking logins from the local IP, how to troubleshoot? Insta

Time:10-24

Background: a server at the company was once hit by an attempted ransomware infection (found in time and ended by killing it). The server has 360 antivirus installed with the latest patches and the complete set, and it has been running normally recently. Only when checking the Windows log do I see that there are attacks like this regularly every day, using the local IP. Each attack lasts less than a minute, with a record every second; the records are posted below.

After all that, I did not find where the attack is coming from. How should I troubleshoot this kind of situation?


CodePudding user response:

The system is Windows 2012; it used to be 2008.

CodePudding user response:

It may be scheduled tasks and so on.

CodePudding user response:

A login from 127 would be a little SAO. Look at the scheduled tasks (though something this silly is not usually the case); the core thing is still to look at the processes for any strange process, especially powershell.

CodePudding user response:

Possible reasons:
1. The machine was not cleaned completely, and there is still a Trojan program.
2. The machine has a scheduled task that logs in to perform some database operations (such as a backup task).
3. The machine has a particular program that logs in to the database to perform some operations (such as updating some data).

CodePudding user response:

Quoting the reply from wisewoman on the second floor:
may be scheduled tasks and so on


I looked through the last few days; there is no particular pattern in the times.

CodePudding user response:

I disabled sa and also tried port 1433; it still appeared, but the login message became:

User 'sa' login failed, the reason: the account is disabled, [client: <named pipe>]

CodePudding user response:

sa is disabled, so what are you afraid of?
The trouble is that the attacking IP is the local one.
Check whether the machine's normal operations or scheduled tasks use sa.
If not, check the processes.
It may be a virus or Trojan.
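
Added example (not part of any post in this thread): one way to test the scheduled-task theory from the replies is to group the failed-login records into bursts and compare their start times across days. The log lines are constructed in SQL Server ERRORLOG style, and the 5-second gap and the set of clients counted as local are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style; not data from the thread.
SAMPLE_LOG = """\
2023-10-23 03:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-10-23 03:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <named pipe>]
2023-10-23 03:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <named pipe>]
2023-10-23 03:15:03.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <named pipe>]
2023-10-23 11:40:07.55 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2023-10-24 03:15:00.98 Logon       Login failed for user 'sa'. Reason: The account is disabled. [CLIENT: <named pipe>]
2023-10-24 03:15:02.01 Logon       Login failed for user 'sa'. Reason: The account is disabled. [CLIENT: <named pipe>]
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]")
# Assumption: these client values are counted as "local". Named pipes can also
# be reached over the network, so treat that one as a hint, not proof.
LOCAL_CLIENTS = {"<named pipe>", "<local machine>", "127.0.0.1", "::1"}

def parse(text):
    """Return (timestamp, user, client) for every failed-login line."""
    hits = filter(None, map(LINE_RE.match, text.splitlines()))
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"])
            for m in hits]

def summarize(user, client, run):
    return {"user": user, "client": client, "local": client in LOCAL_CLIENTS,
            "start": run[0], "count": len(run),
            "seconds": int((run[-1] - run[0]).total_seconds())}

def bursts(events, gap=timedelta(seconds=5)):
    """Split each (user, client) series into bursts separated by more than gap."""
    by_key = defaultdict(list)
    for ts, user, client in sorted(events):
        by_key[(user, client)].append(ts)
    out = []
    for (user, client), stamps in by_key.items():
        run = [stamps[0]]
        for ts in stamps[1:]:
            if ts - run[-1] > gap:
                out.append(summarize(user, client, run))
                run = []
            run.append(ts)
        out.append(summarize(user, client, run))
    return sorted(out, key=lambda b: b["start"])
```

Bursts that begin at the same clock time each day can be compared with scheduled-task triggers; irregular start times point toward the process check the replies suggest.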
