Failed Audit - Event ID 680

Asked by WPHIT in Networking Security Vulnerabilities, Windows Network Security

Tags: Failed Audit Event Id 680 Windows Server 2003

Hi All,

We've noticed hundreds of failed logon attempts appear on the DC over the last 24 hours. Event ID below:

"Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      `bjeiVlak[]Y_bUUbY
 Source Workstation:      Workstationname
 Error Code:      0xC0000064"

The workstation name is genuine, but the logon account certainly isn't. This has been happening for about 60 machines. Our workstations are Windows XP SP3 and the servers run Windows Server 2003 R2.

We've scanned all the machines with Sophos and it removed xCmdSvc from the system32 directory on the XP desktops, but it then comes back. I guess we have a worm somewhere on the network, but we can't seem to stop it propagating or remove it.

The firewall to the outside world has always had port 445 blocked, so I'm not sure it's related to the Iraq oil worm that's prominent in most searches.

I've enabled logon auditing on the DC and netlogon.log shows hundreds of lines very similar to the below:
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Entered
10/02 15:26:19 [LOGON] ADMIN: NlPickDomainWithAccount: `bjeiVlak[]Y_bUUbY: Algorithm entered. UPN:0 Sam:0 Exp:0 Cross: 0 Root:1 DC:0
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Returns 0xC0000064
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Entered
10/02 15:26:20 [LOGON] ADMIN: NlPickDomainWithAccount: `bjeiVlak[]Y_bUUbY: Algorithm entered. UPN:0 Sam:0 Exp:0 Cross: 0 Root:1 DC:0
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064

These logs don't really help me much, as I'd ideally have expected to see what machine the request came from.

When we clean the xCmdSvc from the system32 directory, another PC gets a copy of the same file in its system32 directory to replace it. Netstat shows internal port 445 being used and the PC shows a connection to its ipc$ share, but no clue as to where it came from.

We've got Sophos set to scan on read/write/access etc. and on its most thorough settings, so this has stopped the xCmdSvc.exe being written to most of the machines, although I can still see the attempts there.

Any ideas how we can track down the source of this and stop it running?

Cheers
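One way to triage the netlogon.log excerpts quoted in the question, added here as an example and not something posted in this thread: parse the "Returns" lines, aggregate failures per source workstation and per account, and flag account names that cannot be real sAMAccountNames (Windows refuses names containing characters such as `[` and `]`, so the name in the log can only come from a malformed or machine-generated request). The status 0xC0000064 is NTSTATUS STATUS_NO_SUCH_USER, which is consistent with that. The CORP\jsmith lines and the extra timestamps are constructed to show how ordinary failures are separated out; the workstation names, account string and status codes are as the asker showed them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the netlogon.log format quoted in the question. The
# malformed account, workstation names and 0xC0000064 lines mirror the asker's
# excerpt; the CORP\jsmith lines are made up to show normal failures.
SAMPLE_NETLOGON = r"""
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Entered
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Returns 0xC0000064
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064
10/02 15:26:21 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064
10/02 15:27:02 [LOGON] ADMIN: SamLogon: Network logon of CORP\jsmith from workstationname2 (via workstationname2) Returns 0xC000006A
10/02 15:27:40 [LOGON] ADMIN: SamLogon: Network logon of CORP\jsmith from workstationname2 (via workstationname2) Returns 0x0
"""

# Only the "Returns" lines carry a result; "Entered" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+: SamLogon: "
    r"(?P<kind>.+?) logon of (?P<domain>[^\\]*)\\(?P<account>\S+) "
    r"from (?P<source>\S+) \(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Well-known NTSTATUS values seen in Event ID 680 / netlogon.log failures.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Characters Windows rejects in a sAMAccountName; a logon name containing one
# cannot belong to an existing account, so it points to malformed or
# machine-generated requests rather than a user typing the wrong name.
INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>')


def is_plausible_sam_account_name(name):
    """True if the name could be a real user sAMAccountName (<= 20 chars, no forbidden characters)."""
    return 0 < len(name) <= 20 and not (set(name) & INVALID_SAM_CHARS)


def parse_netlogon(text):
    """Return one dict per 'Returns' line with ts, kind, domain, account, source, via, status."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_failures(records):
    """Aggregate failed logons so the noisy clients and impossible account names stand out."""
    by_status = Counter()
    by_source = Counter()                 # failed attempts per source workstation
    sources_per_account = defaultdict(set)  # account -> workstations that tried it
    malformed = set()
    for r in records:
        code = int(r["status"], 16)
        if code == 0:
            continue  # successful logons are not part of the failure picture
        by_status[NTSTATUS.get(code, r["status"])] += 1
        by_source[r["source"]] += 1
        sources_per_account[r["account"]].add(r["source"])
        if not is_plausible_sam_account_name(r["account"]):
            malformed.add(r["account"])
    return {
        "by_status": dict(by_status),
        "by_source": dict(by_source),
        "sources_per_account": {a: sorted(s) for a, s in sources_per_account.items()},
        "malformed_accounts": sorted(malformed),
    }


if __name__ == "__main__":
    report = summarize_failures(parse_netlogon(SAMPLE_NETLOGON))
    print("Failures by status:", report["by_status"])
    print("Failures by source workstation:", report["by_source"])
    print("Accounts that cannot exist:", report["malformed_accounts"])
    for account, sources in report["sources_per_account"].items():
        print(f"  {account!r} attempted from {', '.join(sources)}")
```

The "from" field in netlogon.log names the client on which the logon was attempted, which is why, as the question notes, it does not reveal where the request originated on the network. What the per-source counts do give you is the list of clients that are generating the attempts, so they can be prioritised for cleanup and for a local look at what process is holding the port 445 connection.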

10/03/09 08:23 AM, ID: 25485672 - Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
10/05/09 04:52 AM, ID: 25494307 - Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
10/05/09 05:56 PM, ID: 25501171 - Expert Comment

10/08/09 03:11 AM, ID: 25523614 - Author Comment

10/08/09 05:32 AM, ID: 25524607 - Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zones: Networking Security Vulnerabilities, Windows Network Security
Tags: Failed Audit Event Id 680 Windows Server 2003
Solution Provided By: jfer0x01
Participating Experts: 1
Solution Grade: A
 
10/13/09 04:55 PM, ID: 25566027 - Expert Comment
