Question

Failed Audit - Event ID 680

Asked by: WPHIT

Hi All,

We've noticed hundreds of failed logon attempts appear on the DC over the last 24 hours. Event ID below:

"Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      `bjeiVlak[]Y_bUUbY
 Source Workstation:      Workstationname
 Error Code:      0xC0000064"

The Workstation name is genuine but the logon account certainly isn't. This has been happening for about 60 machines. Our Workstations are Windows XP SP3 and the Servers run Windows Server 2003 R2.

We've scanned all the machines with Sophos and it removed xCmdSvc from the system32 directory on the XP desktops, but it then comes back. I guess we have a worm somewhere on the network but we can't seem to stop it propagating and remove it.

The Firewall to the outside world has always had port 445 blocked so I'm not sure it's related to the iraq oil worm that's prominent on most searches.

I've enabled logon auditing on the DC and netlogon.log shows hundreds of lines very similar to the below:
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Entered
10/02 15:26:19 [LOGON] ADMIN: NlPickDomainWithAccount: `bjeiVlak[]Y_bUUbY: Algorithm entered. UPN:0 Sam:0 Exp:0 Cross: 0 Root:1 DC:0
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Returns 0xC0000064
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Entered
10/02 15:26:20 [LOGON] ADMIN: NlPickDomainWithAccount: `bjeiVlak[]Y_bUUbY: Algorithm entered. UPN:0 Sam:0 Exp:0 Cross: 0 Root:1 DC:0
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064

These logs don't really help me much as I'd ideally have expected to see what machine the request came from.

When we clean the xCmdSvc from the system32 directory, another pc gets a copy of the same file in its system32 directory to replace it. Netstat shows internal port 445 being used and the PC shows a connection to its ipc$ share, but no clue as to where it came from.

We've got Sophos set to scan on read/write/access etc.. and on its most thorough settings, so this has stopped the xCmdSvc.exe being written to most of the machines, although I can still see the attempts there.

Any ideas how we can track down the source of this and stop it running?

Cheers
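The netlogon.log lines quoted above do carry the two pieces of information the question is after: the "from" field is the workstation name the client presented and "(via ...)" is the server that forwarded the logon to the DC, and the "Returns" value is the NTSTATUS of the attempt (0xC0000064 is STATUS_NO_SUCH_USER). The following parser is an added example, not code from the original post: it aggregates the "Returns" lines by account and status, records which workstations each failure came from, and flags an account that fails from several different workstations, which is the signature of something running on each host rather than one remote guesser. The sample log text is constructed in the quoted format; the workstation names, the jsmith account and the "Network logon" lines are placeholders, not hosts or accounts from the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the netlogon.log format quoted in the question. The
# workstation names and account names are placeholders, not real hosts; the
# status codes are the real NTSTATUS values such outcomes return.
SAMPLE_NETLOGON = """\
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Entered
10/02 15:26:19 [LOGON] ADMIN: NlPickDomainWithAccount: `bjeiVlak[]Y_bUUbY: Algorithm entered. UPN:0 Sam:0 Exp:0 Cross: 0 Root:1 DC:0
10/02 15:26:19 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\\`bjeiVlak[]Y_bUUbY from workstationname1 (via workstationname1) Returns 0xC0000064
10/02 15:26:20 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064
10/02 15:26:21 [LOGON] ADMIN: SamLogon: Transitive Interactive logon of (null)\\`bjeiVlak[]Y_bUUbY from workstationname3 (via workstationname3) Returns 0xC0000064
10/02 15:27:02 [LOGON] ADMIN: SamLogon: Network logon of ADMIN\\jsmith from workstationname7 (via workstationname7) Returns 0xC000006A
10/02 15:27:03 [LOGON] ADMIN: SamLogon: Network logon of ADMIN\\jsmith from workstationname7 (via workstationname7) Returns 0xC0000234
10/02 15:27:10 [LOGON] ADMIN: SamLogon: Network logon of ADMIN\\jsmith from workstationname7 (via workstationname7) Returns 0x0
"""

# Only the "Returns" lines carry the outcome; "Entered" and
# NlPickDomainWithAccount lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<dc_domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<domain>[^\\]+)\\(?P<account>.+?) "
    r"from (?P<src>\S+) \(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# NTSTATUS values that matter for this kind of triage.
STATUS_NAMES = {
    "0x0": "STATUS_SUCCESS",
    "0xC0000064": "STATUS_NO_SUCH_USER",       # the code in the question
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_samlogon_results(text):
    """Return one dict per SamLogon 'Returns' line, with the status decoded."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = "0x" + rec["status"][2:].upper()   # normalise hex case
        rec["status_name"] = STATUS_NAMES.get(rec["status"], "UNKNOWN")
        records.append(rec)
    return records


def summarize_failures(records):
    """Group failed logons by (account, status name) and count the workstations
    ('from' field) that submitted each of them."""
    summary = defaultdict(lambda: {"count": 0, "sources": Counter()})
    for rec in records:
        if rec["status"] == "0x0":
            continue
        entry = summary[(rec["account"], rec["status_name"])]
        entry["count"] += 1
        entry["sources"][rec["src"]] += 1
    return dict(summary)


def accounts_spread_across_hosts(summary, min_hosts=2):
    """Accounts failing from at least min_hosts distinct workstations: one name
    tried from many hosts points at code running on each of those hosts."""
    hosts = defaultdict(set)
    for (account, _status), info in summary.items():
        hosts[account].update(info["sources"])
    return sorted(a for a, h in hosts.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    summary = summarize_failures(parse_samlogon_results(SAMPLE_NETLOGON))
    for (account, status), info in sorted(summary.items()):
        print(f"{account!r:28} {status:26} {info['count']:4}  from {dict(info['sources'])}")
    print("seen from multiple workstations:", accounts_spread_across_hosts(summary))
```

Run against a real netlogon.log, the "sources" counter for the bogus account is the list of workstations to pull off the network first; the STATUS_ACCOUNT_LOCKED_OUT bucket is the one to watch for the lockout of a powered-down user's account mentioned later in the thread.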


Asked On: 2009-10-02 at 07:55:28 (ID 24780390)
Tags: Failed Audit Event Id 680 Windows Server 2003
Topics: Networking Security Vulnerabilities, Windows Network Security
Participating Experts: 1
Points: 500
Comments: 7


Answers

 

by: jfer0x01, posted on 2009-10-03 at 08:23:04 (ID: 25485672)

Hi,

It's definitely an attack attempt; there are many exploits that attack 445. You need to make sure that the port is actually being blocked, or, even better, not used.

close 445
http://www.petri.co.il/whats_port_445_in_w2k_xp_2003.htm
"
How to disable port 445?
You can easily disable port 445 on your computer. To do so follow these instructions:

Start Registry Editor (Regedit.exe).
Locate the following key in the registry:
HKLM\System\CurrentControlSet\Services\NetBT\Parameters

In the right-hand side of the window find an option called TransportBindName.
Double click that value, and then delete the default value, thus giving it a blank value.
Close the registry editor.
Reboot your computer.
After rebooting open a command prompt and in it type

netstat -an

See that your computer no longer listens to port 445.
"
Try viewing the access logs from the network device that feeds the workstations' internet access.

That's the only way you are going to find the attacker's source.

Jfer
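The quoted procedure ends with a netstat -an check that port 445 is no longer listening, and the question notes that netstat on an infected PC shows port 445 in use with an IPC$ session but "no clue as to where it came from". The foreign address of an ESTABLISHED connection to the local 139/445 is exactly that clue. The script below is an added example, not from the original thread or from petri.co.il: it parses netstat -an output in the Windows XP/2003 layout, reports which SMB ports are still in LISTENING state (445 should drop out after the TransportBindName change and a reboot) and counts inbound SMB sessions by the address that opened them. The sample output is constructed; 192.0.2.15 is a placeholder for the machine being examined and the other addresses are placeholders too.

```python
import re
from collections import Counter

SMB_PORTS = {139, 445}

# Constructed "netstat -an" output in the Windows XP/2003 layout. 192.0.2.15 is
# a placeholder for the workstation being examined; the peers are placeholders.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.15:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.15:445         192.0.2.77:1043        ESTABLISHED
  TCP    192.0.2.15:445         192.0.2.77:1051        ESTABLISHED
  TCP    192.0.2.15:139         192.0.2.88:1102        ESTABLISHED
  TCP    192.0.2.15:1030        192.0.2.5:389          ESTABLISHED
  UDP    192.0.2.15:137         *:*
"""

# One data row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """Split 'host:port' on the last colon; a '*' port (UDP wildcard) becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or ""})
    return rows


def smb_listeners(rows):
    """SMB ports (139/445) the host still accepts TCP connections on."""
    return {r["local_port"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["local_port"] in SMB_PORTS}


def inbound_smb_peers(rows):
    """Count ESTABLISHED sessions *to* our 139/445 by the address that opened
    them. Outbound SMB (local port ephemeral, foreign port 445) is excluded so
    our own connections to file servers do not show up as peers."""
    return Counter(r["foreign_host"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
                   and r["local_port"] in SMB_PORTS)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("SMB ports still listening:", sorted(smb_listeners(rows)))
    for peer, n in inbound_smb_peers(rows).most_common():
        print(f"inbound SMB sessions from {peer}: {n}")
```

On a machine where the worm has just dropped its file into system32, the most frequent inbound peer is the host to chase next; on a machine where 445 has been unbound, smb_listeners should report only 139 (or nothing, if NetBIOS over TCP/IP is also disabled).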

 

by: WPHIT, posted on 2009-10-05 at 04:52:42 (ID: 25494307)

Thanks for your reply Jfer,

We have port 445 'stealth' at the perimeter, would blocking it internally stop some applications / printing from working?

I've checked through the firewall logs and identified a machine internally that was sending across port 445 and also 8-10 Port 139 connections. I've taken that machine off the network and the replication of the worm has stopped according to Sophos.

We're still getting some of the failed login attempts for the non-existent username "bjeiVlak[]Y_bUUbY" on the DC so I guess we're still being attacked by something.

Am I right in assuming the "Root:1" part of the netlogon.log signifies a local attempt at logging on via a share as opposed to attempts on web-facing servers such as OWA?

Most of the alerts we were getting for the executable have been found in system restore partitions so we're globally disabling and then enabling System Restore overnight via GP.

Thanks






 

by: jfer0x01, posted on 2009-10-05 at 17:56:11 (ID: 25501171)

445 will not necessarily hinder usage.

The problem is that a stealth port isn't really closed; a lot of new exploits use the range 137-139 for NetBIOS attacks that are initiated through 445 or 139.

Do you have MS Exchange?

Odds are, if you disable 445, it could affect usage. I would at least try it, though.

Jfer

 

by: WPHIT, posted on 2009-10-08 at 03:11:39 (ID: 25523614)

Hi Jfer,

We're not able to block port 445 internally. We had a few issues arise on the machines I tested blocking the port on.

137-139 and 445 are all blocked at the perimeter outbound and inbound, I can see 1-2 connection attempts on these ports every minute or so.

Disabling system restore on the machines to clear out old volumes has almost stopped the xcmdsvc.exe being written to the system32 directory, just the 2 attempts today. However, we're still getting the same volume of failed logon attempts in the netlogon.log file with the same username.

We've now seen 1 user's account being locked out for the past few nights whilst they've not been working and their machine was powered down, does this sound like it's related?

 

by: jfer0x01, posted on 2009-10-08 at 05:32:58 (ID: 25524607)

Since the exploiter probably did get LAN/user information after having infiltrated the network, it is possible.

Net attacks happen each day from people that brute-force script, though.

In any case, view the logs for the source IP, and determine what ISP the attacker used; call the ISP and inform them that a user of their service (or an IP from their service) is being used to commit malicious attacks.

I know it sounds like work, but having worked at an ISP before, this kind of call, although rare, will be treated with seriousness and action.

There could be other rootkits installed if xcmdsvc still spawns on machines

Jfer

 

by: jfer0x01, posted on 2009-10-13 at 16:55:18 (ID: 25566027)

Any advancements?

 

by: WPHIT, posted on 2009-10-19 at 00:26:17 (ID: 31636408)

Hi Jfer,

All now sorted, clearing out system restore has stopped replication of the xcmdsvc and we've manually cleaned up a few machines that had some other infections.

The logs off the firewall were all going back to 2 IPs, so I've forwarded those details on to the relevant ISPs.

Cheers
