[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Worrisome error 675 event id problem showing continuous unsuccessful audits, 7 per second

Posted on 2006-11-11
6
Medium Priority
?
1,432 Views
Last Modified: 2013-12-04
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            11/7/2006
Time:            1:52:31 PM
User:            NT AUTHORITY\SYSTEM
Computer:      LONGBOWFP01
Description:
Pre-authentication failed:
       User Name:            YOUR-A9279112E3$
       User ID:            LONGBOW\YOUR-A9279112E3$
       Service Name:            krbtgt/LONGBOW.INTRA
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            192.168.0.45
 

there are hundreds of these per day, all from this one IP address.  I'm not sure what's going on... can someone help?  Thanks.  
0
Comment
Question by:QuiteSupersonic
6 Comments
 
LVL 9

Expert Comment

by:trenes
ID: 17921823
Hi QuiteSupersonic,

Seems like you are under a dictionary attack.
Block the IP in the firewall.

Cheers!
regards,

Trenes
0
 

Author Comment

by:QuiteSupersonic
ID: 17921846
But i have setup an account lockout after 5 tries in group policy.  Shouldn't this prevent further attempts?  And it would seem as the requests are happening internally. After all, there is a machine with the .45 address on our network.  

Are you saying there's a program on this pc trying numerous user names and passwords to enter the system? Thanks.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17927867
Doesn't stop attempts... just simply keeps them from succeeding if they did guess the password correctly.
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

That IP BTW looks like it's coming from inside your network as it's an RFC 1918 subnet.. the class B subnet 192.168.x.x
There are plenty of apps that can do this, and a very effective one is called TSgrinder http://www.hammerofgod.com/download.html
There are also plenty of viri that can trigger this, slammer, code-red, welcha... they scan for hosts to infect... you can find the switch port by the pc's mac address
-rich
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:QuiteSupersonic
ID: 17927937
Unfortunately the computer's name is generic, and i'm not sure which user's workstation this is.  Is there a way to know which user name is long onto a given pc in the domain?  
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 17930347
nbtstat -A 192.168.0.45  (if it's not firewalled you can get the mac address) If it is firewalled, you will have to look on your router for the arp cache, on cisco you type
show arp
and look for the .45 ip's mac address, you go onto a switch and look for that mac, for 1U switches like the 2900 and 3500 series cisco's you type
show mac-address-table
and look for that same mac, for a catalyst series cisco switch like the 4000, 5000, 6500 series' you type
show cam dynamic     or   show cam ab-cd-ef-01-02-03 (that is an example mac address)
-rich
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 18079228
I'm having the same problem. I identified the machine, but I haven't logged into in a LONG time.

I haven't checked in detail. However, it may be some kind of service installed... with that account into the machine, which saved the password.

Or the user has a bad bug. My account is a hidden one (with $ at the end). So, is difficult anyone gets is easy...

I'll check this thread later.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question