• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1434
  • Last Modified:

Worrisome error 675 event id problem showing continuous unsuccessful audits, 7 per second

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            11/7/2006
Time:            1:52:31 PM
User:            NT AUTHORITY\SYSTEM
Computer:      LONGBOWFP01
Description:
Pre-authentication failed:
       User Name:            YOUR-A9279112E3$
       User ID:            LONGBOW\YOUR-A9279112E3$
       Service Name:            krbtgt/LONGBOW.INTRA
       Pre-Authentication Type:      0x2
       Failure Code:            0x18
       Client Address:            192.168.0.45
 

there are hundreds of these per day, all from this one IP address.  I'm not sure what's going on... can someone help?  Thanks.  
0
QuiteSupersonic
Asked:
QuiteSupersonic
1 Solution
 
trenesCommented:
Hi QuiteSupersonic,

Seems like you are under a dictionary attack.
Block the IP in the firewall.

Cheers!
regards,

Trenes
0
 
QuiteSupersonicAuthor Commented:
But i have setup an account lockout after 5 tries in group policy.  Shouldn't this prevent further attempts?  And it would seem as the requests are happening internally. After all, there is a machine with the .45 address on our network.  

Are you saying there's a program on this pc trying numerous user names and passwords to enter the system? Thanks.
0
 
Rich RumbleSecurity SamuraiCommented:
Doesn't stop attempts... just simply keeps them from succeeding if they did guess the password correctly.
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

That IP BTW looks like it's coming from inside your network as it's an RFC 1918 subnet.. the class B subnet 192.168.x.x
There are plenty of apps that can do this, and a very effective one is called TSgrinder http://www.hammerofgod.com/download.html
There are also plenty of viri that can trigger this, slammer, code-red, welcha... they scan for hosts to infect... you can find the switch port by the pc's mac address
-rich
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
QuiteSupersonicAuthor Commented:
Unfortunately the computer's name is generic, and i'm not sure which user's workstation this is.  Is there a way to know which user name is long onto a given pc in the domain?  
0
 
Rich RumbleSecurity SamuraiCommented:
nbtstat -A 192.168.0.45  (if it's not firewalled you can get the mac address) If it is firewalled, you will have to look on your router for the arp cache, on cisco you type
show arp
and look for the .45 ip's mac address, you go onto a switch and look for that mac, for 1U switches like the 2900 and 3500 series cisco's you type
show mac-address-table
and look for that same mac, for a catalyst series cisco switch like the 4000, 5000, 6500 series' you type
show cam dynamic     or   show cam ab-cd-ef-01-02-03 (that is an example mac address)
-rich
0
 
SoyYopCommented:
I'm having the same problem. I identified the machine, but I haven't logged into in a LONG time.

I haven't checked in detail. However, it may be some kind of service installed... with that account into the machine, which saved the password.

Or the user has a bad bug. My account is a hidden one (with $ at the end). So, is difficult anyone gets is easy...

I'll check this thread later.
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now