Solved

Thousands of 675 errors in DC event log

Posted on 2010-11-22
13
574 Views
Last Modified: 2013-11-05
I am stumped on this one. We are getting thousands (>90,000) of 675 entries in the DC security event log constantly!

Symptoms:
There are 6-10 entries per second
There are around 100 entries per user in a row, then it seems to move onto the next user
There appears to be no pattern of which user it picks next - they are not in the same site OU, it's not in alphabetical order
All of the entries appear to be coming from a single client IP. Firstly we remove the original client from the network, but now it appears to have moved onto another client
There entries are only occuring on one site server, The other site servers on the same domain are not showing any similar messages
I've had a look at the logs on the client machine and they don't appear to be showing anything that would cause/instigate this many failed authentication attempts
I've checked all the accounts in AD and they are active and not expired
I've sync'd the time on the DC and the client


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            22/11/2010
Time:            04:33:08
User:            NT AUTHORITY\SYSTEM
Computer:      [siteDC]
Description:
Pre-authentication failed:
       User Name:      [username]
       User ID:            PIC\[username]
       Service Name:      krbtgt/[domain]
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.x.x.4


Any ideas/suggestions!?

All other research and possible resolutions have failed so far.
0
Comment
Question by:jonathonberg
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 7

Expert Comment

by:ieden
ID: 34187581
Sounds like someone is trying to gain access by guessing passwords...
0
 
LVL 9

Expert Comment

by:losip
ID: 34187690
Have you changed password complexity rules lately?
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187733
This behavior can occur if a user has a manually mapped and saved connection after a password change. Go to the affected users desktop and disconnect all drives. perhaps add the drive in question to the login script.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187756
@ieden, that was my first thought but the OP is getting this on many different users and it's comparatively unlikely that they've all suddenly changed their passwords.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187797
@losip, when you asked about password policy being changed, the thought then came that perhaps they did all change their password.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187838
Only if they went through and pre-expired all passwords forcing a change at next logon.  In my experience, the effect you mention only occurs when drives are mapped using explicit credentials - perhaps from machines that are not part of the domain.  Normal drive mappings with domain accounts don't usually do this on password chaneg unless the user changes his password from a machine other than the one with the mappings.  We had this with some Unix machines mapping SMB drives but not on the scale reported.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 2

Author Comment

by:jonathonberg
ID: 34188060
The drive mapping idea did come to mind but it doesn't explain why it's cycling through different users, but reporting from the same client.

The strange things is that the users being reported have nothing to do with this client - they are not on the same site or in the same OU. It's almost as if something on the PC is cycling through LDAP and trying to logon using each user account it finds!?

I agree that the symptoms would match some kind of intrusion attack on the network?
0
 
LVL 9

Expert Comment

by:losip
ID: 34188109
The other time I saw this was in a large organisation with separate server/account admin team to the IT Security/audit team.  A rogue admin had changed part of the account policies which he wasn't authorised to do and created a script to fill up the Security log until it cycled round and overflowed and covered up the audit event of his mis-deed!  Fortunately, due to our account policies and use of Operations Manager, he was thwarted.
0
 
LVL 2

Author Comment

by:jonathonberg
ID: 34195463
I think the next thing I will be doing is inspecting the client very closely to check that it's AV etc is up to date and that there is nothing malicious installed/running.

Some reports show it may be DNS issue, but if it was I don't see why it would be picking up random AD users and referring to this single client.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34337731
So how has it been going with this issue?
0
 
LVL 2

Accepted Solution

by:
jonathonberg earned 0 total points
ID: 34341446
Investigation eventually revealed it was the PGP edge protection client software throwing up a fault on a few workstations.  The workstations were attended to and the traffic ceased.  

Thanks to those who threw up suggestions.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35225182
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now