Solved

Thousands of 675 errors in DC event log

Posted on 2010-11-22
Last Modified: 2013-11-05
I am stumped on this one. We are getting thousands (>90,000) of 675 entries in the DC security event log constantly!

Symptoms:
There are 6-10 entries per second
There are around 100 entries per user in a row, then it seems to move onto the next user
There appears to be no pattern of which user it picks next - they are not in the same site OU, it's not in alphabetical order
All of the entries appear to be coming from a single client IP. First we removed the original client from the network, but now it appears to have moved on to another client
These entries are only occurring on one site server; the other site servers on the same domain are not showing any similar messages
I've had a look at the logs on the client machine and they don't appear to be showing anything that would cause/instigate this many failed authentication attempts
I've checked all the accounts in AD and they are active and not expired
I've synced the time on the DC and the client


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            22/11/2010
Time:            04:33:08
User:            NT AUTHORITY\SYSTEM
Computer:      [siteDC]
Description:
Pre-authentication failed:
       User Name:      [username]
       User ID:            PIC\[username]
       Service Name:      krbtgt/[domain]
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.x.x.4


Any ideas/suggestions!?

All other research and possible resolutions have failed so far.
0
Question by:jonathonberg
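As an added example (not code from the question or from any of the replies), the script below parses Event ID 675 records in the layout quoted above and groups them by Client Address, counting how many distinct accounts each source has failed pre-authentication for. The sample records, the domain name pic.example, and the flagging thresholds are constructed assumptions. One address failing across many unrelated accounts, which is the pattern the poster describes, then stands out from a single stale credential, which only ever hits one account; the failure-code table also shows why 0x18 is a bad-password result rather than an expired account or clock skew, both of which the poster had already ruled out.

```python
"""Group Kerberos pre-authentication failures (Event ID 675) by client address.

Added example; the record layout follows the event quoted in the question.
All records below are constructed, not taken from the poster's log.
"""
import re
from collections import defaultdict

# Kerberos error codes (RFC 4120) seen in the Failure Code field of event 675.
FAILURE_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, locked or expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}

# One record, in the same field order as the event quoted in the question.
RECORD_TEMPLATE = """\
Event Type:      Failure Audit
Event Source:      Security
Event ID:      675
Time:            {time}
Computer:      SITEDC
Description:
Pre-authentication failed:
       User Name:      {user}
       User ID:            PIC\\{user}
       Service Name:      krbtgt/pic.example
       Pre-Authentication Type:      0x2
       Failure Code:      {code}
       Client Address:      {client}

"""

RECORD_RE = re.compile(
    r"Pre-authentication failed:\s*"
    r"User Name:\s*(?P<user>\S+)\s*"
    r"User ID:\s*(?P<userid>\S+)\s*"
    r"Service Name:\s*(?P<service>\S+)\s*"
    r"Pre-Authentication Type:\s*(?P<patype>0x[0-9a-fA-F]+)\s*"
    r"Failure Code:\s*(?P<code>0x[0-9a-fA-F]+)\s*"
    r"Client Address:\s*(?P<client>[\d.]+)"
)


def make_record(user, client, code="0x18", time="04:33:08"):
    """Build one constructed event record (sample data only)."""
    return RECORD_TEMPLATE.format(user=user, client=client, code=code, time=time)


# Constructed sample: 10.0.0.4 fails against six different accounts, four
# times each (the cycling pattern); 10.0.0.9 fails only for its own user
# (a stale saved credential); 10.0.0.12 has a single clock-skew failure.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = "".join(
    [make_record(u, "10.0.0.4") for u in SPRAY_USERS for _ in range(4)]
    + [make_record("grace", "10.0.0.9") for _ in range(3)]
    + [make_record("heidi", "10.0.0.12", code="0x25")]
)


def parse_events(text):
    """Return one dict per 675 record found in the exported log text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def summarize_by_client(events):
    """Per client address: total failures, distinct accounts, failure codes."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            ev["client"], {"total": 0, "users": set(), "codes": defaultdict(int)}
        )
        entry["total"] += 1
        entry["users"].add(ev["user"].lower())
        entry["codes"][ev["code"]] += 1
    return summary


def suspicious_sources(summary, min_users=5, min_total=20):
    """Clients failing pre-auth for many distinct accounts (thresholds assumed).

    A stale mapped drive or a user retyping a password hits one account;
    one address walking through many accounts is the pattern to investigate.
    """
    return sorted(
        client for client, s in summary.items()
        if len(s["users"]) >= min_users and s["total"] >= min_total
    )


def describe_code(code):
    """Human-readable meaning of a Failure Code value."""
    return FAILURE_CODES.get(code.lower(), "unknown code " + code)


if __name__ == "__main__":
    summary = summarize_by_client(parse_events(SAMPLE_LOG))
    for client, s in sorted(summary.items()):
        codes = ", ".join(f"{c} {describe_code(c)} x{n}" for c, n in s["codes"].items())
        print(f"{client}: {s['total']} failures, {len(s['users'])} accounts; {codes}")
    print("sources to investigate:", suspicious_sources(summary))
```

Run against a text export of the security log in place of SAMPLE_LOG; a real export has other fields between records, which the regex skips because it only anchors on the "Pre-authentication failed:" block.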
13 Comments
 
LVL 7

Expert Comment

by:ieden
ID: 34187581
Sounds like someone is trying to gain access by guessing passwords...
0
 
LVL 9

Expert Comment

by:losip
ID: 34187690
Have you changed password complexity rules lately?
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187733
This behavior can occur if a user has a manually mapped and saved connection after a password change. Go to the affected user's desktop and disconnect all drives. Perhaps add the drive in question to the login script.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187756
@ieden, that was my first thought but the OP is getting this on many different users and it's comparatively unlikely that they've all suddenly changed their passwords.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187797
@losip, when you asked about password policy being changed, the thought then came that perhaps they did all change their password.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187838
Only if they went through and pre-expired all passwords, forcing a change at next logon. In my experience, the effect you mention only occurs when drives are mapped using explicit credentials - perhaps from machines that are not part of the domain. Normal drive mappings with domain accounts don't usually do this on password change unless the user changes his password from a machine other than the one with the mappings. We had this with some Unix machines mapping SMB drives, but not on the scale reported.
0
 
LVL 2

Author Comment

by:jonathonberg
ID: 34188060
The drive mapping idea did come to mind but it doesn't explain why it's cycling through different users, but reporting from the same client.

The strange thing is that the users being reported have nothing to do with this client - they are not on the same site or in the same OU. It's almost as if something on the PC is cycling through LDAP and trying to log on using each user account it finds!?

I agree that the symptoms would match some kind of intrusion attack on the network?
0
 
LVL 9

Expert Comment

by:losip
ID: 34188109
The other time I saw this was in a large organisation with a server/account admin team separate from the IT Security/audit team. A rogue admin had changed part of the account policies, which he wasn't authorised to do, and created a script to fill up the Security log until it cycled round and overflowed and covered up the audit event of his misdeed! Fortunately, due to our account policies and use of Operations Manager, he was thwarted.
0
 
LVL 2

Author Comment

by:jonathonberg
ID: 34195463
I think the next thing I will be doing is inspecting the client very closely to check that its AV etc. is up to date and that there is nothing malicious installed/running.

Some reports show it may be a DNS issue, but if it was I don't see why it would be picking up random AD users and referring to this single client.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34337731
So how has it been going with this issue?
0
 
LVL 2

Accepted Solution

by:
jonathonberg earned 0 total points
ID: 34341446
Investigation eventually revealed it was the PGP edge protection client software throwing up a fault on a few workstations. The workstations were attended to and the traffic ceased.

Thanks to those who threw up suggestions.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35225182
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
