Solved

Failed NtLmSsp Logon Processes

Posted on 2013-05-22
Last Modified: 2013-07-29
We have a very odd failed NtLmSsp login issue. Every day at 11:35 PM EDT we get an alert generated in LabTech.

These failed logins are generated by only three machines. A Server 2008, a Win 7 machine, and a Win XP machine. The Win 7 and Win XP machines are both NOT joined to the domain. The Server 2008 is joined to the domain.

The events all happen at 11:35AM or 11:35PM. They happen on different servers at the same time by the same machine and sometimes happen at the same time on different servers by one of each machine. Sometimes we'll go for 2-3 days without getting one of these events. Sometimes only one machine will generate the event.

We're completely stumped by this. Can anyone help or does anyone have any ideas what could be causing this? We have looked in task scheduler for clues, but nothing so far. Also have tried procmon at 11:30pm to log any traffic, but didn't see anything and no event had been created on that night.


Event for Server 2008 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: arrcnetadmin

Domain: BDRCW0003675

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BDRCW0003675

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.210

Source Port: 61353
result Security.:856


Event for Win 7 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: volunteers

Domain: W7-VOLUNTE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: W7-VOLUNTE

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.195

Source Port: 0
result Security.


Event for Win XP machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: pos

Domain: POS

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: POS

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.240

Source Port: 0
result Security.
Question by:btny
4 Comments

Accepted Solution

by:
Aaron Tomosky earned 500 total points
Sounds like a backup script with old credentials
 

Author Comment

by:btny
That sounds plausible, but all of the login requests aren't coming from our backup appliance. The requests are coming from the backup appliance, a win 2003 server, and an xp machine. XP machine isn't even joined to the domain.
 

Author Comment

by:btny
We are still investigating where this came from
 

Author Closing Comment

by:btny
It's possible, but we're pursuing this further with our backup service.
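Added example, not part of the thread and not LabTech's own code: a small Python triage script that parses alert bodies in the layout quoted in the question and reports which source/user pairs keep failing NTLM network logons at the same minute of a 12-hour cycle, the pattern a scheduled job with stale credentials would leave. It assumes each alert is paired with the time it was received; the timestamps, the `example-user` entry and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_alert(body):
    """Turn the 'Name: value' lines of one alert body into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):          # ignore lines that carry no value
            fields[m.group(1)] = m.group(2)
    return fields

def recurring_sources(alerts, period_min=720, tolerance_min=2, min_hits=2):
    """Map (source address, user) -> 'HH:MM' slot for network NTLM failures
    that keep landing on the same minute of a repeating cycle (default 12 h)."""
    slots = defaultdict(list)
    for ts, body in alerts:
        f = parse_alert(body)
        if f.get("Logon Process") != "NtLmSsp" or f.get("Logon Type") != "3":
            continue
        key = (f.get("Source Network Address"), f.get("User Name"))
        slots[key].append((ts.hour * 60 + ts.minute) % period_min)
    found = {}
    half = period_min // 2
    for key, mins in slots.items():
        # circular distance from the first hit, so 11:59 and 00:00 count as close
        drift = [abs((m - mins[0] + half) % period_min - half) for m in mins]
        if len(mins) >= min_hits and max(drift) <= tolerance_min:
            found[key] = "%02d:%02d" % divmod(mins[0], 60)
    return found

def make_alert(user, host, addr):
    """Constructed alert body that follows the layout of the alerts quoted above."""
    return ("EV - Failed Logins* FAILED on MRM at NY for Logon Failure:\n\n"
            f"User Name: {user}\n\nDomain: {host}\n\nLogon Type: 3\n\n"
            f"Logon Process: NtLmSsp\n\nSource Network Address: {addr}\n")

# Constructed sample: the dates are invented, the page gives only times of day.
SAMPLE_ALERTS = [
    (datetime(2013, 5, 20, 23, 35), make_alert("arrcnetadmin", "BDRCW0003675", "192.168.5.210")),
    (datetime(2013, 5, 21, 11, 35), make_alert("arrcnetadmin", "BDRCW0003675", "192.168.5.210")),
    (datetime(2013, 5, 20, 23, 35), make_alert("pos", "POS", "192.168.5.240")),
    (datetime(2013, 5, 22, 11, 36), make_alert("pos", "POS", "192.168.5.240")),
    (datetime(2013, 5, 21, 9, 47), make_alert("example-user", "EXAMPLE-PC", "192.0.2.10")),
    (datetime(2013, 5, 21, 14, 12), make_alert("example-user", "EXAMPLE-PC", "192.0.2.10")),
]
print(recurring_sources(SAMPLE_ALERTS))
```

A source that shows up in the result is the machine to inspect for scheduled tasks, services or mapped drives that still hold the old password for the reported user name.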
