Solved

Failed NtLmSsp Logon Processes

Posted on 2013-05-22
4
2,910 Views
Last Modified: 2013-07-29
We have a very odd failed NtLmSsp login issue. Everyday at 11:35 PM EDT we get an alert generated in LabTech.

These failed logins are generated by only three machines. A Server 2008, a Win 7 machine, and a Win XP machine. The Win 7 and Win XP machines are both NOT joined to the domain. The Server 2008 is joined to the domain.

The events all happen at 11:35AM or 11:35PM. They happen on different servers at the same time by the same machine and sometimes happen at the same time on different servers by one of each machine. Sometimes we'll go for 2-3 days without getting one of these events. Sometimes only one machine will generate the event.

We're completely stumped by this. Can anyone help or does anyone have any ideas what could be causing this? We have looked in task scheduler for clues, but nothing so far. Also have tried procmon at 11:30pm to log any traffic, but didn't see anything and no event had been created on that night.


Event for Server 2008 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: arrcnetadmin

Domain: BDRCW0003675

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BDRCW0003675

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.210

Source Port: 61353
result Security.:856


Event for Win 7 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: volunteers

Domain: W7-VOLUNTE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: W7-VOLUNTE

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.195

Source Port: 0
result Security.


Event for Win XP machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: pos

Domain: POS

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: POS

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.240

Source Port: 0
result Security.
0
Comment
Question by:btny
  • 3
4 Comments
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 39189777
Sounds like a backup script with old credentials
0
 

Author Comment

by:btny
ID: 39207829
That  sounds plausible, but all of the login requests aren't coming from our backup appliance. The requests are coming from the backup appliance, a win 2003 server, and an xp machine. XP machine isn't even joined to the domain.
0
 

Author Comment

by:btny
ID: 39317494
We are still investigating where this came from
0
 

Author Closing Comment

by:btny
ID: 39364172
It's possible, but we're pursuing this further with our backup service.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
save browser passwords 11 73
Windows 7 Networking - Public vs. Work vs Public 8 37
VPN Server config in Modem 5 31
VPN Server 5 15
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr‚Ķ

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question