Solved

Failed NtLmSsp Logon Processes

Posted on 2013-05-22
Last Modified: 2013-07-29
We have a very odd failed NtLmSsp login issue. Every day at 11:35 PM EDT we get an alert generated in LabTech.

These failed logins are generated by only three machines: a Server 2008, a Win 7 machine, and a Win XP machine. The Win 7 and Win XP machines are both NOT joined to the domain. The Server 2008 is joined to the domain.

The events all happen at 11:35AM or 11:35PM. They happen on different servers at the same time by the same machine and sometimes happen at the same time on different servers by one of each machine. Sometimes we'll go for 2-3 days without getting one of these events. Sometimes only one machine will generate the event.

We're completely stumped by this. Can anyone help, or does anyone have any ideas what could be causing this? We have looked in Task Scheduler for clues, but nothing so far. We have also tried procmon at 11:30 PM to log any traffic, but didn't see anything, and no event was created that night.


Event for Server 2008 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:
Reason: Unknown user name or bad password
User Name: arrcnetadmin
Domain: BDRCW0003675
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BDRCW0003675
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.5.210
Source Port: 61353
result Security.:856


Event for Win 7 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:
Reason: Unknown user name or bad password
User Name: volunteers
Domain: W7-VOLUNTE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: W7-VOLUNTE
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.5.195
Source Port: 0
result Security.


Event for Win XP machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:
Reason: Unknown user name or bad password
User Name: pos
Domain: POS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: POS
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.5.240
Source Port: 0
result Security.
Question by:btny
4 Comments

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 39189777
Sounds like a backup script with old credentials
0
 

Author Comment

by:btny
ID: 39207829
That sounds plausible, but all of the login requests aren't coming from our backup appliance. The requests are coming from the backup appliance, a Win 2003 server, and an XP machine. The XP machine isn't even joined to the domain.
0
 

Author Comment

by:btny
ID: 39317494
We are still investigating where this came from
0
 

Author Closing Comment

by:btny
ID: 39364172
It's possible, but we're pursuing this further with our backup service.
0
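
Added example, not code from any poster in this thread: one way to test the "scheduled job with stale credentials" theory is to group the failed-logon alerts by source address and account and check whether they recur at the same position on the 12-hour clock. The function names, the timestamps, and the `jsmith` / `PC77` / `192.168.5.77` entries are constructed assumptions; the field names and the other values come from the alerts in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_alert(text):
    """Turn the 'Key: Value' lines of one failed-logon alert into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def scheduled_failures(events, min_hits=3, tolerance_min=2):
    """events: (datetime, alert_text) pairs. Return {(source, user): 'HH:MM'} for
    NtLmSsp type 3 failures that recur at one position on the 12-hour clock."""
    groups = defaultdict(list)
    for when, text in events:
        f = parse_alert(text)
        if f.get("Logon Process") != "NtLmSsp" or f.get("Logon Type") != "3":
            continue
        key = (f.get("Source Network Address"), f.get("User Name"))
        groups[key].append((when.hour % 12) * 60 + when.minute)
    found = {}
    for key, slots in groups.items():
        # Offsets from the first hit, wrapped so 11:59 and 12:01 are 2 minutes apart.
        offs = sorted((s - slots[0] + 360) % 720 - 360 for s in slots)
        if len(slots) >= min_hits and offs[-1] - offs[0] <= tolerance_min:
            mid = (slots[0] + offs[len(offs) // 2]) % 720
            found[key] = "%02d:%02d" % (mid // 60 or 12, mid % 60)
    return found

def sample_alert(user, host, addr):
    """Constructed alert body using the field names shown in the question."""
    return ("Reason: Unknown user name or bad password\nUser Name: %s\n"
            "Domain: %s\nLogon Type: 3\nLogon Process: NtLmSsp\n"
            "Workstation Name: %s\nSource Network Address: %s\n"
            % (user, host, host, addr))

# Constructed sample: all timestamps are invented; jsmith is invented noise.
A = sample_alert("arrcnetadmin", "BDRCW0003675", "192.168.5.210")
P = sample_alert("pos", "POS", "192.168.5.240")
N = sample_alert("jsmith", "PC77", "192.168.5.77")
SAMPLE = [(datetime(2013, 5, d, h, m), a) for d, h, m, a in [
    (20, 23, 35, A), (21, 11, 35, A), (22, 23, 36, A),
    (20, 23, 35, P), (21, 11, 34, P), (22, 23, 35, P),
    (20, 9, 12, N), (21, 14, 47, N), (22, 16, 3, N)]]
```

A source and account pair that shows up here points at a scheduled task, service, mapped drive or agent on that source machine still presenting an old password, which is where to look next.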
