Failed NtLmSsp Logon Processes

We have a very odd failed NtLmSsp login issue. Every day at 11:35 PM EDT we get an alert generated in LabTech.

These failed logins are generated by only three machines: a Server 2008, a Win 7 machine, and a Win XP machine. The Win 7 and Win XP machines are both NOT joined to the domain. The Server 2008 is joined to the domain.

The events all happen at 11:35AM or 11:35PM. They happen on different servers at the same time by the same machine and sometimes happen at the same time on different servers by one of each machine. Sometimes we'll go for 2-3 days without getting one of these events. Sometimes only one machine will generate the event.

We're completely stumped by this. Can anyone help or does anyone have any ideas what could be causing this? We have looked in task scheduler for clues, but nothing so far. Also have tried procmon at 11:30pm to log any traffic, but didn't see anything and no event had been created on that night.


Event for Server 2008 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: arrcnetadmin

Domain: BDRCW0003675

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BDRCW0003675

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.210

Source Port: 61353
result Security.:856


Event for Win 7 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: volunteers

Domain: W7-VOLUNTE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: W7-VOLUNTE

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.195

Source Port: 0
result Security.


Event for Win XP machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: pos

Domain: POS

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: POS

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.240

Source Port: 0
result Security.
Asked by: btny

Aaron Tomosky commented:
Sounds like a backup script with old credentials

btny (author) commented:
That sounds plausible, but all of the login requests aren't coming from our backup appliance. The requests are coming from the backup appliance, a win 2003 server, and an xp machine. XP machine isn't even joined to the domain.

btny (author) commented:
We are still investigating where this came from

btny (author) commented:
It's possible, but we're pursuing this further with our backup service.
Question has a verified solution.
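
One way to test the fixed-schedule pattern described in this thread, as an added example that is not part of the original posts: parse alert bodies in the field layout shown in the question, group the NtLmSsp type 3 failures by source, and report sources whose failures always land on the same minute of a 12-hour cycle. The function names, the timestamps, and the `jsmith`/`LAPTOP7`/`192.168.5.50` entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def _alert(user, ws, ip):
    # Constructed alert body using the field names shown in the question.
    return (f"Reason: Unknown user name or bad password\nUser Name: {user}\n"
            f"Domain: {ws}\nLogon Type: 3\nLogon Process: NtLmSsp\n"
            f"Workstation Name: {ws}\nSource Network Address: {ip}\n")

# Constructed sample data. The timestamps are an assumption: the alert text on
# this page carries none, so they would come from the alerting tool or event log.
SAMPLE = [
    ("2013-05-01 23:35:02", _alert("volunteers", "W7-VOLUNTE", "192.168.5.195")),
    ("2013-05-02 11:35:04", _alert("volunteers", "W7-VOLUNTE", "192.168.5.195")),
    ("2013-05-04 23:35:01", _alert("pos", "POS", "192.168.5.240")),
    ("2013-05-05 23:35:03", _alert("pos", "POS", "192.168.5.240")),
    ("2013-05-05 14:02:17", _alert("jsmith", "LAPTOP7", "192.168.5.50")),
    ("2013-05-06 09:41:55", _alert("jsmith", "LAPTOP7", "192.168.5.50")),
]

def parse_alert(body):
    """Return the 'Name: value' lines of one alert body as a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def scheduled_sources(alerts, min_hits=2, tolerance_min=2, period_min=720):
    """Report sources whose NTLM network-logon failures always land on the
    same minute of a repeating period (default 12 h, i.e. 11:35 AM and PM)."""
    by_source = defaultdict(list)
    for stamp, body in alerts:
        f = parse_alert(body)
        if f.get("Logon Type") != "3" or f.get("Logon Process") != "NtLmSsp":
            continue
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (f.get("Source Network Address"), f.get("Workstation Name"),
               f.get("User Name"))
        by_source[key].append((t.hour * 60 + t.minute) % period_min)
    report = {}
    for key, slots in by_source.items():
        ref = slots[0]
        # Circular distance, so 11:59 and 00:01 count as two minutes apart.
        near = all(min(abs(s - ref), period_min - abs(s - ref)) <= tolerance_min
                   for s in slots)
        if len(slots) >= min_hits and near:
            report[key] = f"{ref // 60:02d}:{ref % 60:02d}"
    return report

if __name__ == "__main__":
    for source, slot in scheduled_sources(SAMPLE).items():
        print(source, "fails on a schedule at", slot, "(12-hour clock)")
```

A source that shows up in the report is failing on a timer rather than at a keyboard, which narrows the search on that machine to whatever runs at that minute with stored credentials.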
