• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 738
  • Last Modified:

18,000+ logon failures in 4 minutes

We saw 18,929 logon failures between 0850 and 0854 on one of the servers we manage. The odd this is that there is no information in any of the even logs as to source, user, or anything else that we might be able to use to track it down. Here is the event in question:

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
   EventID 4625
   Version 0
   Level 0
   Task 12544
   Opcode 0
   Keywords 0x8010000000000000
  - TimeCreated

   [ SystemTime]  2014-04-24T14:53:51.637409500Z
   EventRecordID 40321479
  - Execution

   [ ProcessID]  588
   [ ThreadID]  15388
   Channel Security
   Computer svrmain12.srm.local

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetDomainName SRM
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress -
  IpPort -

Any help would be appreciated as these are flooding out event logs and with the limited information we cannot tell if it is an attack or a failing service.

The server is a Windows Server 2008 R2 Enterprise with Service pack 1
  • 4
  • 3
  • 2
  • +2
1 Solution
Zephyr ICTCloud ArchitectCommented:
It's a logon type 3, so it could be that it has something to do with shares/printers ... Did you recently change account names/passwords maybe renamed the admin account??

SubStatus 0xc0000064  means that the username doesn't exist...

Seeing so many it could be a script trying to login with a no longer existing user or someone is trying a brute-force attack ... But check the obvious things first...
From what you have provided it does look like it is from the inside as spravtek states.

Did someone get removed from AD just prior to the entries?
MrKnightPresidentAuthor Commented:
I just heard back from an onsite tech that they had a volunteer that connected a computer from the VA. I'm going to keep a close eye on it and see if the same happens again when the VA computer is gone.

I'm not sure that it is the cause but the time frame was right. The reason I'm not sure is the VA computer was in the logs before and was actually reporting user and computer names in the logs.
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Is there any scheduled tasks running at that time for any application may be a task that is using expire credentials and just keeps trying until it times out, since it happens at a specific time.
My initial reaction was similar to others above, with wonder on lack in event log, my suspect would be first a privileged server ID for application, possibly upgraded, needing password changed or the like, then to check on scheduled processes, AD changes and on..

But the update seems you provide the better clue. New user tries something, fails, then gives up trying - for now. If so then it probably will not recur for awhile, such as for same time frame tomorrow. The potential remains for you don't know what, so I recommend further pursuit to identify so policy can be enabled to address.

If we continue that line, the person should just be asked about it, but as you do not know them, it looks like answers can be derived (or confirmed) by examining their device. I'd next review their event log remotely and continue from there., such as review of services that may be stopped, but restarted upon reboot and what can found in their event log. They may have application trying to update itself which may still have some residence in a running task, so review that as well..
> failures between 0850 and 0854

While the quantity of failures reflects automatic process, the time elapse of four minutes is indicative more of a human frustrated with noticeable failures, error conditions.
MrKnightPresidentAuthor Commented:
I just checked the event logs fro this morning and I'm seeing the same type of event recorded. Aside from time it is a copy of the above Event. Today it is about 2000 of them spread out from about 0843 to 0905.

I also checked the Application logs and System logs for a corresponding event and time frame but nothing else is more than a minute or two off and has repeats through out the day, such as Exchange ADAccess events. There are also not any scheduled tasks for those times that I can see.
Zephyr ICTCloud ArchitectCommented:
Yeah, will be interesting tracking it down ...

Some things to check:

- If IIS is active on this server you could try disabling the loopback check, though I doubt it still pertains to SP1: https://support.microsoft.com/kb/926642

- https://support.microsoft.com/kb/2548120

- https://support.microsoft.com/kb/2549079

I'll have another look later to see if I have any fresh ideas :)
The time frame again indicates human access to automated process rather than automatic process on a schedule. This may be more of a determined effort for one to succeed, or a repeat of more stations, begin of work day/week, so checking login times of users can help derive.

Also recheck application policy and usage updates for changes, and their usage of platforms, specifically for proportion of portables.

I recall situation where application using something like oracle that only affected laptops, not desktops, inside firewall etc. - direct connect. It was initially reported as longer login times. It was found that the timer for login validation was too short for platform, and application would continue on automatically in the background with attempts even though there was no issue such as for valid login/password/connection. Possibly a review of latest customer support requests could help to isolate.

Possibly, for client/server app, the server got initial load of traffic it could not handle well, but eventually caught up with demand - of the human. This is supported by your having ten times frequency last week and an apparent delay for it recurring this week.
MrKnightPresidentAuthor Commented:
Based on what we were seeing on the server and the fact that we have not had a re-occurrence since the VA controlled computer was removed from the site, I'm pretty sure it was caused by that system. The VA had it locked down so we could not even look at the security/application settings, but the time frame it was connected is also pretty close to the time frame that the failures were being logged.

Thanks for all of your help and suggestions from everyone who gave input on this issue.
Thanx, and                               Good Fortune !

[not so nice another wants to access yours, presumably w/o completing your internal security safeguard review (a volunteer)/(logon) while protecting (hiding) their own (stuff/activity). There can be workarounds for some of that, but ever nice to achieve desired resolution]

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now