Solved

18,000+ logon failures in 4 minutes

Posted on 2014-04-25
Last Modified: 2014-05-01
We saw 18,929 logon failures between 0850 and 0854 on one of the servers we manage. The odd thing is that there is no information in any of the event logs as to source, user, or anything else that we might be able to use to track it down. Here is the event in question:

System
  Provider
    Name: Microsoft-Windows-Security-Auditing
    Guid: {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID: 4625
  Version: 0
  Level: 0
  Task: 12544
  Opcode: 0
  Keywords: 0x8010000000000000
  TimeCreated
    SystemTime: 2014-04-24T14:53:51.637409500Z
  EventRecordID: 40321479
  Correlation
  Execution
    ProcessID: 588
    ThreadID: 15388
  Channel: Security
  Computer: svrmain12.srm.local
  Security

EventData
  SubjectUserSid: S-1-0-0
  SubjectUserName: -
  SubjectDomainName: -
  SubjectLogonId: 0x0
  TargetUserSid: S-1-0-0
  TargetUserName: (empty)
  TargetDomainName: SRM
  Status: 0xc000006d
  FailureReason: %%2313
  SubStatus: 0xc0000064
  LogonType: 3
  LogonProcessName: NtLmSsp
  AuthenticationPackageName: NTLM
  WorkstationName: (empty)
  TransmittedServices: -
  LmPackageName: -
  KeyLength: 0
  ProcessId: 0x0
  ProcessName: -
  IpAddress: -
  IpPort: -


Any help would be appreciated as these are flooding our event logs and with the limited information we cannot tell if it is an attack or a failing service.

The server is a Windows Server 2008 R2 Enterprise with Service Pack 1.
Question by:MrKnight
11 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40023044
It's a logon type 3, so it could be that it has something to do with shares/printers ... Did you recently change account names/passwords, maybe renamed the admin account?

SubStatus 0xc0000064 means that the username doesn't exist...

Seeing so many it could be a script trying to login with a no longer existing user or someone is trying a brute-force attack ... But check the obvious things first...
 
LVL 26

Expert Comment

by:pony10us
ID: 40023065
From what you have provided it does look like it is from the inside as spravtek states.

Did someone get removed from AD just prior to the entries?
 

Author Comment

by:MrKnight
ID: 40023166
I just heard back from an onsite tech that they had a volunteer that connected a computer from the VA. I'm going to keep a close eye on it and see if the same happens again when the VA computer is gone.

I'm not sure that it is the cause but the time frame was right. The reason I'm not sure is the VA computer was in the logs before and was actually reporting user and computer names in the logs.
 
LVL 10

Expert Comment

by:tmoore1962
ID: 40023237
Are there any scheduled tasks running at that time for any application? It may be a task that is using expired credentials and just keeps trying until it times out, since it happens at a specific time.
 
LVL 24

Expert Comment

by:SunBow
ID: 40023602
My initial reaction was similar to others above, with wonder at the lack of detail in the event log. My suspect would be first a privileged server ID for an application, possibly upgraded, needing its password changed or the like, then to check on scheduled processes, AD changes and so on.

But the update you provide seems the better clue. New user tries something, fails, then gives up trying - for now. If so then it probably will not recur for a while, such as for the same time frame tomorrow. The potential remains for you don't know what, so I recommend further pursuit to identify, so policy can be enabled to address it.

If we continue that line, the person should just be asked about it, but as you do not know them, it looks like answers can be derived (or confirmed) by examining their device. I'd next review their event log remotely and continue from there, such as a review of services that may be stopped but restarted upon reboot, and what can be found in their event log. They may have an application trying to update itself which may still have some residence in a running task, so review that as well.
 
LVL 24

Expert Comment

by:SunBow
ID: 40023611
> failures between 0850 and 0854

While the quantity of failures reflects automatic process, the time elapse of four minutes is indicative more of a human frustrated with noticeable failures, error conditions.
 

Author Comment

by:MrKnight
ID: 40023738
I just checked the event logs for this morning and I'm seeing the same type of event recorded. Aside from time it is a copy of the above Event. Today it is about 2000 of them spread out from about 0843 to 0905.

I also checked the Application logs and System logs for a corresponding event and time frame, but nothing else is more than a minute or two off and has repeats throughout the day, such as Exchange ADAccess events. There are also not any scheduled tasks for those times that I can see.
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40024265
Yeah, will be interesting tracking it down ...

Some things to check:

- If IIS is active on this server you could try disabling the loopback check, though I doubt it still pertains to SP1: https://support.microsoft.com/kb/926642

- https://support.microsoft.com/kb/2548120

- https://support.microsoft.com/kb/2549079

I'll have another look later to see if I have any fresh ideas :)
 
LVL 24

Accepted Solution

by:SunBow (earned 500 total points)
ID: 40027738
The time frame again indicates human access to an automated process rather than an automatic process on a schedule. This may be more of a determined effort for one to succeed, or a repeat from more stations at the beginning of the work day/week, so checking login times of users can help derive it.

Also recheck application policy and usage updates for changes, and their usage of platforms, specifically for proportion of portables.

I recall a situation where an application using something like Oracle only affected laptops, not desktops, inside the firewall etc. - direct connect. It was initially reported as longer login times. It was found that the timer for login validation was too short for the platform, and the application would continue on automatically in the background with attempts even though there was no issue such as for valid login/password/connection. Possibly a review of the latest customer support requests could help to isolate it.

Possibly, for client/server app, the server got initial load of traffic it could not handle well, but eventually caught up with demand - of the human. This is supported by your having ten times frequency last week and an apparent delay for it recurring this week.
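Added example for this thread (not code from the question or from any of the answers): a PowerShell script, usable on the Server 2008 R2 / PowerShell 2.0 box in the question, that pulls the 4625 burst from the Security log and summarizes the three things the discussion turns on. It decodes Status/SubStatus (Zephyr ICT's point that 0xc0000064 is "user name does not exist"), shows how little the events carry about the source (the empty TargetUserName/WorkstationName and the "-" IpAddress in the posted event), and measures how the failures are spaced in time (SunBow's argument that the shape of the four-minute window says human activity rather than a scheduled job). The server name and the time window are assumptions taken from the posted event, and the SubStatus table is an assumption based on Microsoft's documented NTSTATUS values for event 4625.

```powershell
# Added example for this thread (not code from the question or any of the answers).
# Pulls the 4625 burst from the Security log and summarizes: what Status/SubStatus say,
# how much (or little) the events carry about the source, and how the failures are
# spaced in time. Assumptions: the server name and window below (from the posted event)
# and the SubStatus table (Microsoft's documented NTSTATUS values for 4625).
param(
    [string]$ComputerName = 'svrmain12.srm.local',  # from the posted event; pass '' to read the local log
    [datetime]$Start = '2014-04-24 08:50:00',        # window named in the question (local time)
    [datetime]$End   = '2014-04-24 08:55:00'
)

# SubStatus values commonly seen in 4625; 0xc0000064 is the one in the question.
$subStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password for a valid user name'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside permitted hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000193' = 'account expired'
    '0xc0000071' = 'password expired'
    '0xc0000224' = 'password change required at next logon'
}

# Filter on log, event id and time window inside the event log service; this is far
# cheaper than reading the whole Security log and piping it through Where-Object.
$query = @{
    FilterHashtable = @{ LogName = 'Security'; Id = 4625; StartTime = $Start; EndTime = $End }
    ErrorAction     = 'SilentlyContinue'   # Get-WinEvent errors when nothing matches
}
if ($ComputerName) { $query.ComputerName = $ComputerName }
$events = @(Get-WinEvent @query | Sort-Object TimeCreated)   # oldest first
if ($events.Count -eq 0) { "No 4625 events between $Start and $End."; return }

# Flatten each event's <Data Name="..."> elements into a row; blank or '-' becomes '(none)'
# so the empty TargetUserName/WorkstationName and '-' IpAddress of the question stand out.
function Get-Field($table, $name) {
    $v = $table[$name]
    if ($v -and $v -ne '-') { return $v }
    return '(none)'
}
$rows = @(foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Minute      = $e.TimeCreated.ToString('HH:mm')
        TargetUser  = Get-Field $data 'TargetUserName'
        LogonType   = Get-Field $data 'LogonType'
        AuthPackage = Get-Field $data 'AuthenticationPackageName'
        Status      = (Get-Field $data 'Status').ToLower()
        SubStatus   = (Get-Field $data 'SubStatus').ToLower()
        Source      = Get-Field $data 'IpAddress'
        Workstation = Get-Field $data 'WorkstationName'
    }
})

$span = ($rows[-1].Time - $rows[0].Time).TotalSeconds
"{0} failures on {1} from {2:HH:mm:ss} to {3:HH:mm:ss} ({4:N1} s)" -f $rows.Count, $events[0].MachineName, $rows[0].Time, $rows[-1].Time, $span
if ($span -gt 0) { "average rate {0:N1} failures/second" -f ($rows.Count / $span) }

"`nWhat the events say (one row per distinct combination):"
$rows | Group-Object Status, SubStatus, LogonType, AuthPackage, TargetUser, Source, Workstation |
    Sort-Object Count -Descending | ForEach-Object {
        $first = $_.Group[0]
        $meaning = 'not in table'
        if ($subStatusText.ContainsKey($first.SubStatus)) { $meaning = $subStatusText[$first.SubStatus] }
        New-Object PSObject -Property @{
            Count = $_.Count; SubStatus = $first.SubStatus; Meaning = $meaning
            LogonType = $first.LogonType; Auth = $first.AuthPackage
            TargetUser = $first.TargetUser; Source = $first.Source; Workstation = $first.Workstation
        }
    } | Format-Table Count, SubStatus, Meaning, LogonType, Auth, TargetUser, Source, Workstation -AutoSize

"`nFailures per minute (a flat count points at a loop, a ramp at people arriving):"
$rows | Group-Object Minute | Sort-Object Name | Format-Table Name, Count -AutoSize

# Gaps between consecutive failures: a loop leaves a tight, nearly constant gap;
# a person retrying, or a timeout-driven retry, leaves a ragged one.
$gaps = @(for ($i = 1; $i -lt $rows.Count; $i++) { ($rows[$i].Time - $rows[$i - 1].Time).TotalSeconds })
if ($gaps.Count -gt 0) {
    $sorted = @($gaps | Sort-Object)
    $m = $gaps | Measure-Object -Minimum -Maximum -Average
    $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
    $fmt = "`nGap between consecutive failures (s): min {0:N3}  median {1:N3}  mean {2:N3}  max {3:N3}"
    $fmt -f $m.Minimum, $median, $m.Average, $m.Maximum
}
```

Run it on the server itself with an empty -ComputerName (remote collection needs the Remote Event Log Management firewall rule) and a window a few minutes either side of the burst. For the event in the question every source field is blank, so the breakdown table collapses to a single row and the timing figures are the only signal left in the log: 18,929 failures in four minutes is roughly 79 per second, and a steady millisecond-scale gap at that rate is a process in a loop, whereas a ragged gap distribution spread over 20 minutes, like the second morning's 2000 events, fits retries driven by timeouts or a person. To recover the client name that NTLM failures of this kind leave out, the Netlogon debug log on the domain controller that validates the request (enabled with `nltest /dbflag:0x2080ffff`, written to %windir%\debug\netlogon.log, disabled again with `nltest /dbflag:0x0`) records the workstation each pass-through logon came from.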
 

Author Closing Comment

by:MrKnight
ID: 40035463
Based on what we were seeing on the server and the fact that we have not had a re-occurrence since the VA controlled computer was removed from the site, I'm pretty sure it was caused by that system. The VA had it locked down so we could not even look at the security/application settings, but the time frame it was connected is also pretty close to the time frame that the failures were being logged.

Thanks for all of your help and suggestions from everyone who gave input on this issue.
 
LVL 24

Expert Comment

by:SunBow
ID: 40036051
Thanks, and Good Fortune!


[not so nice another wants to access yours, presumably w/o completing your internal security safeguard review (a volunteer)/(logon) while protecting (hiding) their own (stuff/activity). There can be workarounds for some of that, but ever nice to achieve desired resolution]
