18,000+ logon failures in 4 minutes

Posted on 2014-04-25
Medium Priority
Last Modified: 2014-05-01
We saw 18,929 logon failures between 0850 and 0854 on one of the servers we manage. The odd thing is that there is no information in any of the event logs as to source, user, or anything else that we might be able to use to track it down. Here is the event in question:

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
   EventID 4625
   Version 0
   Level 0
   Task 12544
   Opcode 0
   Keywords 0x8010000000000000
  - TimeCreated

   [ SystemTime]  2014-04-24T14:53:51.637409500Z
   EventRecordID 40321479
  - Execution

   [ ProcessID]  588
   [ ThreadID]  15388
   Channel Security
   Computer svrmain12.srm.local

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetDomainName SRM
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress -
  IpPort -

Any help would be appreciated as these are flooding our event logs and with the limited information we cannot tell if it is an attack or a failing service.

The server is a Windows Server 2008 R2 Enterprise with Service Pack 1.
Question by:MrKnight
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40023044
It's a logon type 3, so it could be that it has something to do with shares/printers ... Did you recently change account names/passwords maybe renamed the admin account??

SubStatus 0xc0000064 means that the username doesn't exist...

Seeing so many it could be a script trying to login with a no longer existing user or someone is trying a brute-force attack ... But check the obvious things first...
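An added example (not code from the thread) of how to pull the 4625 records for the window in question and bucket them by minute and by target user, workstation, address and decoded SubStatus; it assumes an elevated PowerShell session on the affected server and that the event XML carries the usual 4625 EventData field names.

```powershell
# Added example (not from the thread): summarise Security event 4625 over a time window
# so a burst like the one above can be bucketed by minute and by source.
# Assumed: run in an elevated PowerShell on the affected server (Get-WinEvent is in PS 2.0+).
param(
    [datetime]$Start = (Get-Date).Date.AddHours(8).AddMinutes(45),   # 08:45 today
    [datetime]$End   = (Get-Date).Date.AddHours(9).AddMinutes(10)    # 09:10 today
)

# Common 4625 SubStatus codes (NTSTATUS values; 0xc0000064 is the one in the thread).
$reasons = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000071' = 'password expired'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each record's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $sub = ("" + $d['SubStatus']).ToLower()
    $reason = if ($reasons.ContainsKey($sub)) { $reasons[$sub] } else { $sub }
    New-Object PSObject -Property @{
        Minute      = $e.TimeCreated.ToString('HH:mm')
        TargetUser  = $d['TargetUserName']
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
        LogonType   = $d['LogonType']
        Reason      = $reason
    }
}

"Total 4625 events between $Start and $End : $(@($rows).Count)"

# A tight spike (thousands in a few minutes) reads differently from a trickle all day.
"Failures per minute:"
$rows | Group-Object Minute | Sort-Object Name | Format-Table Name, Count -AutoSize

# Group by who/where/why. Blank IpAddress and WorkstationName, as in the thread's event,
# still leave TargetUserName, LogonType and the decoded SubStatus to narrow the source.
"Top sources:"
$rows | Group-Object TargetUser, Workstation, IpAddress, LogonType, Reason |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it once for the spike window and once for a quiet window on the same server to see whether the failing target user or workstation only shows up during the burst.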
LVL 26

Expert Comment

ID: 40023065
From what you have provided it does look like it is from the inside as spravtek states.

Did someone get removed from AD just prior to the entries?

Author Comment

ID: 40023166
I just heard back from an onsite tech that they had a volunteer that connected a computer from the VA. I'm going to keep a close eye on it and see if the same happens again when the VA computer is gone.

I'm not sure that it is the cause but the time frame was right. The reason I'm not sure is the VA computer was in the logs before and was actually reporting user and computer names in the logs.

LVL 10

Expert Comment

ID: 40023237
Are there any scheduled tasks running at that time for any application? Maybe a task that is using expired credentials and just keeps trying until it times out, since it happens at a specific time.
LVL 24

Expert Comment

ID: 40023602
My initial reaction was similar to others above, with wonder on lack in event log, my suspect would be first a privileged server ID for application, possibly upgraded, needing password changed or the like, then to check on scheduled processes, AD changes and on..

But the update seems to provide the better clue. New user tries something, fails, then gives up trying - for now. If so then it probably will not recur for a while, such as for the same time frame tomorrow. The potential remains for you don't know what, so I recommend further pursuit to identify so policy can be enabled to address.

If we continue that line, the person should just be asked about it, but as you do not know them, it looks like answers can be derived (or confirmed) by examining their device. I'd next review their event log remotely and continue from there, such as review of services that may be stopped, but restarted upon reboot and what can be found in their event log. They may have an application trying to update itself which may still have some residence in a running task, so review that as well.
LVL 24

Expert Comment

ID: 40023611
> failures between 0850 and 0854

While the quantity of failures reflects an automatic process, the elapsed time of four minutes is indicative more of a human frustrated with noticeable failures, error conditions.

Author Comment

ID: 40023738
I just checked the event logs for this morning and I'm seeing the same type of event recorded. Aside from time it is a copy of the above Event. Today it is about 2000 of them spread out from about 0843 to 0905.

I also checked the Application logs and System logs for a corresponding event and time frame but nothing else is more than a minute or two off and has repeats throughout the day, such as Exchange ADAccess events. There are also no scheduled tasks for those times that I can see.
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40024265
Yeah, will be interesting tracking it down ...

Some things to check:

- If IIS is active on this server you could try disabling the loopback check, though I doubt it still pertains to SP1: https://support.microsoft.com/kb/926642

- https://support.microsoft.com/kb/2548120

- https://support.microsoft.com/kb/2549079

I'll have another look later to see if I have any fresh ideas :)
LVL 24

Accepted Solution

SunBow earned 1500 total points
ID: 40027738
The time frame again indicates human access to automated process rather than automatic process on a schedule. This may be more of a determined effort for one to succeed, or a repeat of more stations, begin of work day/week, so checking login times of users can help derive.

Also recheck application policy and usage updates for changes, and their usage of platforms, specifically for proportion of portables.

I recall a situation where an application using something like Oracle only affected laptops, not desktops, inside firewall etc. - direct connect. It was initially reported as longer login times. It was found that the timer for login validation was too short for the platform, and the application would continue on automatically in the background with attempts even though there was no issue such as for valid login/password/connection. Possibly a review of latest customer support requests could help to isolate.

Possibly, for client/server app, the server got initial load of traffic it could not handle well, but eventually caught up with demand - of the human. This is supported by your having ten times frequency last week and an apparent delay for it recurring this week.

Author Closing Comment

ID: 40035463
Based on what we were seeing on the server and the fact that we have not had a re-occurrence since the VA controlled computer was removed from the site, I'm pretty sure it was caused by that system. The VA had it locked down so we could not even look at the security/application settings, but the time frame it was connected is also pretty close to the time frame that the failures were being logged.

Thanks for all of your help and suggestions from everyone who gave input on this issue.
LVL 24

Expert Comment

ID: 40036051
Thanx, and Good Fortune!

[not so nice another wants to access yours, presumably w/o completing your internal security safeguard review (a volunteer)/(logon) while protecting (hiding) their own (stuff/activity). There can be workarounds for some of that, but ever nice to achieve desired resolution]
