Solved

Tracking down source of Event ID:  4625 on Windows 2008R2 server

Posted on 2014-07-11
Medium Priority
18,102 Views
Last Modified: 2014-07-21
Hello experts,
I have several entries in my Security logs of a hacking attempt. Initially I thought it may be an OWA brute force attack. There is nothing in the IIS logs that correlates to this timestamp, and the Logon Process is NtLmSsp rather than Advapi. Any advice on how to track the source of this hack attempt would be greatly appreciated. Attached is the logged event.


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/10/2014 3:00:35 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      EXCH2.foo.com
Description:
An account failed to log on.

Subject:
                Security ID:                         NULL SID
                Account Name:                 -
                Account Domain:                             -
                Logon ID:                             0x0

Logon Type:                                       3

Account For Which Logon Failed:
                Security ID:                         NULL SID
                Account Name:                 !
                Account Domain:                             #$%^@foo.com

Failure Information:
                Failure Reason:                 Unknown user name or bad password.
                Status:                                  0xc000006d
                Sub Status:                         0xc0000064

Process Information:
                Caller Process ID:             0x0
                Caller Process Name:     -

Network Information:
                Workstation Name:        ASMIRCRACKER1
                Source Network Address:            -
                Source Port:                       -

Detailed Authentication Information:
                Logon Process:                  NtLmSsp
                Authentication Package:               NTLM
                Transited Services:          -
                Package Name (NTLM only):       -
                Key Length:                        0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-10T22:00:35.823496200Z" />
    <EventRecordID>57526864</EventRecordID>
    <Correlation />
    <Execution ProcessID="552" ThreadID="620" />
    <Channel>Security</Channel>
    <Computer>EXCH2.foo.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">!</Data>
    <Data Name="TargetDomainName">#$%^@foo.com</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">ASMIRCRACKER1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
Question by:sreynolds27
6 Comments
 
LVL 15

Expert Comment

by:joharder
ID: 40192551
Looks like that's a known MS issue with a hotfix:  http://support.microsoft.com/kb/2157973.
 

Author Comment

by:sreynolds27
ID: 40192573
Doubtful as we're not using smart cards, different login process too among other things. Thanks for your suggestion though.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 40193978
Here are the important parts of that message:
Account For Which Logon Failed:
                 Security ID:                         NULL SID
                 Account Name:                 !
                 Account Domain:                             #$%^@foo.com

 Failure Information:
                 Failure Reason:                 Unknown user name or bad password.
                 Status:                                  0xc000006d
                 Sub Status:                         0xc0000064

 Process Information:
                 Caller Process ID:             0x0
                 Caller Process Name:     -

 Network Information:
                 Workstation Name:        ASMIRCRACKER1
                 Source Network Address:            -
                 Source Port:                       -

Is this valid information or did you change it for posting purposes:
                 Account Name:                 !
                 Account Domain:                             #$%^@foo.com

If it is a valid domain and user account that you know must be on your network, then most likely there is a password saved on the PC named: ASMIRCRACKER1

Logon to the computer and check the event logs and any saved passwords

Author Comment

by:sreynolds27
ID: 40195039
Only the domain suffix has been changed in the post. The workstation name does not exist on our network, well at least it shouldn't! Which is exactly why I'm trying to track down the source address.
Anyone?
 
LVL 26

Accepted Solution

by:
Leon Fester earned 1500 total points
ID: 40196388
The workstation name does not exist on our network,  well at least it shouldn't!
Can you discount the fact that somebody may have brought a 'rogue' device onto your network? i.e. a personal laptop or other device that was connected to your network? What about virtual machines? Somebody could have created a local VM that is failing.

Your question heading is then a little misleading. The way it reads, you're looking for the application that is trying to authenticate on the Exchange Server.

While what you're looking for is the actual computer?

If it's a local network 'attack' then I would suggest running wireshark or netmon on your LAN so that you can capture more data about this workstation. A full network scan might also work, but then you'd need that workstation to be on.

If you think it's a direct OWA connection then you should see something on your firewall logs. Did you check those logs?

The bottom line is that this event is only telling you that an authentication request failed due to a bad username/password. It is not an indication that your system is under attack.

If you cannot find that workstation then there is nothing else from a LAN management perspective that you can do to stop this message from being logged, except to disable auditing... which I would never recommend on a production system.
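Added example, not code from the original thread or from either poster. It works through the point made in the question and in the accepted solution above: a 4625 with Logon Process NtLmSsp, Logon Type 3 and a "-" in Source Network Address gives you only a client-supplied workstation name to go on, while the same event with an IpAddress can be chased directly. The script parses 4625 events in the Event XML form shown in the question (what Event Viewer's "Copy details" or `Get-WinEvent`'s `ToXml()` produce), decodes the NTSTATUS codes into their well-known names, and groups failures by (workstation, source address, reason). The three sample events are constructed: the first two reuse the fields from the question, and the host `WS-FINANCE07`, the user `jsmith` and the address `10.1.20.44` are made up for contrast.

```python
"""Triage of Windows Security event 4625 (An account failed to log on).

Added example (not from the original thread). Parses 4625 events in the
Event XML form shown in the question, decodes Status/SubStatus, and groups
failures so that NTLM network logons with no source address stand out.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from string import Template

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NTSTATUS values found in the Status and SubStatus fields of 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",     # generic: unknown user name or bad password
    0xC0000064: "STATUS_NO_SUCH_USER",      # the user name does not exist
    0xC000006A: "STATUS_WRONG_PASSWORD",    # the user exists, the password is wrong
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
}

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event as a dict, with decoded codes."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 4625:
        raise ValueError("expected event 4625, got %d" % event_id)
    ev = {d.get("Name"): (d.text or "").strip()      # strip: "NtLmSsp " carries a space
          for d in root.findall("e:EventData/e:Data", NS)}
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    ev["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    for key in ("Status", "SubStatus"):
        code = int(ev[key], 16)
        ev[key + "Text"] = NTSTATUS.get(code, "unknown 0x%08X" % code)
    ev["HasSourceAddress"] = ev.get("IpAddress", "-") not in ("-", "")  # "-" = none logged
    return ev

def classify(ev):
    """Label one parsed event by whether the source can be traced from the event alone."""
    ntlm_network = ev["LogonType"] == "3" and ev["LogonProcessName"] == "NtLmSsp"
    if ntlm_network and not ev["HasSourceAddress"]:
        # The workstation name is supplied by the client in the NTLM AUTHENTICATE
        # message, so with no IpAddress it is the only lead and cannot be trusted;
        # a packet capture or firewall log is needed to find the real host.
        return "ntlm-network-no-source-ip"
    if ntlm_network:
        return "ntlm-network-traceable"
    return "other"

def summarize(xml_events):
    """Count failures per (WorkstationName, IpAddress, SubStatusText, label)."""
    counts = Counter()
    for xml_text in xml_events:
        ev = parse_4625(xml_text)
        counts[(ev["WorkstationName"], ev["IpAddress"], ev["SubStatusText"], classify(ev))] += 1
    return counts

# Template mirroring the Event XML in the question; only the varying fields are parameters.
EVENT_TEMPLATE = Template("""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="$time" /><EventRecordID>$rec</EventRecordID>
    <Correlation /><Execution ProcessID="552" ThreadID="620" /><Channel>Security</Channel>
    <Computer>EXCH2.foo.com</Computer><Security /></System>
  <EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data><Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName">$user</Data>
    <Data Name="TargetDomainName">$domain</Data><Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data><Data Name="SubStatus">$sub</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">$ws</Data>
    <Data Name="TransmittedServices">-</Data><Data Name="LmPackageName">-</Data><Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data><Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">$ip</Data><Data Name="IpPort">$port</Data></EventData>
</Event>""")

# Constructed sample input: two events like the one in the question, one traceable contrast.
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.substitute(time="2014-07-10T22:00:35.823496200Z", rec="57526864", user="!",
                              domain="#$%^@foo.com", sub="0xc0000064", ws="ASMIRCRACKER1", ip="-", port="-"),
    EVENT_TEMPLATE.substitute(time="2014-07-10T22:00:36.101000000Z", rec="57526865", user="admin",
                              domain="#$%^@foo.com", sub="0xc0000064", ws="ASMIRCRACKER1", ip="-", port="-"),
    EVENT_TEMPLATE.substitute(time="2014-07-10T22:01:02.000000000Z", rec="57526870", user="jsmith",
                              domain="FOO", sub="0xc000006a", ws="WS-FINANCE07", ip="10.1.20.44", port="49213"),
]

if __name__ == "__main__":
    for (ws, ip, why, label), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print("%-15s %-12s %-24s %-27s %d" % (ws, ip, why, label, n))
```

To run this against a live 2008 R2 server, export the events with `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}) | ForEach-Object { $_.ToXml() }` and feed each string to `parse_4625`. Events that land in the `ntlm-network-no-source-ip` bucket are the ones this thread is about: the workstation name is whatever the client put in its NTLM authenticate message, so correlating the `TimeCreated` value with a capture or firewall log, as the accepted solution suggests, is the only way to get a real address.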
 

Author Comment

by:sreynolds27
ID: 40210182
Hi Leon
I'm leaning towards the rogue device on the network, as I haven't found anything in the firewall logs with a timestamp that correlates to the security logs. Whatever the device was, there have been no more occurrences since my initial post.