Solved

Getting EventID 4625 logon failures

Posted on 2016-10-29
Last Modified: 2016-11-26
For the last two days one of our Citrix servers has been getting 4625 logon failures. They are happening 3 times every minute. The logon names are all random: Mohamed, Betty, Sally, etc.

We have a 2nd Citrix server and it is not getting these. The server that is getting them is a Hyper-V VM.

How do I stop these?

audit failure
0
Question by:J.R. Sitman
18 Comments
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41865233
To locate the attacker, download a copy of Microsoft TCPView and run it on the system being attacked.  Since the victim is being attacked every 20 seconds, after a few minutes it should be obvious where the attack is coming from.

If it is coming from within your LAN, locate the system currently on the attacking IP address, unplug it from the network and restore it from a clean backup.

If it is coming from outside your LAN, block the offending IP block (at least to the /24 level) at the firewall.

TCP View
0
 

Author Comment

by:J.R. Sitman
ID: 41865238
I have it running, but I don't know what I'm looking for.

tcpview
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 1000 total points
ID: 41865261
Select one of the items, highlighting it.
Then right-click and select WhoIs.
Read the result.

I would practice doing this as there's lots of information and reading a number of results should help you understand what you're seeing.
0
 

Author Comment

by:J.R. Sitman
ID: 41865264
Thanks.
0
 

Author Comment

by:J.R. Sitman
ID: 41865268
I clicked on several and most of them state this.

whois
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 1000 total points
ID: 41865296
Can you highlight a few of those so one might see which ones do this?  It sounds like a local host but...
Not exactly to the point but this may be of some help:
http://www.watchingthenet.com/how-to-identify-unknown-network-connections-in-windows.html
Here's another:
http://www.abuseat.org/advanced.html
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41865315
Going back to the image you posted originally, there is no information in the source network address field.

Are you sure that the system is being attacked over the network?  It might have been infected and the infection may be using an internal connection to attack.
0
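One way to apply the point above about the empty source network address field to the whole log rather than a single screenshot, as an added example that is not part of this thread: constructed 4625 events in the Windows event XML schema are parsed and tallied by source-address class, target account and logon type/process, so a run of failures with no source address (or a loopback source) points at a process on the box rather than at the network. The sample events, the `CITRIXVM_2012` workstation name and the thresholds are assumptions; on a real server the same functions can be fed the XML from `Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625}` via each record's `.ToXml()`.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ipaddress import ip_address, ip_network

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("TargetUserName", "LogonType", "IpAddress", "WorkstationName", "ProcessName")
# RFC 1918 ranges; anything routable outside these is treated as external.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _sample_4625(user, ip, logon_type, proc):
    # Constructed 4625 event in the Windows event XML schema (sample data, not a capture).
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in
                   zip(FIELDS, (user, logon_type, ip, "CITRIXVM_2012", proc)))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed: three with no source address, one loopback, one external
    _sample_4625("Mohamed", "-", "3", "-"),
    _sample_4625("Betty", "-", "3", "-"),
    _sample_4625("Sally", "127.0.0.1", "3", "-"),
    _sample_4625("CitrixVM_2012", "-", "2", "C:\\Windows\\System32\\svchost.exe"),
    _sample_4625("admin", "203.0.113.7", "10", "C:\\Windows\\System32\\winlogon.exe"),
]

def parse_4625(xml_text):
    """Return the EventData Name->value pairs of one 4625 event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind(".//e:EventData/e:Data", NS)}

def classify_source(ip):
    """Bucket the IpAddress field: no address at all, loopback, LAN or external."""
    if ip in ("", "-"):
        return "no-source-address"
    try:
        addr = ip_address(ip)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    return "lan" if any(addr in net for net in LAN_NETS) else "external"

def summarize(xml_events):
    sources, users, procs = Counter(), Counter(), Counter()
    for ev in map(parse_4625, xml_events):
        sources[classify_source(ev.get("IpAddress", ""))] += 1
        users[ev.get("TargetUserName", "")] += 1
        procs[(ev.get("LogonType", ""), ev.get("ProcessName", ""))] += 1
    return {"sources": dict(sources), "users": dict(users), "by_type_process": dict(procs)}

def verdict(summary):
    """Assumed rule of thumb: >= 80% of failures with no/loopback source means a local process."""
    total = sum(summary["sources"].values())
    local = summary["sources"].get("no-source-address", 0) + summary["sources"].get("loopback", 0)
    return "likely local process" if total and local / total >= 0.8 else "likely network source"
```

The `by_type_process` tally is the part worth reading next: logon type 2 or 3 failures attributed to a specific local executable name the process to investigate.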
 

Author Comment

by:J.R. Sitman
ID: 41865370
No, I'm not sure. I ran a virus scan this morning and nothing was found.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41865411
I would also run Malwarebytes as a good and additional starting point...
0
 

Author Comment

by:J.R. Sitman
ID: 41865412
Doing that already. Thanks.
0
 

Author Comment

by:J.R. Sitman
ID: 41866237
No solution found as of this post. Still getting 4625 audit failures every 20 seconds.
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41866423
You may need to try this after hours.

Unplug it from the network, let it sit for five minutes, and plug it back in.  See if the attacks stopped for that period.  If they did, the attack is probably external.  If they did not, the attack is definitely internal.
0
 

Author Comment

by:J.R. Sitman
ID: 41866940
It is a virtual server. How would I disconnect it? Change the network connection to "not connected"?
0
 

Author Comment

by:J.R. Sitman
ID: 41867756
I took it offline. The errors continued, except the Account Name was always the name of the server, CitrixVM_2012. When it was online the Account Name was things like Mohamed, Robert, Sally, Admin, etc.

So does this tell you it's internal? If so, why does it have other Account Names when connected to the network?
0
 
LVL 29

Accepted Solution

by:Dr. Klahn
Dr. Klahn earned 1000 total points
ID: 41887209
"So does this tell you it's internal? If so, why does it have other Account Names when connected to the network?"

That's correct.  When it's not connected to the network, the only thing that can be attacking it is itself.

It has other account names when it is connected to the network because it can then connect to the malware master server and download lists of account names and passwords.

If it is not obvious what process is causing this, and the antivirus and anti-malware are coming up clean, then there are only two solutions:

  • Restore from a previous full backup that is known to be clean
  • Reload Windows from scratch

The second solution is ugly if there is no clean full backup, but you cannot afford to have a subverted system on your network.  At some point it will start downloading even worse malware and try to infest other systems.
0
 

Author Comment

by:J.R. Sitman
ID: 41893854
Dr. Klahn:

I read your last post.  We are still deciding what to do.  I'll get back to you.

Thanks
0
 

Author Closing Comment

by:J.R. Sitman
ID: 41902382
Thanks for all the help.   We've decided to build a new server from scratch.
0
 

Author Comment

by:J.R. Sitman
ID: 41902751
I thought it was important to update this. Prior to building a new server I spent hours just looking for anything, logical or not, that could cause this.
I noticed that this VM had 2 network cards. Only one was active. I changed the one that was connected to "not connected" and connected the other.
I then checked the Event logs and all the 4625 errors had stopped.

Why would a different IP stop the problem?
0