windows server 2008 r2 event id 4776 and 4625
hello
We have two servers that constantly getting hammered with audit failures to the point where the server starts to run really slow. one of them runs a software called facts which is all in pos/inventory system and the other has all the pdf documents for the facts server and name of the software is udam. The second server is also the print server for the 1st server. so they need to obviously need to communicate with each other. Recently I have noticed thousands of audit failures come from server 2 to server 1 to the point where server one can not function and I noticed that it is coming from c:\windows\explorer.exe.. I thought it could be a virus I am running malwarebytes premium on both I also ran hitman pro, dint find anything other than 2 adwares which were removed. I am attaching a file with both event id details. Any help will be very much appreciated
EVENT ID 4776
Log Name: Security
Source: Microsoft-Windows-Security
Auditing
Date: 11/17/2017 4:19:28 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Fax.companyname.local
Description:
The computer attempted to validate the
credentials for an account.
Authentication Package:
MICROSOFT_AUTHENTICATION_P
Logon Account: Guest
Source Workstation: FAX
Error Code: 0xc0000234
Event Xml:
<Event
xmlns="http://schemas.microsoft.com/win/200
4/08/events/event">
<System>
<Provider Name="Microsoft-Windows-
Security-Auditing" Guid="{54849625-5478-
4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2017-11-
17T21:19:28.264902700Z" />
<EventRecordID>15717085</E
<Correlation />
<Execution ProcessID="680"
ThreadID="1308" />
<Channel>Security</Channel
<Computer>Fax.companyname.
<Security />
</System>
<EventData>
<Data
Name="PackageName">MICROSO
_PACKAGE_V1_0</Data>
<Data
Name="TargetUserName">Gues
<Data Name="Workstation">FAX</Da
<Data Name="Status">0xc0000234</
</EventData>
</Event>
EVENT ID 4625
Log Name: Security
Source: Microsoft-Windows-Security
Auditing
Date: 11/17/2017 4:19:28 PM
Event ID: 4625
Task Category: Account Lockout
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Fax.companyname.local
Description:
An account failed to log on.
Subject:
Security ID:
companyname\infor
Account Name: infor
Account Domain: companyname
Logon ID: 0x69018ee
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: FAX
Failure Information:
Failure Reason: Account
locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1b14
Caller Process Name: C:\Windows
\explorer.exe
Network Information:
Workstation Name: FAX
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon
request fails. It is generated on the
computer where access was attempted.
The Subject fields indicate the account on
the local system which requested the logon.
This is most commonly a service such as the
Server service, or a local process such as
Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of
logon that was requested. The most common
types are 2 (interactive) and 3 (network).
The Process Information fields indicate
which account and process on the system
requested the logon.
The Network Information fields indicate
where a remote logon request originated.
Workstation name is not always available
and may be left blank in some cases.
The authentication information fields
provide detailed information about this
specific logon request.
- Transited services indicate which
intermediate services have participated in
this logon request.
- Package name indicates which
sub-protocol was used among the NTLM
protocols.
- Key length indicates the length
of the generated session key. This will be
0 if no session key was requested.
Event Xml:
<Event
xmlns="http://schemas.microsoft.com/win/200
4/08/events/event">
<System>
<Provider Name="Microsoft-Windows-
Security-Auditing" Guid="{54849625-5478-
4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2017-11-
17T21:19:28.264902700Z" />
<EventRecordID>15717086</E
<Correlation />
<Execution ProcessID="680"
ThreadID="1308" />
<Channel>Security</Channel
<Computer>Fax.companyname.
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
1957994488-725345543-68200
<Data
Name="SubjectUserName">inf
<Data
Name="SubjectDomainName">c
<Data
Name="SubjectLogonId">0x69
<Data Name="TargetUserSid">S-1-0
0</Data>
<Data
Name="TargetUserName">Gues
<Data
Name="TargetDomainName">FA
<Data Name="Status">0xc0000234</
<Data Name="FailureReason">%
%2307</Data>
<Data Name="SubStatus">0x0</Data
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Ad
</Data>
<Data
Name="AuthenticationPackag
/Data>
<Data Name="WorkstationName">FAX
<Data Name="TransmittedServices"
</Data>
<Data Name="LmPackageName">-</Da
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1b14</D
<Data Name="ProcessName">C:\Wind
\explorer.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
eventid.txt
We have two servers that constantly getting hammered with audit failures to the point where the server starts to run really slow. one of them runs a software called facts which is all in pos/inventory system and the other has all the pdf documents for the facts server and name of the software is udam. The second server is also the print server for the 1st server. so they need to obviously need to communicate with each other. Recently I have noticed thousands of audit failures come from server 2 to server 1 to the point where server one can not function and I noticed that it is coming from c:\windows\explorer.exe.. I thought it could be a virus I am running malwarebytes premium on both I also ran hitman pro, dint find anything other than 2 adwares which were removed. I am attaching a file with both event id details. Any help will be very much appreciated
EVENT ID 4776
Log Name: Security
Source: Microsoft-Windows-Security
Auditing
Date: 11/17/2017 4:19:28 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Fax.companyname.local
Description:
The computer attempted to validate the
credentials for an account.
Authentication Package:
MICROSOFT_AUTHENTICATION_P
Logon Account: Guest
Source Workstation: FAX
Error Code: 0xc0000234
Event Xml:
<Event
xmlns="http://schemas.microsoft.com/win/200
4/08/events/event">
<System>
<Provider Name="Microsoft-Windows-
Security-Auditing" Guid="{54849625-5478-
4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2017-11-
17T21:19:28.264902700Z" />
<EventRecordID>15717085</E
<Correlation />
<Execution ProcessID="680"
ThreadID="1308" />
<Channel>Security</Channel
<Computer>Fax.companyname.
<Security />
</System>
<EventData>
<Data
Name="PackageName">MICROSO
_PACKAGE_V1_0</Data>
<Data
Name="TargetUserName">Gues
<Data Name="Workstation">FAX</Da
<Data Name="Status">0xc0000234</
</EventData>
</Event>
EVENT ID 4625
Log Name: Security
Source: Microsoft-Windows-Security
Auditing
Date: 11/17/2017 4:19:28 PM
Event ID: 4625
Task Category: Account Lockout
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Fax.companyname.local
Description:
An account failed to log on.
Subject:
Security ID:
companyname\infor
Account Name: infor
Account Domain: companyname
Logon ID: 0x69018ee
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: FAX
Failure Information:
Failure Reason: Account
locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1b14
Caller Process Name: C:\Windows
\explorer.exe
Network Information:
Workstation Name: FAX
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon
request fails. It is generated on the
computer where access was attempted.
The Subject fields indicate the account on
the local system which requested the logon.
This is most commonly a service such as the
Server service, or a local process such as
Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of
logon that was requested. The most common
types are 2 (interactive) and 3 (network).
The Process Information fields indicate
which account and process on the system
requested the logon.
The Network Information fields indicate
where a remote logon request originated.
Workstation name is not always available
and may be left blank in some cases.
The authentication information fields
provide detailed information about this
specific logon request.
- Transited services indicate which
intermediate services have participated in
this logon request.
- Package name indicates which
sub-protocol was used among the NTLM
protocols.
- Key length indicates the length
of the generated session key. This will be
0 if no session key was requested.
Event Xml:
<Event
xmlns="http://schemas.microsoft.com/win/200
4/08/events/event">
<System>
<Provider Name="Microsoft-Windows-
Security-Auditing" Guid="{54849625-5478-
4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2017-11-
17T21:19:28.264902700Z" />
<EventRecordID>15717086</E
<Correlation />
<Execution ProcessID="680"
ThreadID="1308" />
<Channel>Security</Channel
<Computer>Fax.companyname.
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
1957994488-725345543-68200
<Data
Name="SubjectUserName">inf
<Data
Name="SubjectDomainName">c
<Data
Name="SubjectLogonId">0x69
<Data Name="TargetUserSid">S-1-0
0</Data>
<Data
Name="TargetUserName">Gues
<Data
Name="TargetDomainName">FA
<Data Name="Status">0xc0000234</
<Data Name="FailureReason">%
%2307</Data>
<Data Name="SubStatus">0x0</Data
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Ad
</Data>
<Data
Name="AuthenticationPackag
/Data>
<Data Name="WorkstationName">FAX
<Data Name="TransmittedServices"
</Data>
<Data Name="LmPackageName">-</Da
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1b14</D
<Data Name="ProcessName">C:\Wind
\explorer.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
eventid.txt
Do you by chance have a type of PCI Compliance Scanning going on in your network?
ASKER
no not at the moment
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.