windows server 2008 r2 event id 4776 and 4625

hello

We have two servers that constantly getting hammered with audit failures to the point where the server starts to run really slow. one of them runs a software called facts which is all in pos/inventory system and the other has all the pdf documents for the facts server and name of the software is udam. The second server is also the print server for the 1st server.  so they need to obviously need to communicate with each other.  Recently I have noticed thousands of audit failures come from server 2 to server 1 to the point where server one can not function and I noticed that it is coming from c:\windows\explorer.exe.. I thought it could be a virus I am running malwarebytes premium on both I also ran hitman pro, dint find anything other than 2 adwares which were removed.  I am attaching a file with both event id details.  Any help will be very much appreciated

EVENT ID 4776
Log Name:      Security
Source:        Microsoft-Windows-Security-

Auditing
Date:          11/17/2017 4:19:28 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Fax.companyname.local
Description:
The computer attempted to validate the

credentials for an account.

Authentication Package:      

MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      Guest
Source Workstation:      FAX
Error Code:      0xc0000234
Event Xml:
<Event

xmlns="http://schemas.microsoft.com/win/200

4/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-

Security-Auditing" Guid="{54849625-5478-

4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-

17T21:19:28.264902700Z" />
    <EventRecordID>15717085</EventRecordID>
    <Correlation />
    <Execution ProcessID="680"

ThreadID="1308" />
    <Channel>Security</Channel>
   

<Computer>Fax.companyname.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data

Name="PackageName">MICROSOFT_AUTHENTICATION

_PACKAGE_V1_0</Data>
    <Data

Name="TargetUserName">Guest</Data>
    <Data Name="Workstation">FAX</Data>
    <Data Name="Status">0xc0000234</Data>
  </EventData>
</Event>




EVENT ID 4625

Log Name:      Security
Source:        Microsoft-Windows-Security-

Auditing
Date:          11/17/2017 4:19:28 PM
Event ID:      4625
Task Category: Account Lockout
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Fax.companyname.local
Description:
An account failed to log on.

Subject:
      Security ID:            

companyname\infor
      Account Name:            infor
      Account Domain:            companyname
      Logon ID:            0x69018ee

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Guest
      Account Domain:            FAX

Failure Information:
      Failure Reason:            Account

locked out.
      Status:                  0xc0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x1b14
      Caller Process Name:      C:\Windows

\explorer.exe

Network Information:
      Workstation Name:      FAX
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon

request fails. It is generated on the

computer where access was attempted.

The Subject fields indicate the account on

the local system which requested the logon.

This is most commonly a service such as the

Server service, or a local process such as

Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of

logon that was requested. The most common

types are 2 (interactive) and 3 (network).

The Process Information fields indicate

which account and process on the system

requested the logon.

The Network Information fields indicate

where a remote logon request originated.

Workstation name is not always available

and may be left blank in some cases.

The authentication information fields

provide detailed information about this

specific logon request.
      - Transited services indicate which

intermediate services have participated in

this logon request.
      - Package name indicates which

sub-protocol was used among the NTLM

protocols.
      - Key length indicates the length

of the generated session key. This will be

0 if no session key was requested.
Event Xml:
<Event

xmlns="http://schemas.microsoft.com/win/200

4/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-

Security-Auditing" Guid="{54849625-5478-

4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-

17T21:19:28.264902700Z" />
    <EventRecordID>15717086</EventRecordID>
    <Correlation />
    <Execution ProcessID="680"

ThreadID="1308" />
    <Channel>Security</Channel>
   

<Computer>Fax.companyname.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-

1957994488-725345543-682003330-2735</Data>
    <Data

Name="SubjectUserName">infor</Data>
    <Data

Name="SubjectDomainName">companyname</Data>
    <Data

Name="SubjectLogonId">0x69018ee</Data>
    <Data Name="TargetUserSid">S-1-0-

0</Data>
    <Data

Name="TargetUserName">Guest</Data>
    <Data

Name="TargetDomainName">FAX</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%

%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  

</Data>
    <Data

Name="AuthenticationPackageName">Negotiate<

/Data>
    <Data Name="WorkstationName">FAX</Data>
    <Data Name="TransmittedServices">-

</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1b14</Data>
    <Data Name="ProcessName">C:\Windows

\explorer.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
eventid.txt
iamaidiotAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ITSysTechSenior Systems AdministratorCommented:
Do you by chance have a type of PCI Compliance Scanning going on in your network?
0
iamaidiotAuthor Commented:
no not at the moment
0
Ajit SinghCommented:
Event 4776 indicates the domain controller attempted to validate the credentials for an account.

It seems like some service tried to logon some user with incorrect user credentials.

Do you have a firewall?  If So you can check the logs and search the IP address that the attack is coming from.

You can also look in the IIS logs for the IP address as well. Block the address and you should be good.

Event ID 4625 is generated when a logon request fails. It is generated on the computer where access was attempted.

First you need to track the source of this event and block the address to check if it is not appeared again.

The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2: https://support.microsoft.com/en-us/help/2157973/the-security-event-that-has-event-id-4625-does-not-contain-the-user-ac

Check this article which define the process to audit the successful or failed logon and logoff attempts in the network using the audit policies.

Another informative article which lets you how to identify the source of Account Lockouts in Active Directory: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

Hope this helps!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software

From novice to tech pro — start learning today.