Lots of "Logon Failure" messages

  • Lots of "Logon Failure" messages

    Every evening a customer of mine has lots of Logon Failure messages logged in the Security logs. I thought it was coming from IIS but the IIS logs show no trace of external users attempting to exploit the server.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 28/10/2008
    Time: 02:29:17
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: new
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: SERVERNAME

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 681
    Date: 28/10/2008
    Time: 02:29:22
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    The logon to account: new
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: SERVERNAME
    failed. The error code was: 3221225572

    The above is logged about 1400+ times a night. I've searched the net over and over but found nothing obvious.

    Windows 2000 Server
    Exchange Server 2000
    SQL Server 2005

    Usernames:
    new
    manager
    academia
    inna
    candy
    mail
    administrator
    alice
    andy
    hello
    alex
    Last edited by ]SK[; 28th October 2008, 10:01.
    Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.

  • #2
    Re: Lots of "Logon Failure" messages

    Just an idea: it could be, amongst others, a case of a dictionary attack or a certain program running on a specific user account, i.e. scheduled backups etc.
    Check the successful audit events after the failure to ensure the specific account wasn't logged on successfully, check local users on the specific machine for anything unusual, plus the usual drill: spyware scan, AV scan, check the other security logs and events.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Lots of "Logon Failure" messages

      It does look like a dictionary attack yes.

      Antivirus scans every morning at 5AM. Finds nothing. Sophos also scans for adware etc. I know this as it completely uninstalls anything it finds as adware, because earlier this week it was uninstalling some free proxy software on another server.

      IIS Logs show nothing.

      Found another username with Chinese or similar characters.


      • #4
        Re: Lots of "Logon Failure" messages

        I would check your firewall logs right now, sounds like they are already in.
        Windows update on all hosts, scan with another AV product (1 is never enough).
        I would seriously think about stopping all external access until you know you are clean. You could allow only your Exchange out to 25 and in from 25 plus DNS lookups if you don't have a smarthost.
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?



        • #5
          Re: Lots of "Logon Failure" messages

          I don't think it's an attack at all. Have a look at these and see if they help:

          http://support.microsoft.com/kb/926210

          http://support.microsoft.com/kb/890477

          http://support.microsoft.com/kb/811082



          • #6
            Re: Lots of "Logon Failure" messages

            I'm not convinced either. The only issue is the fact the usernames are random and then there is the username which contains Chinese characters. These logs are also only during the early hours of the morning.

            House call is still scanning from this morning. Nothing found so far.
            I read it could be SMTP authentication attempts but I would have thought that the IP would be logged in the event viewer.

            I can't close down the internet access for users. Port 25 is actually the only port open inwards from the internet now. I changed OWA from 80 to 8080 when I first saw these messages. Since I'm still getting the logs, I have closed access to OWA completely for now.


            • #7
              Re: Lots of "Logon Failure" messages

              Originally posted by ]SK[:
              The only issue is the fact the usernames are random and then there is the username which contains Chinese characters. These logs are also only during the early hours of the morning.
              Well no probs if you guys disagree. I'm not so sure myself.

              Do the client machines go straight out to the internet? If so, then only allowing 25 in wouldn't mean anything, as it would be likely the ACLs would block only traffic initiated from the outside, not traffic initiated from the inside and accepting the replies, as many of these things are set up.
              Can you see where your traffic is going at the moment and specifically during the evenings?
              Try turning off the clients and see if it happens tonight maybe?
              cheers
              Andy



              • #8
                Re: Lots of "Logon Failure" messages

                It appears that this is not a new thing: http://kb.monitorware.com/event-ids-...25572-t78.html
                Still no definite answers have been provided about the cause (can't rule out the option of an attack just yet though, so it won't do any harm if you take all the precautions to minimise the impact of such an attack until the real culprit is found).
                Have a look at this for more info as well: http://support.microsoft.com/kb/326985



                • #9
                  Re: Lots of "Logon Failure" messages

                  The users go through a proxy server. I have turned the proxy off during the evenings to see if this was an issue. The proxy is installed on the server that's having the errors. The servers themselves access the internet directly (NAT).

                  I also noted one thing. A good portion of the errors are one error rather than in two errors as logged above. The error also uses the username of the renamed Administrator account. This suggests to me that a service or some software is attempting to log on using the renamed administrator account (see error below). I will continue to poke around. The issue I have is it's an inherited network. The previous guy seems to have installed lots of pointless software and used the live network for testing. Before I arrived they had about 8 servers. I've managed to get them down to 4. It's a slow process however.

                  Event Type: Failure Audit
                  Event Source: Security
                  Event Category: Account Logon
                  Event ID: 681
                  Date: 27/10/2008
                  Time: 19:20:55
                  User: NT AUTHORITY\SYSTEM
                  Computer: SERVERNAME
                  Description:
                  The logon to account: renamed_administrator_account
                  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
                  from workstation: DTX-EXCH
                  failed. The error code was: 3221225578

                  *Edit*

                  Actually I just noticed one thing. This error seems to occur exactly when the nightly backup job starts. Time to investigate. Although this doesn't explain the reason for the random usernames in post #1.
                  Last edited by ]SK[; 28th October 2008, 15:03.


                  • #10
                    Re: Lots of "Logon Failure" messages

                    The error code for the last event indicates a "Logon with misspelled or bad password". It could be a case of a service or program running under that account, set up prior to your arrival, but this event could also be caused by an IIS Kerberos issue, so I'd suggest you look closely at the article I posted before about IIS.

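Added example, not from the thread: a Python script that parses Event ID 681 records in the text form quoted above, decodes the two NTSTATUS values that appear in this thread (3221225572 is 0xC0000064 STATUS_NO_SUCH_USER, 3221225578 is 0xC000006A STATUS_WRONG_PASSWORD), and buckets the records by hour to separate the two patterns the posters are weighing: many different account names failing as "unknown user" in a burst, versus one fixed account failing with a bad password at the time a job starts. The sample records are constructed to mirror the thread; they are not real log data.

```python
import re
from collections import defaultdict

# Decimal NTSTATUS codes as Event ID 681 prints them (the two seen in the thread).
NTSTATUS = {
    3221225572: "STATUS_NO_SUCH_USER (0xC0000064): unknown user name",
    3221225578: "STATUS_WRONG_PASSWORD (0xC000006A): bad password",
}

def grab(pattern, block):
    m = re.search(pattern, block, re.M)
    return m.group(1) if m else None

def parse_681(text):
    """One dict per Event ID 681 record in an Event Viewer text export."""
    events = []
    for block in re.split(r"(?m)(?=^Event Type:)", text):
        if grab(r"^Event ID:\s*(\d+)", block) != "681":
            continue
        code = int(grab(r"The error code was:\s*(\d+)", block))
        events.append({"time": grab(r"^Time:\s*(\d\d:\d\d:\d\d)", block),
                       "account": grab(r"^The logon to account:\s*(\S+)", block),
                       "workstation": grab(r"^from workstation:\s*(\S+)", block),
                       "code": code, "reason": NTSTATUS.get(code, "unrecognised NTSTATUS %d" % code)})
    return events

def triage(events):
    """Per hour: many distinct names failing with NO_SUCH_USER reads as guessing; one account
    failing with WRONG_PASSWORD at a fixed time reads as a job or service with a stale credential."""
    per_hour = defaultdict(list)
    for e in events:
        per_hour[e["time"][:2]].append(e)
    out = {}
    for hour, evs in per_hour.items():
        names = sorted({e["account"] for e in evs})
        codes = {e["code"] for e in evs}
        if len(names) >= 3 and codes == {3221225572}:
            verdict = "password guessing / dictionary attempts"
        elif len(names) == 1 and codes == {3221225578}:
            verdict = "stale credential on a scheduled job or service"
        else:
            verdict = "mixed; inspect individually"
        out[hour] = (len(evs), names, sorted({e["workstation"] for e in evs}), verdict)
    return out

# Constructed sample modelled on the records quoted in the thread (not real log data).
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 681\nTime: {t}\n"
            "The logon to account: {u}\nfrom workstation: {w}\nfailed. The error code was: {c}\n")
SAMPLE = "".join(TEMPLATE.format(t=t, u=u, w=w, c=c) for t, u, w, c in [
    ("02:29:17", "new", "SERVERNAME", 3221225572), ("02:29:22", "manager", "SERVERNAME", 3221225572),
    ("02:29:40", "academia", "SERVERNAME", 3221225572), ("19:20:55", "renamed_administrator_account", "DTX-EXCH", 3221225578)])
```

Feed it a saved Event Viewer text export (`triage(parse_681(open(path).read()))`) and compare the 02:00 hour bucket with the hour the backup job starts; Logon Type 3 with the server's own name as workstation, as in the quoted events, says only that the logon was network-style and arrived at this host, not where it came from.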


                    • #11
                      Re: Lots of "Logon Failure" messages

                      Is the machine where the events are logging your IIS machine? I didn't catch that in your previous posts. If so, then I would take another look at the IIS logs. Make sure you have logging turned on for all web sites. I would recommend W3C logging format, have the log roll over every day, and set these logging options:

                      c-ip
                      cs-username
                      s-ip
                      cs-method
                      cs-uri-stem
                      cs-uri-query
                      sc-status
                      sc-substatus
                      sc-win32-status

                      This should give you quite a bit in the IIS log to go on.
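Added example, not from the thread: a small Python reader for an IIS W3C Extended log that names its columns from the `#Fields:` directive (so it works whichever of the fields above are enabled and in whatever order) and summarises, per client address, the 401 responses with the account names that were tried and the 404 probes the later post describes. The log lines are constructed for illustration, using documentation address ranges.

```python
from collections import defaultdict

def parse_w3c(lines):
    """Yield one dict per request from an IIS W3C Extended log.
    Column names come from the #Fields: directive; other #-lines are directives to skip."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split(" ")))

def summarise(records):
    """Per c-ip: total hits, 401s (authentication failures, with the cs-username values
    that were offered) and 404s (requests for scripts that are not on the box)."""
    out = defaultdict(lambda: {"hits": 0, "401": 0, "404": 0, "users": set()})
    for r in records:
        row = out[r["c-ip"]]
        row["hits"] += 1
        status = r.get("sc-status")
        if status in ("401", "404"):
            row[status] += 1
        if status == "401" and r.get("cs-username", "-") != "-":
            row["users"].add(r["cs-username"])
    return dict(out)

# Constructed sample log (not real data). Field order follows the list in the post above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status
2008-10-28 02:29:17 203.0.113.7 - 192.0.2.10 GET /exchange/ - 401 2 0
2008-10-28 02:29:22 203.0.113.7 manager 192.0.2.10 GET /exchange/ - 401 1 1326
2008-10-28 03:10:01 198.51.100.5 - 192.0.2.10 GET /scripts/root.exe - 404 0 2
"""
```

A 401 that carries a `cs-username` is a credential that was actually submitted and rejected, which is what would line up with an Event ID 681 if IIS were the source; a run of 404s for paths that do not exist is the scanner noise the thread mentions and does not generate logon audits.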



                      • #12
                        Re: Lots of "Logon Failure" messages

                        Originally posted by ]SK[:
                        IIS Logs show nothing.
                        I think it has already been checked. Plus if it was IIS wouldn't we get the process ID if it was local?
                        cheers
                        Andy



                        • #13
                          Re: Lots of "Logon Failure" messages

                          Yes the logging is enabled. Between yesterday and today the only signs are a few connections from what I guess are bots looking for scripts. All 404 errors.
                          The other connections are from my IP when testing. I thought at first these logon errors were coming from IIS but the W3C logs suggest otherwise.


                          • #14
                            Re: Lots of "Logon Failure" messages

                            What ports are exposed?
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"



                            • #15
                              Re: Lots of "Logon Failure" messages

                              Currently. 25 for mail.