Server 2012 R2 - Failed login and Security SSP Events

8 replies to this topic

#1 Aerys


Posted 17 November 2014 - 04:44 PM

I've been troubleshooting a server that is having thousands of failed login events (4625) but I can't tell anything based on the information I am getting. Most of them happen at minute 9 each hour, like 12:09, 1:09, 2:09, and 30 minutes later, 12:39, 1:39, 2:39. It's almost like there is an exact timing, but then there will also be a few random ones at 12:46 or something and it doesn't seem to follow an exact pattern.

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		SERVER$
	Account Domain:		DORRAY
	Logon ID:		0x3E7

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

Process Information:
	Caller Process ID:	0x2b4
	Caller Process Name:	C:\Windows\System32\lsass.exe

Network Information:
	Workstation Name:	SERVER
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Schannel
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

In the application event logs the Software Protection service will start (event 900, 1066), do a license check (event 1003) then there is a 902 event, and it always reschedules another check for 30/60 minutes later (event 16384) and the service will stop (event 903).

 

I can provide more details about each event, but I have never seen something like this and have no idea what could be causing it. I mainly want to get rid of the failed login events, or figure out what is causing them.


He said the same thing he had been saying for hours... "burn them all".

-Jaime Lannister

Feel free to add me on Skype for help or to chat; lolballinn




#2 SleepyDude


Posted 17 November 2014 - 04:52 PM

Hi,

 

Just a hunch by any chance you installed the November Windows Updates recently?


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Aerys


Posted 17 November 2014 - 05:05 PM

Hi,

 

Just a hunch by any chance you installed the November Windows Updates recently?

Quite a few were installed on the 12th, but this has been going on since late September/early October.




#4 SleepyDude


Posted 17 November 2014 - 05:46 PM

Quite a few were installed on the 12th, but this has been going on since late September/early October.

 

In that case it must be something else.




#5 JohnnyJammer


Posted 17 November 2014 - 07:25 PM

2 things stand out for me.

1. Have you checked the task scheduler for anything running at hourly intervals?

2. lsass.exe has been known to have been injected with malware, check the size of the file with a clean server if possible.

 

It could also be the system account or registry permissions on HKCU or HKCR, which loads into memory anyway (i.e. HKCU).



#6 x64


Posted 18 November 2014 - 02:50 PM

Is it an Exchange server? Does it host any websites or web based services? Is it published to the internet in any way?

 

A bit of decoding that might help direct thoughts:

  • NULL SID suggests that the account that was being authenticated could not be identified.
  • 0xC000006D means that authentication failed due to bad credentials.
  • 0xC0000064 means that the requested user name does not exist.
  • Logon type 3 means the request was received from the network (but given that the request originated from "server", this suggests that the request was looped back from itself over the network stack).

 

x64
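The decoding in this post and the hourly :09 / :39 timing noticed in the first post can both be checked mechanically. The following is an added example written for this thread, not code from any of the posters. It parses the tab-indented 4625 event body exactly as pasted in the first post, decodes Status, Sub Status and Logon Type (the two codes quoted above plus a few other well-known NTSTATUS values that 4625 reports), buckets failures by minute of the hour so a schedule stands out from random noise, and pairs each failure with Application-log events logged shortly before it (the Software Protection license check, event 1003, is the one the first post mentions). The `local_host` parameter, the sample timestamps and the sample Application-log events are constructed assumptions.

```python
"""Decode 4625 (failed logon) event text and look for a schedule in the timestamps."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The two codes quoted in post #6 plus other NTSTATUS values Windows commonly reports
# in the Sub Status field of a 4625 event.
STATUS_CODES = {
    0xC000006D: "Logon failure: bad user name or password",
    0xC0000064: "User name does not exist",
    0xC000006A: "User name correct but password wrong",
    0xC0000072: "Account disabled",
    0xC0000234: "Account locked out",
    0xC0000071: "Password expired",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}

# One "Key:<tabs>Value" line of the event body; a key may contain spaces.
FIELD_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_4625(body: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {field: value}}; unsectioned fields (Logon Type) go under ""."""
    fields: Dict[str, Dict[str, str]] = {"": {}}
    section = ""
    for raw in body.splitlines():
        m = FIELD_RE.match(raw)
        if not m:
            continue  # blank line or the "An account failed to log on." banner
        indent, key, value = m["indent"], m["key"].strip(), m["value"].strip()
        if not indent and not value:   # "Subject:" style line opens a section
            section = key
            fields.setdefault(section, {})
        elif not indent:               # "Logon Type:   3" sits outside any section
            fields[""][key] = value
        else:
            fields.setdefault(section, {})[key] = value
    return fields


def decode(fields: Dict[str, Dict[str, str]], local_host: str) -> Dict[str, object]:
    """Read the facts post #6 derives (code meanings, NULL SID, local origin)."""
    info = fields.get("Failure Information", {})
    target = fields.get("Account For Which Logon Failed", {})
    net = fields.get("Network Information", {})
    status = int(info.get("Status", "0"), 16)
    sub_status = int(info.get("Sub Status", "0"), 16)
    logon_type = int(fields[""].get("Logon Type", "0"))
    return {
        "status": STATUS_CODES.get(status, f"unknown 0x{status:08X}"),
        "sub_status": STATUS_CODES.get(sub_status, f"unknown 0x{sub_status:08X}"),
        "logon_type": LOGON_TYPES.get(logon_type, f"unknown {logon_type}"),
        "target_account": target.get("Account Name") or "<empty>",
        "null_sid": target.get("Security ID") == "NULL SID",
        # Workstation Name equal to the host itself with no source address is the
        # "looped back over the network stack" case post #6 describes.
        "local_origin": (net.get("Workstation Name", "").upper() == local_host.upper()
                         and net.get("Source Network Address", "-") == "-"),
    }


def minute_of_hour_histogram(times: List[datetime]) -> Counter:
    """Failures per minute-of-hour, pooled across all hours."""
    return Counter(t.minute for t in times)


def scheduled_minutes(hist: Counter, min_share: float = 0.25) -> List[int]:
    """Minutes carrying at least min_share of all failures: a schedule, not noise."""
    total = sum(hist.values())
    return sorted(m for m, n in hist.items() if total and n / total >= min_share)


def near_app_events(failures: List[datetime], app_events: List[Tuple[datetime, int]],
                    window_s: int = 60) -> List[Tuple[datetime, int]]:
    """Pair each failure with Application-log events logged within window_s seconds."""
    return [(t, event_id) for t in failures for at, event_id in app_events
            if abs((t - at).total_seconds()) <= window_s]


# Constructed timeline: failures at :09 and :39 every hour plus two stray ones, and a
# Software Protection license check (event 1003) 20 s before each scheduled failure.
BASE = datetime(2014, 11, 17)
SAMPLE_TIMES = [BASE + timedelta(hours=h, minutes=m) for h in range(6) for m in (9, 39)]
SAMPLE_TIMES += [BASE + timedelta(minutes=46), BASE + timedelta(hours=3, minutes=17)]
SAMPLE_APP_EVENTS = [(t - timedelta(seconds=20), 1003) for t in SAMPLE_TIMES[:12]]

# Constructed copy of the event body from post #1 (tabs as the Event Viewer pastes them).
SAMPLE_4625 = (
    "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tSYSTEM\n"
    "\tAccount Name:\t\tSERVER$\n\tAccount Domain:\t\tDORRAY\n\tLogon ID:\t\t0x3E7\n\n"
    "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t\n\tAccount Domain:\t\t\n\nFailure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n"
    "\tSub Status:\t\t0xC0000064\n\nNetwork Information:\n\tWorkstation Name:\tSERVER\n"
    "\tSource Network Address:\t-\n\tSource Port:\t\t-\n"
)

if __name__ == "__main__":
    print(decode(parse_4625(SAMPLE_4625), local_host="SERVER"))
    print("scheduled minutes:", scheduled_minutes(minute_of_hour_histogram(SAMPLE_TIMES)))
    print("failures near an app-log event:", len(near_app_events(SAMPLE_TIMES, SAMPLE_APP_EVENTS)))
```

On a real server the event bodies and timestamps would come from the Security and Application logs rather than the constructed samples; the `local_origin` check is what separates "something on this box is generating the request" (the thread's case) from a remote source with a real Source Network Address, and a non-empty `scheduled_minutes` result is the cue to look at whatever runs on that cadence, such as the scheduled tasks and the license-check service the thread discusses.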



#7 x64


Posted 18 November 2014 - 03:03 PM

Sorry - should also have clarified that, though the authentication request is being generated locally, the process generating the request could be being manipulated externally. For example, a published email server being probed for logons, or maybe an old (once legitimate) access request now being denied because the associated user no longer exists (for example, access to an email server via POP/IMAP or OWA).

 

x64



#8 Aerys


Posted 07 January 2015 - 03:36 PM

Seems like it was related to IIS, my boss disabled the sites and the failed logins stopped. Not sure exactly what was causing it if anyone else is having the issue, but we didn't need them so it's good enough for us.




#9 zea62


Posted 07 October 2015 - 04:10 PM

This event is usually caused by a stale hidden credential. Try this from the system giving the error:
 
From a command prompt run:    psexec -i -s -d cmd.exe
From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.
 
