A large amount of failed login attempts

October 31, 2011 at 11:14:36
Specs: Windows 7
I know I answer a lot of questions here, but I got a problem that has stumped me. I'm asking for any hints, tips, or ideas to help figure out what is going on.

I am running a Windows Server 2008 R2 Enterprise edition x64. It is currently running Hyper-V as I'm playing around with it.

The problem right now is that it is being hit hard with failed log-on attempts from a room in the building I'm in. I can get up to 7 to 10 failed attempts in 1 second from one computer, and about 1 to 10 would do it at a time. The intervals seem irregular as well. At first I thought someone was attempting a brute force, but as I sat in the room when it was happening, the users were only browsing the web, no programs open other than a browser.

Even when no one was at the computer, the attempts were still happening. So I sat down at a computer that was doing this and looked at the running processes and services and didn't see anything out of the ordinary. The NETSTAT -ANO command showed no connections to my server. Wireshark running on my server shows a ton of SMB and SMB2 connections from the target computer and my server. Forefront shows no infections and says everything is good.

I'm at a loss as to what is causing this. I can't tell if the computers are infected or if there is a service in windows that is doing this. The only server at the moment that does anything directly to the host computers is our Untangle, no file server, no domain server (at the moment at least).

All host computers are Windows 7 x64.

Here is an example from Event Viewer of the failed attempt:

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4625
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated
    [ SystemTime] 2011-10-31T17:57:10.010189000Z
  EventRecordID 52917
  - Execution
    [ ProcessID] 612
    [ ThreadID] 656
  Channel Security
  Computer win-0d761fbgfff

- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName admin
  TargetDomainName SN-227-046567
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp
  AuthenticationPackageName NTLM
  WorkstationName SN-227-046567
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpPort 49813



An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin
Account Domain: SN-227-046567

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: SN-227-046567
Source Network Address:
Source Port: 49813

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
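As an added example (not code from the post or from this site), here is a small defender-side check over records like the one above: it parses 4625 records in the same key/value layout, spells out what the Status/SubStatus and logon type mean (the post's SubStatus 0xc0000064 is STATUS_NO_SUCH_USER, i.e. no "admin" account exists on the target), and flags any workstation that produces seven or more failures within a single second, the rate the post describes. The SAMPLE records, the EXAMPLE-PC host name and the threshold are constructed assumptions.

```python
# Added example (not from the thread): burst detection over Windows Security
# Event 4625 records in the flattened Event Viewer layout shown in the post.
from collections import Counter

# Well-known NTSTATUS values that appear in the 4625 Status/SubStatus fields.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE (unknown user name or bad password)",
    "0xc0000064": "STATUS_NO_SUCH_USER (account name does not exist)",
    "0xc000006a": "STATUS_WRONG_PASSWORD (account exists, password wrong)",
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}

# Template for one 4625 record in the post's key/value layout.
RECORD = """SystemTime {time}
EventID 4625
TargetUserName admin
Status 0xc000006d
SubStatus 0xc0000064
LogonType 3
AuthenticationPackageName NTLM
WorkstationName {ws}
"""

# Constructed sample: eight failures from one workstation inside a single
# second, one more a second later, and a lone failure from another host.
SAMPLE = "\n".join(
    [RECORD.format(time=f"2011-10-31T17:57:10.{i:09d}Z", ws="SN-227-046567")
     for i in range(8)]
    + [RECORD.format(time="2011-10-31T17:57:11.500000000Z", ws="SN-227-046567"),
       RECORD.format(time="2011-10-31T17:57:10.700000000Z", ws="EXAMPLE-PC")])

def parse_events(text):
    """Blank-line separated records -> list of {field: value} dicts."""
    return [dict(line.split(None, 1) for line in block.splitlines() if " " in line)
            for block in text.strip().split("\n\n")]

def describe(event):
    """Read a 4625 record the way an analyst would: who, how, and why it failed."""
    logon = LOGON_TYPES.get(event["LogonType"], "type " + event["LogonType"])
    reason = NTSTATUS.get(event["SubStatus"].lower(), event["SubStatus"])
    return (f"{event['WorkstationName']} -> '{event['TargetUserName']}' "
            f"({logon}, {event['AuthenticationPackageName']}): {reason}")

def find_bursts(events, per_second=7):
    """Count failures per (workstation, whole second); keep buckets at/over threshold."""
    counts = Counter((e["WorkstationName"], e["SystemTime"][:19]) for e in events)
    return {key: n for key, n in counts.items() if n >= per_second}

if __name__ == "__main__":
    print(describe(parse_events(SAMPLE)[0]), find_bursts(parse_events(SAMPLE)))
```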


November 6, 2011 at 01:07:15

As you mentioned that SMB connections are open on the workstation, is the server also a file server?
Check for cached credentials on the workstation, install CCleaner and run it...


November 6, 2011 at 20:32:38
It is not a file server but we have had problems with our domain server lately.

I'll run that program and see if it helps
