Results 1 to 7 of 7

Thread: Failure Audit log entries

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Failure Audit log entries

    Hey all,

    We had some strange things going on with our website yesterday, and in reviewing the logs, I noticed a whole bunch of Failure Audits (more than 12,000 of them within 20 minutes). I'm a little confused by what exactly is going on - I have a 680 Event ID immediately followed by a 529 Event ID (6,000+ of each). Below are the entries - the only difference between the successive entries is the time. This is Server 2003 Standard Edition - there's no Administrator account. Not sure what the 20372 PID is/was, as it's not running right now...

    680:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 1/11/2009
    Time: 8:23:41 AM
    User: NT AUTHORITY\SYSTEM
    Computer: STATECE-WEB1
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Administrator
    Source Workstation: STATECE-WEB1
    Error Code: 0xC0000064

    529:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 1/11/2009
    Time: 8:23:41 AM
    User: NT AUTHORITY\SYSTEM
    Computer: STATECE-WEB1
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: STATECE-WEB1
    Logon Type: 8
    Logon Process: IIS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: STATECE-WEB1
    Caller User Name: STATECE-WEB1$
    Caller Domain: NEOSPIRE
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 20372
    Transited Services: -
    Source Network Address: -
    Source Port: -

  2. #2
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Sounds like a brute force attack. The Error Code: 0xC0000064 means that an attempt to logon was made using a non-existent account.
    In God We Trust....Everything else we backup.

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I would make sure you have a good strong password on your admin account...

    I think + 26 charactors is the new recommendation...

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Neg,
    at first I could not figure out why you were asking this, but I now I think I understand what you are asking.

    Guess this has already been said, and I am no IIS guy, but:

    Yea, brut force attack.
    Were you able to find anything in any other logs around the same time to find the IP of the attacking machine?
    Any chance of IDS logs available?
    ( also, was it attacking a FTP server ? )

    I think the question was why both events?

    The 680 event was because of the non-existent Administrator account, the 529 event was saying the attempt had a bad user name or password.

    Again, I am no IIS guy, but I would think that once the attempt hit the first event it should have been stopped before hitting the second?

    Or is that just me?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Heya,

    I was hoping that someone would confirm beyond a doubt that this is simply a brute force attack. What I'm worried about - and the reason I'm asking - is that this is somehow being triggered by some of our code. I guess the "logon type 8" is throwing me off... Also, the way our site was behaving after these events made me think that this was related to code being ridiculous more than to a brute force attack (as I don't think a brute force attack can make certain site functionality stop working)... So either this is a big coincidence, or something's going on with the code...

    The server is being hosted, and I'm waiting for the host to get back to me with anything they can find (although they already confirmed that they didn't see anything out of the ordinary in their IDS logs, which again caused me start doubting the brute force scenario)...

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Sometimes when the admin password is changed....it needs to be changed in all services\apps and scheduled tasks that run on the server ....so depending on what services\apps\task are running on the server...the admin password may need to be reset at thier level. Usually ...database maintenence\backups or mail services etc that run with the admin account.

    I would contact the host server admin and see if there have been recent changes\updates that may be interfering with services that run on your site.

    Do they happen at specific times??

    MLF
    Last edited by morganlefay; January 13th, 2009 at 04:57 AM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    It's tough to "confirm beyond a doubt", but this looks very much like a lame brute force attack. The login type 8 is a basic authentication attempt over the network using clear text.

    Here's a link that explains the logon type codes
    http://www.windowsecurity.com/articles/Logon-Types.html

    I would heed the AO watery tart's suggestion re: password strength.

    CSR
    In God We Trust....Everything else we backup.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Internet Speed and Bandwidth problem !!
    By sumitprateek in forum General Computer Discussions
    Replies: 17
    Last Post: June 23rd, 2008, 07:42 PM
  3. can't rid my computer of Spoton
    By rpgraff in forum Spyware / Adware
    Replies: 16
    Last Post: August 24th, 2004, 08:01 AM
  4. failure audit
    By netknow in forum Microsoft Security Discussions
    Replies: 2
    Last Post: September 5th, 2003, 04:45 PM
  5. Win2K Logoff Audit Failure
    By Info Tech Geek in forum Network Security Discussions
    Replies: 9
    Last Post: July 30th, 2003, 07:44 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •