Tracking down all these illegal logins

  • Question

  • Hi --

    I have an SBS server that has begun to register a large number of login audit failures. Here's an example:


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/8/2019 12:58:57 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SERVER.domain.local
    Description:
    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: AHLMUA5I
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name:
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    They're all network logins, but they carry no source information -- Null SIDs, no process information, no source workstation information (not even an IP address). The user names found in the Account Name field are varied and eventually start to repeat. They've mercifully been names that we don't have registered in AD.

    This server is behind a Netgear firewall that blocks just about all incoming traffic to the server except for HTTPS (which I have to leave open) and RDP on a redirected port (for emergencies). Incoming email is handled through port 587, to/from an outside spam filtering service; the firewall blocks any SMTP traffic that does not come from the service.

    The biggest, most obvious problem is that I have no way to tell from where these login attempts are coming. Why are these audit errors being logged without even an IP address? How do I get Windows to at least report an originating IP address?

    I've been searching online for an answer to this for several hours now. I've found a large number of inquiries similar to mine (login failures logged without any information relating to the origin of the login request). But so far, I haven't found a single solution.

    Does anyone know how I can resolve this?

    Thanks,
    CL




    Monday, July 8, 2019 6:44 AM

All replies

  • Hi,

    0xC000006D:
    This is due either to a bad username or to bad authentication information.

    0xC0000064:
    User logon with a misspelled or bad user account.

    >Account Name:  AHLMUA5I
    Have you confirmed this account name, such as the logon credential of a service, a task, etc.?

    The event has its limitations and, as you mentioned, not all information has been logged. To identify the failed logon attempt further, network monitoring and tracing is necessary. A network packet capture tool such as Network Monitor or Wireshark, or a third-party system monitoring tool, can be considered.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 9, 2019 3:11 AM
    Moderator
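An added example, not code from this thread or from any of its participants, of the triage an administrator can do on the server before reaching for a packet capture: it pulls recent Event 4625 records, separates the failures that carry a source address from the ones that, as in the question, carry none, and summarises account names, logon process, authentication package and the sub-status codes explained in the reply above. It assumes it is run in an elevated Windows PowerShell 3.0 or later session on the host that logs the events; `$Hours` and `$Top` are hypothetical parameters, and the field names are the standard EventData names of Event 4625.

```powershell
# Added example: summarise Event 4625 audit failures and show which ones lack
# source information. Assumptions: elevated Windows PowerShell 3.0+ on the server;
# $Hours and $Top are hypothetical parameters chosen for this example.
param(
    [int]$Hours = 24,   # how far back to look
    [int]$Top   = 15    # how many account names / addresses to list
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No 4625 events in the last $Hours hours."; return }

# Flatten each event's EventData (<Data Name="...">value</Data>) into one object.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        AuthPackage = $data['AuthenticationPackageName']
        LogonProc   = $data['LogonProcessName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        SourcePort  = $data['IpPort']
    }
}

# "-" or an empty value means the logon process supplied no source information,
# which is the pattern described in the question.
$blank      = @('', '-')
$noSource   = $rows | Where-Object { $blank -contains $_.SourceIP -and $blank -contains $_.Workstation }
$withSource = $rows | Where-Object { $blank -notcontains $_.SourceIP }

"Total 4625 events : $($rows.Count)"
"With a source IP  : $($withSource.Count)"
"Without source    : $($noSource.Count)"

"`nFailures without source, by logon process / auth package / logon type:"
$noSource | Group-Object LogonProc, AuthPackage, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nMost frequent account names without source (repeats suggest a word list being cycled):"
$noSource | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"`nSub-status breakdown (0xC0000064 = unknown user name, 0xC000006A = wrong password):"
$rows | Group-Object SubStatus | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nFailures that do carry a source IP, by address (candidates for the firewall):"
$withSource | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize
```

Save it as a `.ps1` file and run it as `.\Summarize4625.ps1 -Hours 48`. The split between "with source" and "without source" is the useful part: if every failure lands in the second group and they all come from `NtLmSsp`/NTLM with logon type 3, the event log alone will not answer the question, and the tracing and capture the reply recommends is the next step; any failures that do carry an address give the firewall something concrete to act on, and a sub-status that stays at 0xC0000064 confirms the names are not real accounts.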
  • Hi,

    How are things going on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang


    Tuesday, July 16, 2019 9:20 AM
    Moderator
  • Hi,

    Is there any update?

    Please click “Mark as answer” if any of the above replies is helpful. It would move this reply to the top and make it easier to find for other people who have a similar problem.

    Best Regards,
    Eve Wang


    Wednesday, July 17, 2019 9:24 AM
    Moderator
  • So what you're saying is that the server is logging an illegal login attempt, but has no way to tell from where it is coming?
    Saturday, July 20, 2019 8:17 PM
  • Hi,

    It depends. In general, an event such as Event 4625 has a Source Network Address section that records the IP address of the machine from which the logon attempt was performed. However, due to factors such as packet type, network, etc., it may be unable to determine the exact IP address.

    If so, in order to identify the details, tracing and monitoring tools are recommended.

    Best Regards,
    Eve Wang


    4 hours 27 minutes ago
    Moderator