Hi all,
I recently found that there were some unknown users added to the local admin group on my front-end servers. Upon further investigation I found that there are lots of 4625 event IDs in my security log. Many were from public IP addresses, which I have added to the deny list on my firewall. But the following events are very strange. They all are coming from the same computer AND there are hundreds of them, all trying different usernames (like admin, user1, print1). Looks more like a dictionary attack to me, unless someone can give a better explanation. Here is an example of one event:
An account failed to log on.

Subject:
    Security ID:                NULL SID
    Account Name:               -
    Account Domain:             -
    Logon ID:                   0x0

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               visitor
    Account Domain:

Failure Information:
    Failure Reason:             Unknown user name or bad password.
    Status:                     0xC000006D
    Sub Status:                 0xC0000064

Process Information:
    Caller Process ID:          0x0
    Caller Process Name:        -

Network Information:
    Workstation Name:           WindowsMachine
    Source Network Address:     -
    Source Port:                -

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
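The pattern described in the post (one workstation name, hundreds of 4625 events, each with a different target account, sub status 0xC0000064) is the signature of username guessing over NTLM. The following Python is an added example, not code from the poster, that parses exported 4625 message text in the layout shown above and flags any client workstation that cycles through many distinct usernames. The message template, user names, host names and addresses it feeds itself are constructed test data; in practice the same logic would run over events pulled with Get-WinEvent, an EVTX export or a SIEM query.

```python
import re
from collections import defaultdict

# Constructed 4625 message template in the layout Windows writes (tab-separated
# label/value pairs). Every user, host and address below is made up for this example.
_TEMPLATE = (
    "An account failed to log on.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n\n"
    "Logon Type:\t\t\t3\n\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t{user}\n"
    "\tAccount Domain:\t\t\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n"
    "\tSub Status:\t\t{sub_status}\n\n"
    "Network Information:\n"
    "\tWorkstation Name:\t{workstation}\n"
    "\tSource Network Address:\t{source_ip}\n"
    "\tSource Port:\t\t-\n\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n"
)


def make_event(user, workstation, source_ip="-", sub_status="0xC0000064"):
    """Build one constructed 4625 message (test data, not a real log record)."""
    return _TEMPLATE.format(user=user, workstation=workstation,
                            source_ip=source_ip, sub_status=sub_status)


# Well-known NTSTATUS sub-status values that appear in 4625 events.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "correct user name but wrong password",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC000006F": "logon outside permitted hours",
    "0xC0000070": "logon from unauthorized workstation",
    "0xC0000193": "account expired",
    "0xC0000071": "password expired",
}


def describe_sub_status(code):
    return SUB_STATUS.get(code, "unrecognized sub status")


def _field(text, label, last=False):
    # Values are assumed non-empty ("-" is the placeholder Windows writes), so
    # \s* may safely cross a newline when the message has been reflowed.
    matches = re.findall(re.escape(label) + r":\s*(\S+)", text)
    if not matches:
        return None
    return matches[-1] if last else matches[0]


def parse_4625(text):
    """Pull the fields that matter for triage out of one 4625 message body."""
    return {
        # "Account Name" occurs twice; the second is the account that failed.
        "target_user": _field(text, "Account Name", last=True),
        "logon_type": _field(text, "Logon Type"),
        "sub_status": _field(text, "Sub Status"),
        "workstation": _field(text, "Workstation Name"),
        "source_ip": _field(text, "Source Network Address"),
        "auth_package": _field(text, "Authentication Package"),
    }


def find_username_spray(event_texts, min_distinct_users=5):
    """Group network-logon failures by client workstation name and flag the
    ones that tried at least min_distinct_users different account names."""
    by_ws = defaultdict(lambda: {"users": set(), "sources": set(),
                                 "no_such_user": 0, "total": 0})
    for text in event_texts:
        ev = parse_4625(text)
        if ev["logon_type"] != "3":      # the post concerns network logons only
            continue
        bucket = by_ws[ev["workstation"]]
        bucket["users"].add(ev["target_user"])
        bucket["sources"].add(ev["source_ip"])
        bucket["total"] += 1
        if ev["sub_status"] == "0xC0000064":
            bucket["no_such_user"] += 1
    flagged = {}
    for ws, b in by_ws.items():
        if len(b["users"]) >= min_distinct_users:
            flagged[ws] = {"distinct_users": len(b["users"]),
                           "users": sorted(b["users"]),
                           "sources": sorted(b["sources"]),
                           "no_such_user": b["no_such_user"],
                           "total": b["total"]}
    return flagged


# Constructed sample: one host cycling through names that do not exist, and one
# legitimate user mistyping a password twice from a known internal address.
SAMPLE_EVENTS = [
    make_event(u, "WindowsMachine")
    for u in ("admin", "user1", "print1", "visitor", "scanner", "backup")
] + [
    make_event("jsmith", "HR-LAPTOP07", "10.0.0.23", "0xC000006A"),
    make_event("jsmith", "HR-LAPTOP07", "10.0.0.23", "0xC000006A"),
]

if __name__ == "__main__":
    for ws, info in find_username_spray(SAMPLE_EVENTS).items():
        print(f"{ws}: {info['total']} failures, {info['distinct_users']} distinct names, "
              f"{info['no_such_user']} with '{describe_sub_status('0xC0000064')}', "
              f"sources={info['sources']}")
```

Two caveats for interpreting the result. Sub status 0xC0000064 means the account name was not found at all, which is why a run of them across unrelated names points at guessing rather than a misconfigured service. And in an NTLM network logon the Workstation Name is supplied by the client and is not authenticated, while Source Network Address shows "-" here, so the name alone cannot attribute the traffic; the firewall or switch logs for the same time window are needed to find the real source.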