someone brute force attacking my computer or what? windows xp evt loaded with hundreds of error 680

  • Question

  • Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon 
    Event ID: 680
    Date: 8/13/2013
    Time: 5:40:53 PM
    User: NT AUTHORITY\SYSTEM
    Computer: Digningrmcmp
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Logon account:  support
     Source Workstation: Digningrmcmp
     Error Code: 0xC0000064


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Microsoft writes that this is not important. However, I'm worried, as the "logon account" keeps on changing as if someone is trying to fish for a username. Is this what it seems to be? Someone attempting to brute force my computer, or what? I have hundreds of these logon attempts.

    Below is just a small sample of "logon account" names.

    John, administrator, Administrator, owner, a, sql, david, support_388945a0, backup, root,

    Wednesday, August 14, 2013 2:32 AM

All replies

  • You can ignore it:

    The account does not exist: 0xC0000064

     http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=680&EvtSrc=Security


    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, August 14, 2013 7:34 AM
    Moderator
  • You can ignore it:

    The account does not exist: 0xC0000064

     http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=680&EvtSrc=Security



    I disagree. If it were a single user name, then maybe. But the OP writes that the attempted user name has changed multiple times. It does sound to me like an attempt at a brute force hack.
    Wednesday, August 14, 2013 2:12 PM
  • Then the OP needs to check the error code for some sampled events. Referring to the above event, this can be ignored.


    Saturday, August 17, 2013 3:04 PM
    Moderator
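    The replies above split on whether hundreds of 0xC0000064 failures are noise or a guessing attack, and the deciding detail is the one the second reply raises: one unknown name is a typo or stale credential, while one source rotating through many names is enumeration. Below is an added example, not code from this thread or from Microsoft, that parses 680 records in the layout shown in the question, decodes the NTSTATUS error code, and flags a source workstation that tries many distinct account names inside a short window. The second workstation WKS-ALICE, the account alice, the thresholds and all timestamps are constructed sample data; the error codes other than 0xC0000064 are standard NTSTATUS values that do not appear in the thread.

```python
"""Triage Windows XP Security event 680 failures for account enumeration.

Added example for this thread, not code posted in it. Parses 680 records in
the Event Viewer layout from the question, decodes the error code, and flags
a source workstation that tries many distinct account names in a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values event 680 reports. 0xC0000064 is the code in the thread; the
# others are the standard codes for neighbouring failure reasons.
ERROR_CODES = {
    0xC0000064: "STATUS_NO_SUCH_USER (account does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (existing account, bad password)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One 680 record: anchored on the Event ID/Date/Time lines, then lazy DOTALL
# spans to the fields in the description that matter for triage.
RECORD_RE = re.compile(
    r"Event ID:\s*680\s+Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)"
    r".*?Logon account:\s*(?P<account>\S+)"
    r".*?Source Workstation:\s*(?P<src>\S+)"
    r".*?Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)",
    re.DOTALL,
)


def parse_events(text):
    """Return (timestamp, account, source, code) tuples, sorted by time."""
    events = []
    for m in RECORD_RE.finditer(text):
        when = datetime.strptime(f"{m['date']} {' '.join(m['time'].split())}",
                                 "%m/%d/%Y %I:%M:%S %p")
        # Windows account names are case-insensitive: "administrator" and
        # "Administrator" are the same guess, so fold them together.
        events.append((when, m["account"].lower(), m["src"], int(m["code"], 16)))
    events.sort()
    return events


def _max_distinct_in_window(evs, window):
    """Most distinct accounts one source tried inside any span of `window`.
    evs must be sorted by time; two-pointer sweep with a live-name counter."""
    live = Counter()
    lo = best = 0
    for t, acct, _, _ in evs:
        live[acct] += 1
        while evs[lo][0] < t - window:
            live[evs[lo][1]] -= 1
            if live[evs[lo][1]] == 0:
                del live[evs[lo][1]]
            lo += 1
        best = max(best, len(live))
    return best


def triage(text, window=timedelta(minutes=5), threshold=5):
    """Per source workstation: counts, decoded codes and a verdict.
    `window` and `threshold` are assumed tuning values, not from the thread."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[2]].append(ev)
    report = {}
    for src, evs in by_src.items():
        codes = Counter(ERROR_CODES.get(c, f"unknown NTSTATUS 0x{c:08X}")
                        for _, _, _, c in evs)
        distinct = len({a for _, a, _, _ in evs})
        peak = _max_distinct_in_window(evs, window)
        if peak >= threshold:
            verdict = "account enumeration / brute force"
        elif distinct == 1:
            verdict = "single account, likely stale credential or typo"
        else:
            verdict = "review"
        report[src] = {"events": len(evs), "distinct_accounts": distinct,
                       "peak_distinct_in_window": peak, "codes": dict(codes),
                       "verdict": verdict}
    return report


def _event_text(date, time, account, src, code):
    """Render one constructed 680 record in the Event Viewer layout."""
    return ("Event Type: Failure Audit\nEvent Source: Security\n"
            "Event Category: Account Logon\nEvent ID: 680\n"
            f"Date: {date}\nTime: {time}\nUser: NT AUTHORITY\\SYSTEM\n"
            f"Computer: {src}\nDescription:\n"
            "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f" Logon account:  {account}\n Source Workstation: {src}\n"
            f" Error Code: {code}\n\n")


# Constructed sample log: the question's machine cycling through the names it
# lists, plus a hypothetical workstation retrying one real account badly.
SAMPLE_LOG = "".join(
    [_event_text("8/13/2013", f"5:41:{10 + i:02d} PM", name, "Digningrmcmp", "0xC0000064")
     for i, name in enumerate(["support", "John", "administrator", "Administrator",
                               "owner", "a", "sql", "david", "root"])]
    + [_event_text("8/13/2013", f"9:1{i}:00 AM", "alice", "WKS-ALICE", "0xC000006A")
       for i in range(3)]
)

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```

    Feed it the text of a saved or exported Security log rather than the constructed sample; anything with eight different names in eight seconds from one workstation is flagged, whereas the same volume of failures against one existing account with 0xC000006A is the pattern a forgotten password or stale mapped drive produces.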
  • Although I am not seeing the same errors in our logs, I am also seeing the brute force attempt with the accounts you specified. I don't believe it's the Morto worm as specified by several vendors; it carries the same characteristics. (Google Morto Worm)

    Based on the notion that it is now public information, I believe the C&C servers have changed their IPs and scripted the same backdoors to other malicious sites, but are still using the same RATs and TTTs for this attack campaign.

    Our team is constantly monitoring this activity, and we noticed that much of the activity is coming from outside the US. I focused on a report provided by Mandiant, which describes a recent discovery of APT threats, and I believe we, in addition to many others, are experiencing this level of a threat. (Google Mandiant APT1)

    Any attempt to block IPs will only direct the infected machines to hit another website, usually part of the C&C environment. To my knowledge, malicious sites under C&C are using base64 code embedded within HTML tags to send commands to the infected machines. Once a machine is infected, it will move laterally within your network and search for mission critical systems. I would advise you to begin searching your logs for external 80 traffic to regions outside the US, and possibly internally. I believe any attempt to disable these accounts will only trigger the APT to re-initialize them. How this is being done is still under investigation.

    I hope this helps

    Regards,

    z3120nu11

    Thursday, August 22, 2013 9:55 PM
  • Agree. Never figured out this one. Microsoft writes to just ignore this. (Sounds naive.)
    Thursday, August 29, 2013 3:15 AM
  • Please mark this question as answered if you don't require any inputs now.


    Thursday, August 29, 2013 5:16 AM
    Moderator