Thousands of failed login 4625 events, corresponding with 1003 events from Security-SSP

  • Question

  • I've got a server running Server 2012 R2, it's got a few services and such, but lately there have been thousands of failed logins; they seem to happen every 30 minutes and there are about 10 or so at a time. I checked the application logs and there seem to be corresponding events from Security-SSP at the same times, event ID 1003, as well as a few different ones at random times. These are the details for the 4625 events:

    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:        SERVER$
        Account Domain:        MYSERVER
        Logon ID:        0x3E7

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        
        Account Domain:        

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xC000006D
        Sub Status:        0xC0000064

    Process Information:
        Caller Process ID:    0x2c4
        Caller Process Name:    C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name:    SERVER
        Source Network Address:    -
        Source Port:        -

    Detailed Authentication Information:
        Logon Process:        Schannel
        Authentication Package:    Kerberos
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    - System
    - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 4625
    Version 0
    Level 0
    Task 12544
    Opcode 0
    Keywords 0x8010000000000000
    - TimeCreated
    [ SystemTime] 2014-10-08T15:39:27.023566500Z
    EventRecordID 555922
    Correlation
    - Execution
    [ ProcessID] 708
    [ ThreadID] 11356
    Channel Security
    Computer Server.MYSERVER.local
    Security
    - EventData
    SubjectUserSid S-1-5-18
    SubjectUserName SERVER$
    SubjectDomainName MYSERVER
    SubjectLogonId 0x3e7
    TargetUserSid S-1-0-0
    TargetUserName
    TargetDomainName
    Status 0xc000006d
    FailureReason %%2313
    SubStatus 0xc0000064
    LogonType 3
    LogonProcessName Schannel
    AuthenticationPackageName Kerberos
    WorkstationName SERVER
    TransmittedServices -
    LmPackageName -
    KeyLength 0
    ProcessId 0x2c4
    ProcessName C:\Windows\System32\lsass.exe
    IpAddress -
    IpPort -

    And the 1003 events:

    - System
    - Provider
    [ Name] Microsoft-Windows-Security-SPP
    [ Guid] {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
    [ EventSourceName] Software Protection Platform Service
    - EventID 1003
    [ Qualifiers] 16384
    Version 0
    Level 4
    Task 0
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2014-10-08T11:09:21.000000000Z
    EventRecordID 7230
    Correlation
    - Execution
    [ ProcessID] 0
    [ ThreadID] 0
    Channel Application
    Computer Server.MYSERVER.local
    Security
    - EventData
    55c92734-d682-4d71-983e-d6ec3f16059f

    1: e96022a1-3247-4125-9ddc-4c6068ab3bfc, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]

    There are also a few 900, 902, 903 events. Any ideas what is happening? Everything seems to be running fine.


    • Edited by Jdees Wednesday, October 8, 2014 4:01 PM
    Wednesday, October 8, 2014 3:52 PM
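
A triage sketch for the pattern described in the question, added here as an example and not part of the original post: it decodes the Status, SubStatus and LogonType fields of the 4625 event and checks whether bursts of failures fall close in time to 1003 events. The function names, the 5-minute and 2-minute windows and the timestamps are assumptions constructed for illustration; only the EventData lines come from the post.

```python
from datetime import datetime, timedelta

# NTSTATUS codes and logon types as documented by Microsoft.
NTSTATUS = {"0xc000006d": "STATUS_LOGON_FAILURE", "0xc0000064": "STATUS_NO_SUCH_USER"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
# Subset of the EventData lines from the 4625 event in the post.
SAMPLE_4625 = """TargetUserName
Status 0xc000006d
SubStatus 0xc0000064
LogonType 3
LogonProcessName Schannel
IpAddress -"""
# Constructed timestamps (not from the post): 4625 failures and 1003 events.
FAILS = [datetime(2014, 10, 8, 15, m, s) for m, s in [(9, 27), (9, 28), (39, 27), (52, 0)]]
SPP = [datetime(2014, 10, 8, 15, m, 21) for m in (9, 39)]

def parse_event_data(text):
    """Turn 'Name value' lines into a dict; a bare name maps to ''."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields

def describe(fields):
    """Decode what failed and whether a remote source address was recorded."""
    return {"status": NTSTATUS.get(fields["Status"].lower(), fields["Status"]),
            "sub_status": NTSTATUS.get(fields["SubStatus"].lower(), fields["SubStatus"]),
            "logon_type": LOGON_TYPES.get(fields["LogonType"], fields["LogonType"]),
            "remote_source": fields.get("IpAddress", "-") not in ("-", ""),
            "empty_target": fields.get("TargetUserName", "") == ""}

def bursts(times, gap=timedelta(minutes=5)):
    """Group timestamps into bursts separated by more than `gap`."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][-1] <= gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups

def correlate(failures, others, window=timedelta(minutes=2)):
    """Return (burst_start, size, other_event_nearby) for each burst of failures."""
    return [(b[0], len(b), any(b[0] - window <= o <= b[-1] + window for o in others))
            for b in bursts(failures)]

if __name__ == "__main__":
    print(describe(parse_event_data(SAMPLE_4625)), correlate(FAILS, SPP))
```

Bursts that come back with `True` coincide with a 1003 event inside the window; a burst with `False` has no nearby 1003 event and needs a separate explanation.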
