Security Event Log Failure Audit 681

Mark

We have been getting hundreds of these Failure Audit logs on a daily
basis in our security event log for the past couple of weeks. They are
showing up on our Win 2000 SP4 application/database server. The user
is a current domain user but not a local user on the server. The
workstation, however, is not in our domain. What is bothering me is
that it is trying to log in from a machine that has the same name as a
current user. I have scanned for viruses and spyware on both the
server and the user's workstation, but came up empty on both searches.

The server is part of a 2000 domain and the user logs into an NT
domain. The user doesn't have a mapped drive to the server, but
accesses our main application that resides on the server on a daily
basis.

Below is an example of what we have been seeing.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2004
Time: 6:12:17 AM
User: NT AUTHORITY\SYSTEM
Computer: Server-1 <---(Application/DB server)
Description:
The logon to account: NICKH <---(current user)
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\NICKH <---(not a current workstation)
failed. The error code was: 3221225572

Thanks in advance for any advice,

Michele

Although I can't offer any advice on this, the same thing
started happening to me yesterday on our network. We are
running Windows 2000 Advanced Server SP4 and I noted
yesterday a little over 2,000 entries in the security log
in our event viewer on the server within a 20-30 minute
time period. The Event ID is 681 just as you reported
with a slightly different error code (I'm also getting
error code 529 in the event viewer logs).
However, the logon account/user name is the network
administrator name that I created when I set up the
server, but the domain and the workstation name are the
same names which ARE NOT names that I have used on the
network at any point in time. Today, I received a little
over 1,000 attempts with a different domain and
workstation name. The weird thing is that this is
happening around the same time - in the morning around 9
AM or so until 11 AM. The attempts are repeated and then
they stop.

I have Norton's Anti-virus installed and updated and it
has found no threats.

I have not found any reason that this is occurring at this
point, but it seems similar to what is happening with your
server.

If I come across a solution, I'll certainly post it here.
Does anyone else have any clue to what might be happening?

Steven Umbach

The error code indicates a bad user name as the reason for the logon failure,
which means that the user is trying to authenticate to the local SAM on the
server. I would try to rule the workstation of that user in or out. If you are
getting failed logon attempts while his computer is shut down, you will know it
is a different computer. If the logons stop when his computer is shut down, then
it may well be his computer, which you will need to investigate further, possibly
by putting a software firewall on it and then watching what process/application
is requesting access to your server.

If it is not his computer, it is going to be difficult to track down without
some sort of software firewall installed [the firewall can be disabled] for
logging to capture inbound traffic, or using something like Ethereal, which will
not require a reboot, and then correlating the failed logons with the capture
based on time. That will still give you only an IP address and a MAC address,
though that is a good start, as you can scan that IP address with something like
SuperScan 4 using Windows enumeration to try to find out information like the
operating system, services, shares, and local users on that computer. Of course,
with Ethereal you can have thousands of lines in a couple of minutes, though you
can configure filtering to narrow the traffic captured. The other option is to
track it down to what switch and switch port the computer is on. --- Steve
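The triage Steve describes (decode the error code in Mark's 681 record, rule a workstation in or out, and line failed logons up against a packet capture by time) is easy to script once the events are in text form. The following is an added example, not code from either poster: it assumes a plain-text export of the Security log in the layout Mark quoted, a simplified capture summary of (time, source IP, destination IP, destination port) rather than real Ethereal output, a two-second matching window, and constructed sample records (the NICKH failures, plus an administrator-guessing burst in the pattern Michele reports). The NTSTATUS table is the standard decimal-to-name mapping; 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which is why Steve reads it as a bad user name against the local SAM.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# NTSTATUS codes as Windows writes them (in decimal) in the 681 description.
# 3221225572 == 0xC0000064 == STATUS_NO_SUCH_USER, the code in Mark's event.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER (bad user name)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Matches one record in the text layout quoted in the original post.
EVENT_RE = re.compile(
    r"Event ID:\s*(?P<id>\d+)\s*Date:\s*(?P<date>\S+)\s*Time:\s*(?P<time>\d+:\d+:\d+ [AP]M)"
    r".*?The logon to account:\s*(?P<account>\S+)"
    r".*?from workstation:\s*\\\\(?P<ws>\S+)\s*failed\. The error code was:\s*(?P<code>\d+)",
    re.S,
)

def parse_when(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")

def decode_status(code: int) -> str:
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")

def parse_events(text: str) -> list:
    """One dict per Event ID 681 record found in a text export of the Security log."""
    events = []
    for m in EVENT_RE.finditer(text):
        if m.group("id") != "681":
            continue
        code = int(m.group("code"))
        events.append({"when": parse_when(m.group("date"), m.group("time")),
                       "account": m.group("account"), "workstation": m.group("ws"),
                       "code": code, "status": decode_status(code)})
    return events

def summarize(events) -> Counter:
    """Failure count per (account, claimed workstation, decoded status)."""
    return Counter((e["account"], e["workstation"], e["status"]) for e in events)

def bursts(events, gap_seconds=60) -> list:
    """Group events into bursts separated by more than gap_seconds of silence.
    Returns [(first_time, last_time, count), ...]; shows the 'starts, repeats, stops' shape."""
    out = []
    for e in sorted(events, key=lambda e: e["when"]):
        if out and (e["when"] - out[-1][1]).total_seconds() <= gap_seconds:
            first, _, n = out[-1]
            out[-1] = (first, e["when"], n + 1)
        else:
            out.append((e["when"], e["when"], 1))
    return out

def correlate(events, packets, window_seconds=2) -> list:
    """For each event, the source IPs that hit an SMB port within the time window.
    packets: iterable of (datetime, src_ip, dst_ip, dst_port); the workstation name in
    the event is client-supplied, so the capture is what ties it to a real host."""
    window = timedelta(seconds=window_seconds)
    result = []
    for e in events:
        srcs = sorted({src for when, src, _dst, port in packets
                       if port in SMB_PORTS and abs(when - e["when"]) <= window})
        result.append((e["account"], e["workstation"], e["when"], srcs))
    return result

# Constructed sample data (assumption, not taken from the thread).
EVENT_TEMPLATE = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2004
Time: {time}
User: NT AUTHORITY\SYSTEM
Computer: Server-1
Description:
The logon to account: {account}
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\{ws}
failed. The error code was: {code}
"""
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(time=t, account=a, ws=w, code=c) for t, a, w, c in [
    ("6:12:17 AM", "NICKH", "NICKH", 3221225572),
    ("6:12:19 AM", "NICKH", "NICKH", 3221225572),
    ("9:03:40 AM", "ADMINISTRATOR", "UNKNOWN1", 3221225578),
    ("9:03:41 AM", "ADMINISTRATOR", "UNKNOWN1", 3221225578),
])
SAMPLE_PACKETS = [  # (time, src, dst, dst_port); 203.0.113.9 stands in for an outside host
    (parse_when("6/11/2004", "6:12:17 AM"), "192.168.1.55", "192.168.1.10", 445),
    (parse_when("6/11/2004", "6:12:18 AM"), "192.168.1.20", "192.168.1.10", 80),
    (parse_when("6/11/2004", "6:12:19 AM"), "192.168.1.55", "192.168.1.10", 445),
    (parse_when("6/11/2004", "9:03:40 AM"), "203.0.113.9", "192.168.1.10", 139),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in summarize(evs).items():
        print(n, key)
    for first, last, n in bursts(evs):
        print(f"burst {first:%H:%M:%S}-{last:%H:%M:%S}: {n} failures")
    for account, ws, when, srcs in correlate(evs, SAMPLE_PACKETS):
        print(f"{when:%H:%M:%S} {account} from \\\\{ws}: SMB sources {srcs or 'none'}")
```

The capture side matters because the "from workstation" name in a 681 is whatever the client put in the SMB session setup; a source IP and MAC from the capture are the first facts about the sender that the sender did not choose. A burst whose source is a host on the internal subnet points back at a misconfigured machine or a cached credential; one from an outside address during a regular daily window points at the firewall, as Steve's second reply suggests.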

Steven Umbach

That sounds like a hack attempt on the administrator account using computers
from possibly the internet. I would check your firewall configuration to make
sure it is correct. The best way is to try and scan your network from the
outside. Another alternative is to try a self-scan site such as
http://scan.sygatetech.com/ . You should have file and print sharing disabled on
any network adapter connected directly to the internet. Looking in your firewall
logs for traffic at the time of the failed logons may help in determining if a
hack is coming from the internet and what ports are used. Of course you want
your firewall device and server times right in sync. --- Steve