Getting Pounded by failed logon attempts

Discussion in 'Security Software' started by BrianKH, Jan 26, 2005.

  1. BrianKH

    BrianKH Guest

    I am getting hundreds of failed logon attempts from device names that don't
    seem to exist either in DNS or WINS. Here on of the event viewer error

    Event Type: Audit Failure
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 1/26/2005
    Time: 7:22:29 AM
    User: SYSTEM
    Computer: COM1
    Logon account: uucp
    Source Workstation: \\ENDO
    Error Code: 0xC0000064


    How can I find the source IP of these?


    BrianKH, Jan 26, 2005
    1. Advertisements

  2. BrianKH

    Mark Gamache Guest

    I assume the host you are seeing this on is connected directly to the
    internet. These attempts will never stop and you are likely to never find
    the culprit. You can get their IP address by using a sniffer such as
    Ethereal to watch the traffic.

    In the end, you need to take preventative measures such as a firewall.


    Mark G
    Mark Gamache, Jan 26, 2005
    1. Advertisements

  3. Failed? Then everything is working like it should. It is the ones that
    don't fail that you have to worry about.
    Phillip Windell, Jan 26, 2005
  4. BrianKH

    BrianKH Guest

    Thanks for the responce. But no this device is not directly connected to the
    internet and is behind a firewall. I have connected a sniffer to the port
    the server is on but the volume of data is very large and I don't know what
    to really look for. I also connected snort to that port and got a few SMB
    errors but nothing that I could attibute to the volume of logon failure that
    we were experiencing. Which by the way have now stopped for no apparent


    BrianKH, Jan 27, 2005
  5. BrianKH

    BrianKH Guest

    True. But if I continue to let whoever it is just hack at our systems
    eventually they will find a way in don't you think?


    BrianKH, Jan 27, 2005
  6. No, they usually give up and go somewhere else. They are typically lazy,
    they aren't going to waste a bunch of time on you unless they actually know
    you, and already know what you have, and already know that there is
    something to gain by it.

    I'm not convinced it is a "hacker" to begin with. I think it is something on
    the machine itself and is not comming from anywhere else,...but I can't
    prove it. If it keeps up get MS Support on the phone,...they can sort that
    out better than any one else can,..they are the only ones that really have
    the resources to sort out something that "cryptic".
    Phillip Windell, Jan 27, 2005
  7. BrianKH

    BrianKH Guest

    That is probably good advice. Although the event log messages have now
    dissapeared as of about 5:00 PM yesterday and have nort started up again.
    Maybe whoever or whatever is was gave up, as you said they would.


    BrianKH, Jan 27, 2005
  8. If these failed logons are coming directly from the internet, check your
    firewall logs for activity from a common source IP address at the times that
    these failed logons are being recorded. You want your firewall time in synch
    with your domain time for this to work well. I would also check your
    firewall from outside the network by doing your own port scan against it or
    use one of the self scan sites such as .

    There is also the possibility that you have a compromised computer on your
    domain that is launching the attacks automatically or controlled remotely.
    Such a compromise could bypass your firewall depending on how you have
    outbound rules configured. You could enable netlogon logging temporarily and
    view the log for failed network transitive logon [ returns 0xC0000064 ] to
    trace back to the computer causing the failed logons to see if it is a
    computer or computers on then lan. If it is you would want to check those
    computers for malware, including root kits that are very hard to detect
    though you can use tools such as Pslist from SysInternals to compare
    enumerated process shown locally to that which are found from remotely
    scanning the problem computer. Ultimately it is best to flatten and
    reinstall such a compromised computer but it is always good to try and
    figure out what you are up against to help plan to eliminate a
    vulnerability. The link below may help which shows how to enable netlogon
    logging and interpret results.. --- Steve
    Steven L Umbach, Jan 27, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.