Tyler, Grayling wrote:
When a user attempts to log on at a workstation with a bad password, the
DC records event ID 675 (pre-authentication failed) with Failure Code 24
(0x18 hex). By reviewing each of your DC Security logs for this event
and failure code, you can track every domain logon attempt that failed
as a result of a bad password. The IP address in the event log reflects
the system from which the logon attempt originated (since yours has
127.0.0.1 I assume you changed the real IP before sending the question
in to the list(which would be a smart thing to do).
-----Original Message-----
From: rs [mailto:rsmade@gmail.com]
Sent: Monday, April 17, 2006 4:49 PM
To: security-basics@securityfocus.com
Subject: Failure Audit for Event id 675
I am receiving a ton of Event 675 Failure Audits on my DC. Windows 2003
Mixed mode Domain and this is the pdc emulator. The bulk of these are
arriving as follows:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 4/17/2006
Time: 4:38:56 PM
User: NT AUTHORITY\SYSTEM
Computer: DC01
Description:
Pre-authentication failed:
User Name: Admin
User ID: OURDOMAIN\Admin
Service Name: krbtgt/OURDOMAIN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
I can't identify any process using this account on the DC. A reboot did
not solve the issue. A lot of searching on the we has pointed to time
issues dealing with kerberos but that does not seem to be it. The
strange part is the client address being 127.0.0.1. Could this just be a
virus out on our network reporting 127.0.0.1 as its source during
authentication attempts? Has anyone seen anything like this?
------------------------------------------------------------------------
-
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--
**************************************************************************
This electronic message may contain confidential or privileged information
and is intended for the individual or entity named above. If you are
not the intended recipient, be aware that any disclosure, copying,
distribution or use of the contents of this information is prohibited.
If you have received this electronic transmission in error, please notify
the sender immediately by using the e-mail address or by telephone
(704-633-8250).
**************************************************************************
No, 127.0.01 was the actual source IP recorded for the event which is
part of the reason this is not making sense.
-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
