I have a Windows Server 2012 R2 Azure virtual instance and a few ports are open on it, i.e. (80, 443, RDC). I have observed the below logs in the Windows Event Viewer in the Security section.

Event 4625: Microsoft Windows security auditing

-------log description start
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ALLISON
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

-------log description end

The logs are continuously being generated in Event Viewer (3-4 requests per second) and the account name always changes, as mentioned below.

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ATCNSBAYFG
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SUPPORT
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SUPPORT
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: HAYLEY
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TEST5
and more...

What I have tried:

1. Disabled all the open ports from the Azure portal, even RDC.
2. Disabled the Windows Essentials services.
3. Disabled the Alert Evaluations task from the Windows scheduler.

But the logs are still being generated in Event Viewer. Is this Windows being attacked or something else? And how to prevent this?
Updated 14-Apr-17 1:07am

Looks like a script that tries username/password combinations to log in.
There is not much information besides that it is remote (type field == 3) and the user does not exist (0xC0000064). Unfortunately there is no source IP address logged. If so it could be verified that it is probably from a hacked server or an infected home PC with a dial-up IP.

To know the origin of the attempts you have to install a network sniffer or monitor and find the packets using the time stamps and the packet types.

There is nothing you can do against such attempts besides restricting connections / remote logins using white lists (list of IPs or ranges that are allowed to connect / login).

While it may be annoying that the logs are flooded, logging should not be disabled.
Comments
swapnilsonawane123 15-Mar-18 3:32am    
While investigating the issue, I got those IP addresses from where the requests are coming. All the IP locations are from China and it varies every time. I had posted the same problem on the MS Azure portal but am not getting the expected answer. I did IP whitelisting for specific IPs but the issue still remains. Thanks for the reply.
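To see what the answer above describes (which account names are being tried, how fast, and whether the source address is recorded at all), here is an added PowerShell script that is not part of the original post. It assumes it is run elevated on the affected server; the -Hours and -Threshold parameters are my own.

```powershell
# Added example: summarise Security event 4625 (failed logons) on the local server.
# Reads the named EventData fields from the event XML rather than the message text.
param(
    [int]$Hours = 1,       # assumed parameter: how far back to look
    [int]$Threshold = 20   # assumed parameter: failures per source/account pair that count as a burst
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { "No 4625 events since $since"; return }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # NTLM attempts like the one in the question often log IpAddress as '-'.
    $ip = $d['IpAddress']
    if (-not $ip -or $ip -eq '-') { $ip = '(not logged)' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $ip
        LogonType = $d['LogonType']                 # 3 = network
        SubStatus = $d['SubStatus']                 # 0xC0000064 = no such user, 0xC000006A = bad password
        Package   = $d['AuthenticationPackageName'] # NTLM in the posted log
    }
}

"Total 4625 events in the last $Hours h: $($rows.Count)"
"Rate: {0:N1} per minute" -f ($rows.Count / ($Hours * 60))

"`nTop source addresses:"
$rows | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

"`nTop attempted account names:"
$rows | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

"`nSubStatus breakdown (unknown user vs. bad password):"
$rows | Group-Object SubStatus | Select-Object Count, Name

"`nSource/account pairs at or above $Threshold failures:"
$rows | Group-Object Source, Account | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A high share of SubStatus 0xC0000064 against names that do not exist on the box is the guessing pattern the answer describes; if most sources show as "(not logged)", the address has to come from a network capture or firewall log, as the answer says, before any allow-list can be built.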
Based on my research, I would suggest you follow the links below.

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

https://technet.microsoft.com/en-us/library/bb463166.aspx

https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Hope it helps

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)