Blank Username, Blank Source Machine
Posted 1/13/2011 4:17:26 PM
Forum Newbie


Group: Forum Members
Last Login: 1/13/2011 3:52:00 PM
Posts: 1, Visits: 0
Good afternoon.

I have been trying to identify what the cause is for some odd activity on my network that happened a while back.

9/25/2010 4:39:16PM 4 Logon Failure "" used for logon from "" MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Username does not exist 1

DomainControllerName Security 680

Over the course of a week, I saw literally thousands of login failures in a domain controller log for a blank username from a blank source machine. Review of network traffic failed to identify a source IP for any authentication traffic that even came close to the volume of these failures. Rebooting the DC caused the activity to move to another DC, and again review of network logs for that DC could not identify a source.

If it were a brute force attack, I would have expected to see SOMETHING listed as a username.

Any thoughts?

Post #549
Posted 2/10/2011 10:11:37 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I don't think you are dealing with an attack. Sounds like some errant process. I regularly see weird "noise" like this in clients' logs. Rule of thumb to save your sanity: get comfortable with not being able to explain/justify every event in the security log.
Post #584
Posted 8/15/2011 9:59:21 AM
Forum Newbie


Group: Forum Members
Last Login: 3/31/2011 3:03:19 AM
Posts: 1, Visits: 0
Hi,
I have the same problem.

We have a proxy appliance which serves a lot of users. The proxy takes user authentications from Active Directory.

Randomly, in the AD security logs I see some failed account logons with event ID 680 with a blank username, and the source machine is the proxy. The error code is 0xC0000064. The event count is about 1 million/hour. After a proxy reboot, the problem is solved (temporarily).

On the proxy I did not see any abnormality, only the CPU and connection times grow.

The IDS report comes with these vulnerabilities:
-OpenSSL SSL/TLS Malformed Handshake DoS
-OpenSSL Multiple Denial of Service Vulnerabilities
I checked the proxy OpenSSL versions, but it is up to date.

Could the proxy appliance be wrong?


regards
Post #787
Posted 10/10/2011 5:36:43 AM
Genius


Group: Forum Members
Last Login: 12/22/2011 4:55:21 PM
Posts: 12, Visits: 3
Hi,

Use this command "nltest /dbflag:0x2080ffff" to enable netlogon debug logging. In the log file netlogon.log you can see what the source machine of these events is.

This is the kbase article on enabling the netlogon log: http://support.microsoft.com/kb/109626


Regards

Post #813
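An added example, not from the thread, for the follow-up step to the nltest suggestion above: once netlogon.log has been collected from the DC, this script counts the 0xC0000064 (user does not exist) failures that carry an empty account name and keys them by the source machine the DC recorded. The `SamLogon ... Returns` line format and the sample lines are constructed assumptions modelled on netlogon.log entries; check the regex against your own log before trusting the counts.

```python
import re
from collections import Counter

# Constructed sample lines modelled on netlogon.log SamLogon entries.
# The exact format is an assumption; verify against a real netlogon.log.
SAMPLE_NETLOGON_LOG = """\
09/25 16:39:16 [LOGON] CORP: SamLogon: Network logon of CORP\\ from PROXY01 Entered
09/25 16:39:16 [LOGON] CORP: SamLogon: Network logon of CORP\\ from PROXY01 Returns 0xC0000064
09/25 16:39:17 [LOGON] CORP: SamLogon: Network logon of CORP\\jsmith from WS042 Entered
09/25 16:39:17 [LOGON] CORP: SamLogon: Network logon of CORP\\jsmith from WS042 Returns 0x0
09/25 16:39:18 [LOGON] CORP: SamLogon: Network logon of CORP\\ from PROXY01 Returns 0xC0000064
09/25 16:39:19 [LOGON] CORP: SamLogon: Network logon of CORP\\bob from WS007 Returns 0xC000006A
09/25 16:39:20 [LOGON] CORP: SamLogon: Network logon of CORP\\ from APP02 Returns 0xC0000064
"""

STATUS_NO_SUCH_USER = "0xC0000064"  # error code quoted in the thread

# Only the "Returns <status>" line carries the outcome; "Entered" lines are ignored.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] "
    r"(?P<domain>\S+): SamLogon: (?P<kind>.+?) logon of (?P<account>\S*) "
    r"from (?P<source>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def blank_user_failures_by_source(log_text, status=STATUS_NO_SUCH_USER):
    """Count failed logons whose account name is empty, keyed by source machine."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status").lower() != status.lower():
            continue
        # A blank username shows up as DOMAIN\ with nothing after the backslash.
        user = m.group("account").split("\\", 1)[-1]
        if user == "":
            counts[m.group("source")] += 1
    return counts


def noisiest_source(counts):
    """Return (machine, count) for the source generating the most blank-user failures."""
    return counts.most_common(1)[0] if counts else (None, 0)


if __name__ == "__main__":
    by_source = blank_user_failures_by_source(SAMPLE_NETLOGON_LOG)
    for machine, n in by_source.most_common():
        print(f"{machine}: {n} blank-username failures with {STATUS_NO_SUCH_USER}")
```

Run it against the real file with `open(r"C:\Windows\debug\netlogon.log").read()` in place of the sample; the top entry is the machine to investigate (in the second poster's case, the proxy appliance).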