Security Basics mailing list archives
Re: Failure Audit for Event id 675
From: ilaiy <ilaiy.e () gmail com>
Date: Thu, 20 Apr 2006 15:37:59 -0500
DC would be the domain controller .. ./thanks ilaiy On 4/19/06, Dana Hudnall <danahudnall () hotmail com> wrote:
I hate to sound dumb (but I usually do anyway) but what does DC stand for? Is that an auditing tool? Dana DANA HUDNALL ----- Original Message ----- From: "rs" <rsmade () gmail com> To: "Tyler, Grayling" <ggtyler () foodlion com> Cc: <security-basics () securityfocus com> Sent: Wednesday, April 19, 2006 12:07 PM Subject: Re: Failure Audit for Event id 675Tyler, Grayling wrote:When a user attempts to log on at a workstation with a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24 (0x18 hex). By reviewing each of your DC Security logs for this event and failure code, you can track every domain logon attempt that failed as a result of a bad password. The IP address in the event log reflects the system from which the logon attempt originated (since yours has 127.0.0.1 I assume you changed the real IP before sending the question in to the list(which would be a smart thing to do). -----Original Message----- From: rs [mailto:rsmade () gmail com] Sent: Monday, April 17, 2006 4:49 PM To: security-basics () securityfocus com Subject: Failure Audit for Event id 675 I am receiving a ton of Event 675 Failure Audits on my DC. Windows 2003 Mixed mode Domain and this is the pdc emulator. The bulk of these are arriving as follows: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 4/17/2006 Time: 4:38:56 PM User: NT AUTHORITY\SYSTEM Computer: DC01 Description: Pre-authentication failed: User Name: Admin User ID: OURDOMAIN\Admin Service Name: krbtgt/OURDOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1 I can't identify any process using this account on the DC. A reboot did not solve the issue. A lot of searching on the we has pointed to time issues dealing with kerberos but that does not seem to be it. The strange part is the client address being 127.0.0.1. Could this just be a virus out on our network reporting 127.0.0.1 as its source during authentication attempts? Has anyone seen anything like this? ------------------------------------------------------------------------ - This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php ------------------------------------------------------------------------ -- ************************************************************************** This electronic message may contain confidential or privileged information and is intended for the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by using the e-mail address or by telephone (704-633-8250). **************************************************************************No, 127.0.01 was the actual source IP recorded for the event which is part of the reason this is not making sense. ------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Failure Audit for Event id 675 rs (Apr 18)
- <Possible follow-ups>
- RE: Failure Audit for Event id 675 Tyler, Grayling (Apr 18)
- Re: Failure Audit for Event id 675 rs (Apr 19)
- Re: Failure Audit for Event id 675 Dana Hudnall (Apr 20)
- Re: Failure Audit for Event id 675 ilaiy (Apr 21)
- Re: Failure Audit for Event id 675 Philippe De Ryck (Apr 21)
- Re: Failure Audit for Event id 675 rs (Apr 19)