
Event ID 4625 Audit failed Windows 2012 Server


Blodka
27-01-2017, 17:10
Hi all,

We have a dedicated web server from OVH and we have a lot of audit failures in the Security log (like every second or so). I implemented some web protection, which got rid of a few of them (Russian IPs and others); however, we still have a lot which are local, with the following usernames:

NOUSER / SvcCOPSSH
Administrator
Administrateur
Tactile
STAMNITZ
STAEDTLERTSA
USer1
Unvcwt
watcs
.....

All of them are unknown username or bad password:
0xC000006D
0xC0000064

and except NOUSER, which is Process: Advapi, package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, all the others are:
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxxxx with xxxxx = values previously mentioned
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: empty or localhost
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any clue on the matter?

Thanks in advance.

Regards.
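
A triage sketch for the flattened 4625 text quoted in the post above, added here as an example and not written by the poster: it keeps the two `Account Name` fields apart by section, decodes the sub-status, and counts events that carry no source address. The sample events, the `parse_events` and `triage` names, and the 203.0.113.7 address are constructed for illustration.

```python
from collections import Counter

# Documented NTSTATUS sub-status codes and logon types that appear in event 4625.
NTSTATUS = {0xC000006D: "bad user name or password",
            0xC0000064: "user name does not exist",
            0xC000006A: "user name exists, wrong password"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
# Constructed sample in the flattened layout shown in the post (not real log data).
TEMPLATE = """Subject:
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: {user}
Account Domain:
Failure Information:
Sub Status: {sub}
Network Information:
Source Network Address: {ip}
"""
ROWS = [("Administrator", "0xc000006a", "-"), ("Tactile", "0xc0000064", "-"),
        ("Tactile", "0xc0000064", "203.0.113.7")]
SAMPLE = "".join(TEMPLATE.format(user=u, sub=s, ip=i) for u, s, i in ROWS)

def parse_events(text):
    """Return one dict per event, keyed 'Section.Field' ('Logon Type' is top-level)."""
    events, section = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _, value = (part.strip() for part in line.partition(":"))
        if name in SECTIONS and not value:  # an empty 'Account Domain:' stays a field
            section = name
            if name == "Subject":           # every 4625 message opens with Subject
                events.append({})
        elif events:
            events[-1][name if name == "Logon Type" else f"{section}.{name}"] = value
    return events

def triage(events):
    """Count failures per target account and per reason, plus events with no source IP."""
    report = {"by_account": Counter(), "by_reason": Counter(), "no_source": 0}
    for ev in events:
        report["by_account"][ev.get("Account For Which Logon Failed.Account Name", "?")] += 1
        sub = int(ev.get("Failure Information.Sub Status", "0x0"), 16)
        ltype = LOGON_TYPES.get(int(ev.get("Logon Type", "0")), "other")
        report["by_reason"][(ltype, NTSTATUS.get(sub, hex(sub)))] += 1
        report["no_source"] += ev.get("Network Information.Source Network Address", "-") in ("", "-")
    return report
```

Calling `triage(parse_events(SAMPLE))` returns the per-account and per-reason counters; events counted under `no_source` cannot be attributed to a remote IP from the log entry alone.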