Failed Event ID 560 every 30 seconds
All,
Every 30 seconds we are receiving failed logins from a certain IP addresses on our network. The IP addresses are always the same. The events look like below:
Jan 20 08:54:34
dcint2
AgentDevice=WindowsLog
AgentLogFile=Security
Source=Security
Computer=DCINT2
User=
Domain=NT AUTHORITY
EventID=680
EventIDCode=680
EventType=16
EventCategory=
RecordNumber=1120442225
TimeGenerated=20110120085434.000000-360
TimeWritten=20110120085434.000000-360
Message=Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:<<USER NAME>>
Source Workstation:\\\\<<IP ADDRESS>>
Error Code:0xC000006A
We've run virus and malware scanners from two different vendors on these systems and they don't show as being infected.
The source operating systems are various versions of Windows ranging from Windows XP to 2008 Server.
Are these caused by cached login credentials? Mapped network drives? Services?
Any help as to where to look would be greatly appreciated.
Thanks!
Jeremy
January 20th, 2011 10:19am
Message=Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:<<USER NAME>>
Source Workstation:\\\\<<IP ADDRESS>>
Error Code:0xC000006A
Error Code: 0xC000006A. That means that an incorrect password was supplied.
For more information, refer to this
Microsoft article.
Have a look to this
Microsoft article.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2011 11:03am
Hi,
I am seeing exactly the same behaviour, with failed logins with the source IP address in the field and I have run 3 anti-virus applications and I do not see anything running as a virus.
Thanks
April 20th, 2011 8:02pm