What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?

windows-server-2008 windows-server-2008-r2 log-files windows-event-log brute-force-attacks
150

Solution 1

There are multiple login sources that could possibly be generating these errors:

  1. FTP logins - check your FTP log to see if login failures are showing up at the same time. This was the source in my case, which took me entirely too long to figure out, and which is why I'm posting this.
  2. Logins via Basic Authentication over http or https (simple, but possibly dangerous, way to password-protect a web site)
  3. ASP scripts
  4. There are likely others of which I'm not aware

Numbers 2 and 3 are mentioned at WindowsSecurity.com:

This logon type indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn’t allow connection to shared file or printers with clear text authentication. The only situation I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP, script remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.

Solution 2

The logon type 8 occurs when the password was sent over the network in the clear text. Basic authentication in IIS is most possible cause for this kind of login failure. As for as I know there are five commonly used Microsoft IIS based services with Basic Authentication by end users via either by their Desktop or Mobile device, such are OWA client, MS Exchange ActiveSync, Outlook Anywhere, FTP client and SharePoint server.

When an end-user connect the Basic authentication enabled OWA client from their desktop-pc/mobile device with wrong passwords, the event 4625 with logon type 8 will be logged in Exchange Server which hosts the OWA.

Check this article: http://www.morgantechspace.com/2014/12/Find-Account-Lockout-Source-for-Logon-Type-8.html

Solution 3

I'd run a netstat -a -n | find "1232" to see what ports process ID (PID) 1232 is listening on. That's the PID that's generating these authentication failures. You could sniff traffic incoming on those ports to track down the source.

(I'm having a hard time coming up with services that run in-process w/ svchost.exe and listen for authentication. It almost feels third-party to me...)

Share:
150

Related videos on Youtube

sds
Author by

sds

Updated on September 18, 2022

Comments

  • sds
    sds almost 2 years

    I search a MongoDB collection using the find(...,limit=10000,...) method and I get the 10k documents I requested.

    Is there a cheap way to estimate how many documents would have been found without the limit argument?

    One obvious method is count_documents, but I suspect it would be prohibitively expensive.

    • JohnnyHK
      JohnnyHK almost 5 years
      How about using estimated_document_count instead? It's the next method in the documentation you linked.
    • sds
      sds almost 5 years
      @JohnnyHK: Thanks. Alas, that method returns the estimated total number of documents, instantaneously, regardless of the filter argument.
  • FooBee
    FooBee over 9 years
    Login type 3 != Logon type 8.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

New set up DHCP Server on Server 2008 R2 won't work, Event-ID 1046
Windows Server restart / shutdown history
task in task scheduler failing when executing batch file
Windows Server 2008 R2 + IIS 7.5 + ASP.NET 4.0 = HTTP Error 500.0
Stop sync windows 2008 r2 clock
How can I take advantage of multiple NICs in Server 2008 R2 Storage addition to improve speed transfer?
Is there any way to query a list of users who can access a VPN connection in Windows Server 2008 R2
What is the technical difference between Windows server and regular desktop Windows
Teamviewer multi-user mode
Problems with FTP file access to VirtualBox guest running Windows 2008 Server R2 x64