Hello all,

Came up against this recently. Failed login attempts, at first I thought it was the RDP. As the customer had the default RDP port facing the web, and a sloth with a water pistol as a firewall.

I have disabled RDP to the server, blocked the ports; although, there are still failed login logs happening… any ideas?

image attached.

Check event log to see if you can pinpoint a local origin?

I have saved the last 24 hours of the event log with only the 4625 log code.

Server is currently stuck in a reboot at the moment.

Unsure where these failed login attempts could be coming from … another local network machine? - It can’t be the server itself, can it? Maybe trying to login to other accounts?

Edit: I have turned RDP off, so I’m not sure it can be other local network machines…

failed logins dont have to happen at RDP, they just have to fail via active directory. This could be from any machine on the network in the domain.

Ofcourse. The AD… It’s been a long day…

Al look into it in the morning. Just a new customer; likely some malware somewhere. Thank you for the sanity check

I know the feeling. I dont know if the event log would even point fingers to an IP on the network.

@Novasty you got any ideas on quick and/or dirty ways to spot the source?

Run netstat -a and check if port 21/22/23 is open to the world or not.

What are the open ports in general?

As for AD, run wireshark and it should tell you what IP you are being spammed by or AD access requests

Found what it was. Done a malware removal on one of the Laptops and the requests stopped.

Thanks again guys.