What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
There are multiple login sources that could possibly be generating these errors:
- FTP logins - check your FTP log to see if login failures are showing up at the same time. This was the source in my case, which took me entirely too long to figure out, and which is why I'm posting this.
- Logins via Basic Authentication over http or https (a simple, but possibly dangerous, way to password-protect a web site)
- ASP scripts
- There are likely others of which I'm not aware
Numbers 2 and 3 are mentioned at WindowsSecurity.com:
This logon type indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows server doesn't allow connection to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
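The check the first bullet describes, lining up LogonType 8 failures against the FTP log, can be scripted. This is an added example, not code from the post or from WindowsSecurity.com; it assumes the 4625 fields have already been exported as (time, logon type, logon process, IP) tuples and that the FTP server writes W3C-format logs, and both inputs below are constructed samples.

```python
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample 4625 records: (TimeCreated, LogonType, LogonProcessName, IpAddress).
# Type-8 failures raised through advapi often log "-" as the address, so the match below
# tolerates a missing IP. Not taken from any real log.
EVENTS_4625 = [
    ("2011-03-02 10:15:01", 8, "Advapi", "203.0.113.7"),
    ("2011-03-02 10:15:02", 8, "Advapi", "-"),
    ("2011-03-02 10:15:03", 8, "Advapi", "203.0.113.7"),
    ("2011-03-02 10:20:00", 3, "NtLmSsp", "192.0.2.9"),
    ("2011-03-02 10:30:00", 8, "Advapi", "198.51.100.4"),
]

# Constructed IIS FTP W3C log: date time c-ip cs-method cs-uri-stem sc-status.
# A 530 on PASS is a rejected login; 230 is a successful one.
FTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-03-02 10:15:01 203.0.113.7 PASS - 530
2011-03-02 10:15:02 203.0.113.7 PASS - 530
2011-03-02 10:15:03 203.0.113.7 PASS - 530
2011-03-02 10:25:00 198.51.100.4 PASS - 230
"""

def parse_ftp_failures(log_text):
    """Return (datetime, client_ip) for every rejected PASS command (status 530)."""
    failures = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, c_ip, method, _uri, status = line.split()
        if method == "PASS" and status == "530":
            failures.append((datetime.strptime(f"{date} {time}", FMT), c_ip))
    return failures

def classify_type8(events, ftp_failures, window=timedelta(seconds=2)):
    """Split LogonType-8 4625s into those explained by an FTP 530 inside `window`
    and those still needing another explanation (IIS basic auth, ASP, ...)."""
    explained, unexplained = [], []
    for ts, logon_type, process, ip in events:
        if logon_type != 8:
            continue
        when = datetime.strptime(ts, FMT)
        hit = any(abs(f_ts - when) <= window and ip in ("-", f_ip)
                  for f_ts, f_ip in ftp_failures)
        (explained if hit else unexplained).append((ts, process, ip))
    return explained, unexplained

if __name__ == "__main__":
    ok, rest = classify_type8(EVENTS_4625, parse_ftp_failures(FTP_LOG))
    print(f"{len(ok)} type-8 failures line up with FTP 530s; {len(rest)} do not: {rest}")
```

Whatever remains in the unexplained list is what still needs a look at the IIS basic-auth and ASP angles from the other bullets.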
I'd run a `netstat -a -n | find "1232"` to see what ports process ID (PID) 1232 is listening on. That's the PID that's generating these authentication failures. You could sniff traffic incoming on those ports to track down the source.
(I'm having a hard time coming up with services that run in-process w/ svchost.exe and listen for authentication. It almost feels third-party to me...)