Does this mean I'm getting hacked

Does this mean I'm getting hacked? It seems like logon failures to me, but I might be wrong.

If I posted this in the wrong category, I'm very sorry.

What does the message say when you click one of them?

Also check - https://serverfault.com/questions/686393/event-4625-audit-failure-null-sid-failed-network-logons


The first line says an account failed to log in, and there's a lot more about the failed login. They also showed an IP which I think belongs to the hacker.

And it's logon type 10.

Can you post every line of the message here? I don't know for sure, but I actually never bothered with it; it might or might not be brute force.

Brute-force attempts are pretty common, but I've never faced such a huge attempt that it slowed my server down; that's why I never bothered to secure it except for a moderately strong password.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/26/2017 8:49:17 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-1BEF0FQBDOH
Description:
An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: TEST
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/26/2017 8:27:53 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-1BEF0FQBDOH
Description:
An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-1BEF0FQBDOH$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: owner
Account Domain: WIN-1BEF0FQBDOH

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x98
Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: WIN-1BEF0FQBDOH
Source Network Address: 187.190.15.18
Source Port: 15787

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

I just realized there are 2 types: one type 3 and one type 10.

Right. I think the first one is the internal issue, and the 2nd one is a brute-force attempt.

So yeah, try going through the links I posted; you may be able to solve it.

Also this http://www.morgantechspace.com/2013/10/event-4624-null-sid-repeated-security.html

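The two records above differ in exactly the fields a defender triages first: Logon Type (3 = network/NTLM with no source address, 10 = RemoteInteractive, i.e. RDP, with a source address), the Sub Status (0xc0000064 means the user name does not exist), and the Source Network Address. The script below is an added example for this thread, not code from the original post or from any product: it parses 4625 message text in the layout Event Viewer shows, explains each failure, and groups failures by source IP so a password-guessing run stands out. The sample events are constructed to mirror the two records posted here; the 203.0.113.5 burst is invented (RFC 5737 documentation range), and the threshold of 5 failures is an assumed tuning value.

```python
"""Triage Windows Security event 4625 (failed logon) records.

Added example for this thread, not code from the original post or from any
product. SAMPLE_EVENTS are constructed: the first two mirror the records
pasted in the thread, the 203.0.113.5 burst is invented to show what a
password-guessing run looks like once failures are grouped per source.
"""
import re
from collections import Counter, defaultdict

# Logon type meanings from the 4625 event documentation
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}

# Common NTSTATUS sub-status values carried in the Failure Information block
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "valid user name, wrong password",
    0xC0000234: "account locked out",
}


def parse_4625(text):
    """Pull the fields a defender needs out of the 4625 message text."""
    def field(name, start=0):
        m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*)$", text[start:], re.M)
        return m.group(1).strip() if m else ""

    # "Account Name" appears twice (Subject, then the account that failed);
    # search from the second block so we get the targeted account, not the caller.
    tgt = max(text.find("Account For Which Logon Failed:"), 0)
    sub = field("Sub Status")
    return {
        "logon_type": int(field("Logon Type") or 0),
        "target_user": field("Account Name", tgt),
        "sub_status": int(sub, 16) if sub else None,
        "source_ip": field("Source Network Address"),
        "logon_process": field("Logon Process"),
    }


def describe(ev):
    """One-line explanation of a parsed 4625 record."""
    kind = LOGON_TYPES.get(ev["logon_type"], "type %d" % ev["logon_type"])
    why = SUB_STATUS.get(ev["sub_status"], "sub status 0x%x" % (ev["sub_status"] or 0))
    src = ev["source_ip"] if ev["source_ip"] not in ("", "-") else "no source address recorded"
    return "%s logon for %r failed: %s; from %s via %s" % (
        kind, ev["target_user"], why, src, ev["logon_process"])


def find_bruteforce(events, threshold=5):
    """Group failures by source IP; return sources at or above the (assumed)
    threshold together with the account names each one tried."""
    per_ip = defaultdict(Counter)
    for ev in events:
        if ev["source_ip"] not in ("", "-"):
            per_ip[ev["source_ip"]][ev["target_user"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}


def make_event(logon_type, user, sub_status, source_ip, logon_process):
    """Build a 4625 message body in the layout Event Viewer shows (constructed)."""
    return "\n".join([
        "An account failed to log on.", "", "Subject:",
        "Security ID: S-1-5-18", "Account Name: WIN-1BEF0FQBDOH$", "",
        "Logon Type: %d" % logon_type, "", "Account For Which Logon Failed:",
        "Security ID: NULL SID", "Account Name: %s" % user, "Account Domain:", "",
        "Failure Information:", "Status: 0xc000006d",
        "Sub Status: 0x%08x" % sub_status, "", "Network Information:",
        "Source Network Address: %s" % source_ip, "",
        "Detailed Authentication Information:",
        "Logon Process: %s" % logon_process,
    ])


# Constructed sample set: the two records from the thread, then an RDP burst
SAMPLE_EVENTS = [
    make_event(3, "TEST", 0xC0000064, "-", "NtLmSsp"),
    make_event(10, "owner", 0xC0000064, "187.190.15.18", "User32"),
] + [
    make_event(10, u, 0xC0000064, "203.0.113.5", "User32")
    for u in ["administrator", "admin", "owner", "administrator", "root", "admin"]
]


def run(raw_events=SAMPLE_EVENTS, threshold=5):
    """Parse every record, describe it, and report sources over the threshold."""
    parsed = [parse_4625(t) for t in raw_events]
    return [describe(ev) for ev in parsed], find_bruteforce(parsed, threshold)


if __name__ == "__main__":
    lines, hits = run()
    print("\n".join(lines))
    print("sources at or above threshold:", hits)
```

On a live host the same parser can be fed the message text of real records (for example the output of a `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` query); the useful signal is the per-source count and the spread of guessed account names, not any single failure. A type 3 failure with no source address and a non-existent user, like the first record, is the pattern the serverfault link above discusses; a stream of type 10 failures from one external address, like the second, is what an RDP password-guessing run looks like.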

Seems like updating the VPS stopped it, but I don't know if it will come back again.

This is the update I applied:
For Windows Server 2008: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212 (Please download and install March, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4012212))

For Windows Server 2012: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012213 (Please download and install March, 2017 Security Only Quality Update for Windows Server 2012 R2 (KB4012213))

These two were sent to me by GreenCloudVps.

That IP address is from Latin America, where are you at?

Firewall on? If not, you need to properly configure it ASAP.

Rename the “administrator” account to something beside administrator.

Make sure any extra, unnecessary accounts are disabled.

Make sure any unnecessary services aren’t running - for instance, IIS if you aren’t running a web server.


I'm in Singapore.

Firewall is on

Guest accounts are disabled

Password is super complicated