I'm having something weird happen on a Windows Server 2008 R2 server.
Every day at exactly 9:00 PM, an Audit Failure is registered in Event Viewer, saying that an account failed to log on for reason "Unknown user name or bad password." The weird part is that the Account Name is a 161-character string, beginning with @@, the rest being a seemingly random string of characters. This name is the same every day. It seems to be coming locally from the server. The Logon Type is 4, the Caller Process is svchost, and under Detailed Authentication Information the Logon Process is Advapi, and the Authentication Package is Negotiate. Any ideas where this might be coming from? Any other relevant information I haven't provided?
2 Answers
As it turns out, that was the Backup scheduled task failing to start. Apparently, at some point the Group Policy setting "Network access: Do not allow storage of credentials or .NET Passports for network authentication" got enabled. This was disallowing storing the credentials for use with the scheduled task, as seen in the error message: 
A quick Google search later, and the cause was revealed. I was able to specify credentials in Task Scheduler, and tomorrow morning I'll see whether or not the problem is solved. Still don't know where "@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAkDA0AAOAEEA5AQQAIEABBQLAEDABBAOAEDAtAANAEEAFBwQA0CA4AAMAEDAEBQLAMDABBAMAUDA1AgNAADABBwQAkDAyAAOA0HA" came from, but hopefully that's no longer important. Thanks for all your help!
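One way to trace an event like this back to its source, as an added example that is not part of the original posts: it lists recent Logon Type 4 (batch) failures by time of day, checks the registry value behind the credential-storage policy named above, and lists scheduled tasks whose last run did not succeed. It assumes an elevated PowerShell 2.0 or later prompt and English-language `schtasks` column names.

```powershell
# Added example: triage for recurring batch-logon (Logon Type 4) failures.
# Run elevated; reading the Security log requires administrator rights.

# 1. Failed logons (event 4625) with LogonType 4, the type Task Scheduler uses.
$xpath = "*[System[EventID=4625] and EventData[Data[@Name='LogonType']='4']]"
$failures = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 `
                         -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            Process   = $data['ProcessName']
            LogonProc = $data['LogonProcessName']
        }
    }

# A failure that repeats at the same minute every day points at a schedule.
$failures |
    Group-Object -Property { $_.Time.ToString('HH:mm') }, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Registry value set by the "Network access: Do not allow storage of
#    credentials ..." policy. 1 means task credentials cannot be stored.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.disabledomaincreds -eq 1) {
    'Credential storage is disabled by policy (disabledomaincreds = 1).'
} else {
    'Credential storage is not disabled by policy.'
}

# 3. Scheduled tasks whose last run did not return 0, with the account they
#    run as. Compare "Last Run Time" with the failure times from step 1.
#    The CSV header repeats once per task folder, so header rows are skipped.
schtasks.exe /query /fo csv /v |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Last Result' -ne '0' } |
    Select-Object TaskName, 'Run As User', 'Logon Mode',
                  'Last Run Time', 'Last Result' |
    Format-Table -AutoSize
```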
My first inclination is that this was caused by a Scheduled Task that was being run under a user's Active Directory account that was either disabled or deleted; however, it appears it may be of more sinister origin.
Advapi appears to be part of the BKDR_NETDEVIL.12 malware package, so it seems likely that your server is compromised.