[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

win2k locked out user accounts without any login attempt being made

Posted on 2003-10-21
8
Medium Priority
?
843 Views
Last Modified: 2013-12-04
I have a windows 2000 domain running in native mode with only win2k servers.  a PDC and a BDC are in place both with SP4.  the domain is a .local with direct inernet access through a cisco 2610 running NAT.  Everyday I must unlock all of my user accounts in the AD users and computers plugin.  Can you tell me of any known issues that would cause this to happen.  I am not seeing any failures in the event log to indicate that my user accounts are being hit by a password attack.  This has become a very big problem.  This happens every day and sometimes several times a day.  I have also experienced a day or two during this problem cycle that the lockout did not occur.  Any insight would be very appreciated.
0
Comment
Question by:digitalsoup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 18

Accepted Solution

by:
JConchie earned 2000 total points
ID: 9591897
Set up auditing for login success/failure and see what you are getting for login attempts........if you are getting a lot of them from one source (ie 40-50 per second)   scan the source machines for a variant of the worm_Randex  From an infected machine, Randex attempts to connect to random IPs on the lan using a variety of simple passwords.......which is what creates a lot of failed login attempts.......and locked out accounts.....the remedy for stopping the spread of randex is to ensure that you have complex passwords on the local admin accounts of all your machines.......then you can clean the infected machines.
0
 

Author Comment

by:digitalsoup
ID: 9592668
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      User
       Domain:            YOUR-5OHMF9CG1X
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      YOUR-5OHMF9CG1X

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/15/2003
Time:            8:37:10 PM
User:            NT AUTHORITY\SYSTEM
Computer:      KING200
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Dr. Stephen Svastits
       Domain:            SVASTITS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SVASTITS


what are your thoughts on this
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9592712
The most interesting thing about this entry is the time..........8:37 pm......unless you had a user working late that night, the most likely source  for this logon attempt would be a virus.........scan this machine.......and the rest of your network too.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Author Comment

by:digitalsoup
ID: 9592851
incidentally Dr. Stephen Svastits is not a user of mine!!!!
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9592918
Do you have AV software.......if not, there are several online services you can use.......just google on "online virus scan"
0
 

Author Comment

by:digitalsoup
ID: 9593063
symantec corp ver 8.1 virus def are from 10\15 and no new updates found on LU
0
 

Expert Comment

by:vg30dett
ID: 9602787
We have had the same issue on one of our 2k servers aswell.  We found out its a virus\hacker on the outside, hashing Active Directory User Accounts,  
If you disable the netlogon Service and Kerbose the Hashing will stop.

As a test try enabling the netlogon service and Kerbose, then monitor the security logs on the server and your router.

Do a NSlookup for the suspecting IP address.  BLock that subnet coming in on your router/firewall.
0
 

Expert Comment

by:vg30dett
ID: 9602793
Symantec Corp Def. should be at 10/21/2003  
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question