win2k locked out user accounts without any login attempt being made

I have a windows 2000 domain running in native mode with only win2k servers.  a PDC and a BDC are in place both with SP4.  the domain is a .local with direct inernet access through a cisco 2610 running NAT.  Everyday I must unlock all of my user accounts in the AD users and computers plugin.  Can you tell me of any known issues that would cause this to happen.  I am not seeing any failures in the event log to indicate that my user accounts are being hit by a password attack.  This has become a very big problem.  This happens every day and sometimes several times a day.  I have also experienced a day or two during this problem cycle that the lockout did not occur.  Any insight would be very appreciated.
digitalsoupOwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JConchieCommented:
Set up auditing for login success/failure and see what you are getting for login attempts........if you are getting a lot of them from one source (ie 40-50 per second)   scan the source machines for a variant of the worm_Randex  From an infected machine, Randex attempts to connect to random IPs on the lan using a variety of simple passwords.......which is what creates a lot of failed login attempts.......and locked out accounts.....the remedy for stopping the spread of randex is to ensure that you have complex passwords on the local admin accounts of all your machines.......then you can clean the infected machines.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
digitalsoupOwnerAuthor Commented:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      User
       Domain:            YOUR-5OHMF9CG1X
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      YOUR-5OHMF9CG1X

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/15/2003
Time:            8:37:10 PM
User:            NT AUTHORITY\SYSTEM
Computer:      KING200
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Dr. Stephen Svastits
       Domain:            SVASTITS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SVASTITS


what are your thoughts on this
0
JConchieCommented:
The most interesting thing about this entry is the time..........8:37 pm......unless you had a user working late that night, the most likely source  for this logon attempt would be a virus.........scan this machine.......and the rest of your network too.
0
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

digitalsoupOwnerAuthor Commented:
incidentally Dr. Stephen Svastits is not a user of mine!!!!
0
JConchieCommented:
Do you have AV software.......if not, there are several online services you can use.......just google on "online virus scan"
0
digitalsoupOwnerAuthor Commented:
symantec corp ver 8.1 virus def are from 10\15 and no new updates found on LU
0
vg30dettCommented:
We have had the same issue on one of our 2k servers aswell.  We found out its a virus\hacker on the outside, hashing Active Directory User Accounts,  
If you disable the netlogon Service and Kerbose the Hashing will stop.

As a test try enabling the netlogon service and Kerbose, then monitor the security logs on the server and your router.

Do a NSlookup for the suspecting IP address.  BLock that subnet coming in on your router/firewall.
0
vg30dettCommented:
Symantec Corp Def. should be at 10/21/2003  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.