jumble
asked on
Account lock out
I found that every few hours all my accounts are being locked
User Account Changed:
Account Locked.
Target Account Name: scott
Target Domain: web
Target Account ID: web\scott
Caller User Name: webMAIN$
Caller Domain: web
Caller Logon ID: (0x0,0x3E7)
Privileges: -
User Account Locked Out:
Target Account Name: scott
Target Account ID: web\scott
Caller Machine Name: MAIN
Caller User Name: webMAIN$
Caller Domain: web
Caller Logon ID: (0x0,0x3E7)
User Account Changed:
Account Locked.
Target Account Name: scott
Target Domain: web
Target Account ID: web\scott
Caller User Name: webMAIN$
Caller Domain: web
Caller Logon ID: (0x0,0x3E7)
Privileges: -
User Account Locked Out:
Target Account Name: scott
Target Account ID: web\scott
Caller Machine Name: MAIN
Caller User Name: webMAIN$
Caller Domain: web
Caller Logon ID: (0x0,0x3E7)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Luc,
I hate to admit it, but on this one, it was personal experience rather than good diagnostic and search skills :-)
It's actually fairly easy to take care of.......Symantec has manual removal instructions.......and TrendMicro, which we use here has it in thier current version of their system cleaner tool. The most important thing is to make sure that you have strong passwords on all your local admin accounts.........as it cost me $200 to find out from MS tech support....who to give them thier due, diagnosed the problem for us very quickly and helped with the cleanup. Once again, it's true.........every dollar you spend on AV will be returned many times over...........even though, in this case the variant that we caught was out in the wild a day ahead of TrendMicro's detection pattern.....and we got it on the first day.
Regards,
Jim
I hate to admit it, but on this one, it was personal experience rather than good diagnostic and search skills :-)
It's actually fairly easy to take care of.......Symantec has manual removal instructions.......and TrendMicro, which we use here has it in thier current version of their system cleaner tool. The most important thing is to make sure that you have strong passwords on all your local admin accounts.........as it cost me $200 to find out from MS tech support....who to give them thier due, diagnosed the problem for us very quickly and helped with the cleanup. Once again, it's true.........every dollar you spend on AV will be returned many times over...........even though, in this case the variant that we caught was out in the wild a day ahead of TrendMicro's detection pattern.....and we got it on the first day.
Regards,
Jim
Didn't finish my thought above...."The most important thing is to make sure that you have strong passwords on all your local admin accounts".....because that will stop it from spreading.
ASKER
Thanks,
The funny thing was this Company uses Trend Corp AntiVirus Software and it didn't pick anything up.The Def where up to Date. what i found once i was able to get on site was a couple different virus on 1 Node lucky it never spread through the network due to strong passwords on all accounts. Virus's found where "ADW Tenget .A and BKDR Coreflood .A." had to manually remove all the registery keys since there where no tools for ADW Tenget.A So as you know that was fun...
The funny thing was this Company uses Trend Corp AntiVirus Software and it didn't pick anything up.The Def where up to Date. what i found once i was able to get on site was a couple different virus on 1 Node lucky it never spread through the network due to strong passwords on all accounts. Virus's found where "ADW Tenget .A and BKDR Coreflood .A." had to manually remove all the registery keys since there where no tools for ADW Tenget.A So as you know that was fun...
>it was personal experience rather than good diagnostic and search skills
don't you hate it when that happens?
anyway, jumble, glad you solved your problem.
LucF
don't you hate it when that happens?
anyway, jumble, glad you solved your problem.
LucF
jumble,
There is often a 2-3 day lag between the release of a virus and the release of detection patterns by the major av makers.......they are very good, but they need to get an example of a new virus before they can write a pattern.
May I ask why the "B" grade? It may not be the same virus, but I certainly gave you the solution to your problem.
There is often a 2-3 day lag between the release of a virus and the release of detection patterns by the major av makers.......they are very good, but they need to get an example of a new virus before they can write a pattern.
May I ask why the "B" grade? It may not be the same virus, but I certainly gave you the solution to your problem.
ASKER
Problem is still not resloved and all computers are cleaned at this point THE reason for the grade is because there was a Virus on 1 system but those virus don't try each account i found other IRC-Bot software oppening FTP ports and i found there text file and it showed the accounts it was trying to crack ... In Progress I will let you know the outcome .....
Good Luck......very interested in the outcome and how you deal with it.....looking forward to your report. I think you will find that all the bots were installed and propagated by the virus.
ASKER
First update regarding this issue removed all system from the network , check every system for Virus all come up clean even the server left the server by it self now for about 8 hours still getting the same errors in the event logs rescanned Server still not able to find anything used a couple different Trojan Removal Programs Spybot Etc still no luck.... will let you know how the rest of the night goes " I love this **** " this is what makes this job fun.... :)
LucF