Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Account lock out

Posted on 2003-11-04
10
Medium Priority
?
1,850 Views
Last Modified: 2008-02-01
I found that every few hours all my accounts are being locked


User Account Changed:
       Account Locked.  
       Target Account Name:      scott
       Target Domain:      web
       Target Account ID:      web\scott
       Caller User Name:      webMAIN$
       Caller Domain:      web
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -


User Account Locked Out:
       Target Account Name:      scott
       Target Account ID:      web\scott
       Caller Machine Name:      MAIN
       Caller User Name:      webMAIN$
       Caller Domain:      web
       Caller Logon ID:      (0x0,0x3E7)
 
0
Comment
Question by:jumble
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 18

Accepted Solution

by:
JConchie earned 750 total points
ID: 9682039
Do a virus scan on all machines.......you will probably find you have at least one machine infected with a variant of the Randex worm.  For more info, see:

http://www.viruslibrary.com/virusinfo/Worm.Win32.Randex.htm

"It then runs its spreading routine.

The routine entails scanning port 445 at random IP addresses, and when successfully connecting to a victim machine the worm tries to locate open resources on the remote computer and connect to them using various passwords such as:


"","admin", "root", "123";
e.t.c.
When a successful connection is accomplished the worm copies itself to a victim machine"

it is the unsuccessful attempts to connect to other machines that causes the account lockouts.

http://search.symantec.com will give you help with the Randex B,H,J,S,R,C,and E variants.


0
 
LVL 32

Expert Comment

by:LucF
ID: 9682394
Wow, good search JConchie. I got about the same information, but you were way faster. Too bad Symantec doesn't have a removal tool for this one.

LucF

0
 
LVL 18

Expert Comment

by:JConchie
ID: 9683220
Luc,
I hate to admit it, but on this one, it was personal experience rather than good diagnostic and search skills  :-)

It's actually fairly easy to take care of.......Symantec has manual removal instructions.......and TrendMicro, which we use here has it in thier current version of their system cleaner tool.  The most important thing is to make sure that you have strong passwords on all your local admin accounts.........as it cost me $200 to find out from MS tech support....who to give them thier due, diagnosed the problem for us very quickly and helped with the cleanup.  Once again, it's true.........every dollar you spend on AV will be returned many times over...........even though, in this case the variant that we caught was out in the wild a day ahead of TrendMicro's detection pattern.....and we got it on the first day.

Regards,
Jim
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 18

Expert Comment

by:JConchie
ID: 9683228
Didn't finish my thought above...."The most important thing is to make sure that you have strong passwords on all your local admin accounts".....because that will stop it from spreading.
0
 
LVL 3

Author Comment

by:jumble
ID: 9683803
Thanks,

The funny thing was this Company  uses Trend Corp AntiVirus Software and it didn't pick anything up.The Def where up to Date. what i found once i was able to get on site was a couple different virus on 1 Node lucky it never spread through the network due to strong passwords on all accounts.  Virus's found where "ADW Tenget .A and BKDR Coreflood .A." had to manually remove all the registery keys since there where no tools for ADW Tenget.A So as you know that was fun...
0
 
LVL 32

Expert Comment

by:LucF
ID: 9684892
>it was personal experience rather than good diagnostic and search skills
don't you hate it when that happens?

anyway, jumble, glad you solved your problem.

LucF
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9687672
jumble,

There is often a 2-3 day lag between the release of a virus and the release of detection patterns by the major av makers.......they are very good, but they need to get an example of a new virus before they can write a pattern.

May I ask why the "B" grade?  It may not be the same virus, but I certainly gave you the solution to your problem.
0
 
LVL 3

Author Comment

by:jumble
ID: 9690333
Problem is still not resloved and all computers are cleaned at this point  THE reason for the grade is because there was a Virus on 1 system but those virus don't try each account i found other IRC-Bot software oppening FTP ports and i found there text file and it showed the accounts it was trying to crack ... In Progress I will let you know the outcome .....
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9690732
Good Luck......very interested in the outcome and how you deal with it.....looking forward to your report.  I think you will find that all the bots were installed and propagated by the virus.
0
 
LVL 3

Author Comment

by:jumble
ID: 9691535
First update regarding this issue  removed all system from the network , check every system for Virus all come up clean even the server left the server by it self now for about 8 hours still getting the same errors in the event logs rescanned Server still not able to find anything used a couple different Trojan Removal Programs Spybot Etc still no luck.... will let you know how the rest of the night goes " I love this **** " this is what makes this job fun.... :)
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction How to create multiboot configuration with XP\Vista and Windows 7 on it? And most important question - how to do this correctly so not to have any kind of nightmares we get when system gets screwed? First of all one should realize t…
Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question