Users getting locked out, getting killed by multiple logon requests, NEED HELP !?!

Posted on 2004-11-11
Last Modified: 2010-04-11
Here's what I have, what's happening, and what I need to do....  Lots of points here to split or give to one person..

The Network:
     firewall (can't think of name right now, blocks certain ports, but not a lot)
     full class-c subnet (##.##.##.0 - ##.##.##.255) on the internet
     2 win 2k3 domain controllers / dns / dhcp / (1 comp does terminal service) ~ internal and external ip addresses
     1 win 2k member server / ras / vpn / ISA 6.0 ~ internal and external ip address
     1 win nt 4.0 server / internal ip

What's Happening:
     Tons of login failures are occurring with ALL of the user accounts in the domain.  We have a policy set up that after 5 bad login attempts, the account gets locked out.  So basically when one of these attacks comes across the internet, all of our users (about 80) get locked out of their accounts and then I have to sit there and manually unlock them.

    Don't know if this helps, but here's the event log from one of the servers from one of the attacks.

 Logon account:      ** username here **
 Source Workstation:      MALOEY
 Error Code:      0xC000006A

and then:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      ** username here **
       Domain:            MALOEY
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MALOEY
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:
       Source Port:      

What I can get out of this is the computer and IP that is attacking us.   But I don't know how they are getting the FULL LIST of user accounts (even accounts that were added last week).

I'm looking for a detailed description of what I can do to stop this, in terms of what I need to do, and I would also like to know how these people are getting the FULL LIST of user accounts on the domain and then slamming them with requests.

Question by:Eric
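One way to triage the posted "Logon Failure" events before unlocking anyone, as an added example that is not part of this thread: parse the Windows 2003 security-log text shown above, group failures by Workstation Name, and flag a source that fails against many distinct accounts (one host cycling through the whole account list is what trips the 5-attempt lockout for everyone). The sample entries, account names and the WS-FINANCE host are constructed for the example.

```python
import re
from collections import defaultdict

# Field layout copied from the security-log text posted in the question.
ENTRY_TEMPLATE = (
    "Logon Failure:\n"
    "       Reason:            Unknown user name or bad password\n"
    "       User Name:      {user}\n"
    "       Domain:            {domain}\n"
    "       Logon Type:      3\n"
    "       Logon Process:      NtLmSsp\n"
    "       Authentication Package:      NTLM\n"
    "       Workstation Name:      {ws}\n"
)

FIELD_RE = re.compile(
    r"^\s*(User Name|Domain|Logon Type|Workstation Name):\s*(.*?)\s*$", re.M)

def parse_entries(text):
    """Split the log into 'Logon Failure:' blocks and pull out the fields we need."""
    return [dict(FIELD_RE.findall(block))
            for block in text.split("Logon Failure:")[1:]]

def failures_by_source(entries):
    """Map each source workstation to the account names it failed against."""
    by_src = defaultdict(list)
    for e in entries:
        if e.get("Logon Type") == "3":  # network logon, as in the posted event
            by_src[e["Workstation Name"]].append(e["User Name"])
    return by_src

def spray_sources(entries, min_accounts=3):
    """Sources that failed against at least min_accounts distinct accounts."""
    return sorted(src for src, users in failures_by_source(entries).items()
                  if len(set(users)) >= min_accounts)

def accounts_at_lockout(entries, threshold=5):
    """Accounts whose failure count reached the lockout threshold (5 in the thread)."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["User Name"]] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

# Constructed sample: MALOEY hits four accounts five times each (a spray),
# while the legitimate workstation WS-FINANCE fails once on a typo.
SAMPLE_LOG = "".join(
    ENTRY_TEMPLATE.format(user=u, domain="MALOEY", ws="MALOEY")
    for _ in range(5) for u in ("alice", "bob", "carol", "dave")
) + ENTRY_TEMPLATE.format(user="alice", domain="CORP", ws="WS-FINANCE")

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("spraying sources:", spray_sources(entries))
    print("accounts at lockout threshold:", accounts_at_lockout(entries))
```

Running the same functions over a real exported log tells you whether one workstation name accounts for all the lockouts, which is the first thing to block at the firewall.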
    LVL 7

    Accepted Solution

    It seems that your network might have been compromised.
    Let's look at it from the outside in...
    1.) Firewall: Are ports 23, 137, 138, 139 open? Review policy...
    2.) DNS configuration: How are the zones configured? To review...
    3.) DC: Your DCs' config might be a problem... to review.  DCs should not have external IPs. Not even in the DMZ zone...(imho only).
    4.) The IP address that was logged might not be the IP address of the real attacker. Might be spoofed.

    Suspect: Brute-force might have been done on one of the DCs (on the SAM database), possibly the one that has an external IP address. Upon a successful hack on the server, the latest account list could be obtained, anytime.

    It only takes one compromised DC to get the info of your network.
    (my assumption only, based on limited info.)...;-)  
    LVL 7

    Expert Comment

    You can use Core Impact demo to determine your network security risks.

    Core Impact overview
    LVL 6

    Author Comment

    I'll review this stuff in the morning, and post my findings.
    LVL 6

    Author Comment

    quick port scan of the entire subnet...

    These are the open ports.  I have replaced the IP addresses with a unique name for each computer (my reference)

    Router: 23,25,110

    smtp server: 21,25,110,389,443,445,464,593,636,691,995,1025,1026,1031,1074,1076,1079,1161,1171,1219,1311,1312,1326,1376,1389,1393,1420,1448,1451,2160,2161,2260,3052,3268,3269,3389,5753,6001,6002,6101,6106,8000,8081

    mail server: 25,88,110,389,443,445,464,593,636,691,995,1025,1026,1031,1092,1096,1110,1161,1171,1219,1311,1312,1326,1376,1389,1393,1420,1448,1451,2160,2161,2260,3052,3268,3269,3389,5753,6001,6002,8000,8081

    domain controller 1: 21,25,42,53,80,88,110,135,389,443,445,464,593,636,691,995,1025,1026,1031,1074,1076,1079,1092,1096,1110,1161,1171,1219,1311,1312,1326,1376,1389,1393,1420,1448,1451,2160,2161,2260,3052,3268,3269,3389,5753,6001,6002,6101,6106,8000,8081

    domain controller 2: 21,25,42,53,80,88,110,135,389,443,445,464,593,636,691,995,1025,1026,1031,1074,1076,1079,1092,1096,1110,1161,1171,1311,1312,1326,1376,1389,1393,1420,1448,1451,2160,2161,2260,3052,3268,3269,3389,5753,6001,6002,6101,6106
    LVL 6

    Author Comment

    and that's only scanning ports 1-9999
    using Angry IP Scanner 2.21
    LVL 7

    Expert Comment

    For the external IP, DCs and DNS servers should not have ports 135, 1025... open on the internet-facing interface.
    Why are sooo manyyy ports open? Is there a particular reason?

    Try checking what port you actually need open and close all other unused ports...
    You can use Ethereal to monitor your inbound and outbound traffic.

    Good Luck...;-)
    LVL 6

    Author Comment

    Standard load of the 2003 servers..   I don't know why they are all open..  
    Focusing on security is new to me.. I normally just fix PCs but am getting
    into the security aspect of it now..  I have to take a look today at what is running
    on each server, and turn on the Internet Connection Firewall settings in Windows.

    Do you have any references on a step by step check to secure DNS servers? I really want
    to remove the external IPs from the DNS/DHCP servers, but when I do, people lose
    the connection to the internet.

    LVL 7

    Expert Comment

    Refer to these tutorials. It should give you a headstart...

    Securing Server 2003 Domain Controllers

    Changes to Default Settings Make Windows Server 2003 More Secure (Part 1)

    Changes to Default Settings Make Windows Server 2003 More Secure (Part 2)

    LVL 6

    Author Comment

    I'll check that stuff out.  For now I'll award the points. You've been a great help...

    LVL 6

    Author Comment

    Turning on the ICF was interesting today.  After turning it on, people could not access email (Exchange 2003 Server)
    and couldn't access network shares...  So I still have some work to do before even 1 of my domain controllers is

    LVL 7

    Expert Comment

    Maybe, you can ask another Q for ICF config for your environment.
    I'm sure many will assist...;-)
