Solved

Error 680, 675 and 539.... User getting locked out.  Am I getting hacked?

Posted on 2008-06-20
710 Views
Last Modified: 2010-04-21
Brief description:

User changed his pw at home over VPN for his Windows account via Ctrl + Alt + Del.  That was on Monday.  Ever since, he has been getting locked out randomly.  Today it has become every 5 - 10 min.  I am constantly seeing the errors listed in the title in both of our DCs as well as our Exchange server.  About 60% of the failure events in the DCs point to his machine, 35% to our Exchange server, and the other 5% have no computer name.  On the Exchange server (also Server 03 just like the DCs) about 50% are coming from that server, and the other 50% are either unknown or are coming from a server/computer named "Hosted12".  I have never heard of Hosted12 in our network and when looking at some of the logs I get a public IP for this that comes from rr.com (I think Road Runner).  This could however be a Blackberry plugin 3rd party service that we used to use for getting email to our Blackberry users, but I doubt it.

How can I verify what is going on and overall rectify this whole situation?  I am somewhat new to the server world, so I may need a little coaching here...

Also, to add to the confusion, while troubleshooting (and only while troubleshooting) I set a group policy to keep this user from locking out, however the user continues to get locked out....all of the rest of the GPs work so I am fairly sure that I am blocking inheritance policies correctly.

I really need some quick help on this please!!!
Question by:tgrizzel

21 Comments
Accepted Solution

by: Darius Ghassem (LVL 59), earned 200 total points
You can't deny a user the account lockout policy and the password policies. Get the user to change his password back to what it was to see if the errors stop.
Author Comment

by: tgrizzel
Well I added him to his own OU which did not inherit any other policies, however I understand that this still may not apply as the account lockout policies under administration apply to the entire domain.

I actually did have the user try changing his pw back to what it was, and I tried having him do this several times at different levels; on the DC, via OWA, via Ctrl + Alt + Del, and every time I pushed replication throughout the domain before he did anything as well as ran gpupdate /force on his machine (not really sure if that helps here but did it anyway).  I have also rebooted both DCs as well as the Exchange server to see if that would help.

I have also had the user completely delete his Blackberry/Exchange setup to ensure that this was not logging in with the wrong pw on their side, as well as turned off his computer to make sure that there were no scheduled tasks, network shares or anything else on his local desktop causing the issue.  He has never used Remote Desktop, as some forums point to an account being accidentally left logged in and the pw being changed at the same time.

I can't think of anything else.....

T
Expert Comment

by: ChiefIT (LVL 38)
I was just on another post that had similar issues. They couldn't change passwords because they were logged on somewhere else. When they tried to change passwords, they were immediately locked out and were displaying the same symptoms you describe.

Author Comment

by: tgrizzel
My user can change pws just fine on either the DC or on the desktop....they will not get locked out until they have been successfully logged in for several minutes....I even put this user on a different PC to make sure that it was not an issue with their laptop caching a wrong pw..... I'm fairly certain that this will require 1 of 2 things....1, blocking the external IP from "hosted12" that is trying to authenticate with this user's credentials to our mail server or 2, just deleting this user's account altogether and re-setting it up.   Let me ask this, can I simply change the user's login name to something else without losing his profile (desktop environment and email account that is tied to this user's login name)?  -Again, I have not had too much experience here, and I believe that I tried this once before and ended up 'killing' the profile.

Thanks for any additional input!
Assisted Solution

by: ChiefIT (LVL 38), earned 300 total points
Whenever you logon with a new domain or username, you get a new profile. The profile still exists, and you can copy documents and settings from the profile over to the new profile.

However, if this problem is happening to you, let's figure it out.

First make sure the user is NOT logged on anywhere else on the domain prior to changing your password!!

Then, I think you may have a problem with the protocol you are using. Is this a new DC?
Author Comment

by: tgrizzel
I figured that regarding the profile, and moving the documents and such is no biggie but the email account would be a much bigger issue....still do-able though.

I would say that I am about 99% sure that this user is not logged on elsewhere, but is there a way that I could check this to be 100%?  I've downloaded and run eventcombmt.exe and compiled a list of all of the failure logs for this user off of all of the DCs, mail server and the file server....None of these requests seem to be coming from any other computers other than his, the email server, this 'hosted12' and then some that show no computer name at all.  I am not currently looking at these logs, but I can bring them back up and re-review them tomorrow.

Are there any other tools that might help decipher this any better?

These DCs have been deployed for about 6 months with no major issues.  You and I had previously worked on some NetBIOS issues regarding problems with accessing the C$...the only thing that I have done in the past few weeks was change WINS to run on my main PDC in addition to the secondary DC.....  This was about 2 weeks ago.  Specifically these issues showed up on Monday when the user changed his pw at home....  I have found some forums suggesting similar issues when this was changed at home but obviously have not come across the answer.
Author Comment

by: tgrizzel
Oh, one other thing about that public IP.... it is trying different source ports when it is trying to authenticate.... is this significant or do you feel that we are still looking at an internal issue?
Expert Comment

by: ChiefIT (LVL 38)
OK:

Let's figure out all of these issues that you are having!
Can you provide me a network topology?>>
Example: WAN>>Router>>3-2003 servers & 4-xp pro workstations & 1-NT server.

Let's see your clients' and servers' list of preferred DNS servers: go to the client and type ipconfig /all.

I see your time isn't synchronized: This can cause slowness or AD authentication failures and timed out logons.

What errors show up on a DCdiag report?

What errors show up on Netdiag?
Author Comment

by: tgrizzel

Chief,

I will have to give you a sub-par network topology for now, you see, I have only recently (last 9 or so months) been in this position and was only brought in as a desktop support....lucky me, I have done WAY more server side stuff than user!  The admin before me was in a similar situation and had a very 'messy' setup, AD and so on.  The other side of this, we are a software company and are very pro unix and anti windows....therefore there is NO documentation of the windows side of things.....that said:

1 data center with a T1 connection to the office.  All traffic to internal servers goes this route...the data center includes all production servers and most of the Unix side of things.  The router sitting here is the default gateway listed in all of our static addresses and DHCP.  So, in our office is where all of my servers sit....email (which will soon be moving to the datacenter), 2 DCs (PDC is DNS, DHCP, all FSMO, WINS and the secondary is DNS and WINS) and file server.  50% Windows Vista/XP in office, 30% Linux, and 20% Mac.  The VPN server uses the DCs to authenticate, which sits at the datacenter, therefore comes through the T1 to authenticate.  All email is set to go in and out through the T1 and through the firewalls out there.  DCs have access to the outside world via the default gateway, the T1.  There is a 3rd Unix DNS server in the office that is also the time server (no firewall between them and the DCs...(and ports are open)) which goes in and out via the T1 as it is the master DNS for the datacenter servers.  Both DCs are configured to act as their own DNS via static settings.

DHCP is configured to use DNS in the following way: 1st PDC, 2nd secondary DNS, 3rd Unix DNS. (Name servers is configured in exactly the same way). (should both of these not be configured???)

The replication is always immediate...if I setup a new user on the PDC I can refresh on the secondary and see the new user.... the time issue seems to be better, however I have not gone back to this issue quite yet.

I failed systemlog in DCdiag, which I will look into....last time I ran this, all passed.

All netdiag passed.
Author Comment

by: tgrizzel
systemlog passed the second time through.
Expert Comment

by: ChiefIT (LVL 38)
Sounds like you have your hands full:

For your environment, I think this is an article that will save you a lot of time:
http://www.computerperformance.co.uk/w2k3/Security_Audit.htm

675 Pre-authentication failed.
(Check the error code and compare it to figure four of the article).

680 Successful or Failed logon attempt - see Description

If your password expired, and he/she changed it. Then the password on the box will not be the same password as on the server. So, you will get a preauthentication failure if the password cached on the box is different from the server.

Let me know what the error code is. It sounds like you may have a cached password that is on a Unix machine and that password is incorrectly trying to authenticate with the DC.

And for your application, keep this one handy.

Expert Comment

by: ChiefIT (LVL 38)
539 means the account is locked out from too many attempts, basically.

If these errors come in at a rabbit's pace, and are trying generic passwords on files or services, you may have malware on that computer. You might try and check for malware.

Or it may be hammering away at trying to communicate.

Expert Comment

by: Darius Ghassem (LVL 59)
Sorry for taking so long to get back, my internet went down last night. There is something you can try that I have had problems with before. Windows saves usernames and passwords that allow you quicker access to resources. For example, a corporate intranet site or some other service. Make sure that the user removes all passwords from the computers he has access from. I'm almost positive somewhere there is a password saved with the prior password. Also, like Chief said it could be cached on one of the servers.

http://blogs.msdn.com/jasonlan/archive/2007/11/07/how-to-clear-out-outlook-web-access-passwords-on-windows-mobile.aspx
Author Comment

by: tgrizzel
I am certain that the pws are changing correctly, as I have changed these on the DC while remoted into the DC from his box and then immediately locked his laptop and then re-logged in with the new credentials....

Here is where I am at:

Last night, every 10 -13 minutes he was getting a request from 'hosted12' at the odd public IP address.  This looked as though it was coming into our email server, and then the email server would send exactly 3 requests to our DCs for access....all with failure.  This process happened all night long, and the user's computer was off, Blackberry to Exchange processes were deleted and he was obviously not awake.  This to me rules out his computer and services or processes, his Blackberry caching the wrong pw, him using a wrong pw and several other scenarios.  To me, this leaves one of two things, servers caching the wrong pw or someone outside running attacks against the email server to gain access....a very slow dictionary attack or something.

Also, to comment on Chief's last post, none of our Unix servers authenticate with AD.... and this user does not have any access or need to access the Unix side of things.... I don't think a Unix server is caching the pw wrong.

We have now blocked the public IP address in our firewall and have gone for about 45 minutes with no lockout....(before it was every 2 - 10 minutes).  I will now start reviewing logs to see if 'hosted12' is still getting through.

I'll update when I know more.
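The breakdown the author did by hand from the eventcombmt.exe output (share of failures per source workstation, the unknown "Hosted12" public IP, and the 10-13 minute lockout cadence) can be automated. The script below is an added example, not code from the thread or from EventCombMT: it parses a constructed CSV export (the field layout and the sample values are assumed), counts 675/680/539 events per source for one account, flags any source address outside the internal ranges, and measures the interval between 539 lockouts.

```python
"""Summarize Windows 2003 security events 675/680/539 for one account.
Added example (not from the thread): parses a constructed CSV export in the
spirit of an EventCombMT run; the field layout is assumed, not the tool's.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Address space treated as "inside" (RFC 1918 plus loopback); anything else
# is reported as external. Adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample export: time,dc,event_id,account,workstation,source_ip.
# 203.0.113.45 is a documentation-range placeholder for the unknown public IP.
SAMPLE_EXPORT = """\
2008-06-19 23:02:10,DC1,675,jsmith,JSMITH-LT,10.1.1.25
2008-06-19 23:02:11,DC1,675,jsmith,JSMITH-LT,10.1.1.25
2008-06-19 23:02:12,DC1,539,jsmith,JSMITH-LT,10.1.1.25
2008-06-19 23:14:30,DC2,680,jsmith,EXCH01,10.1.1.5
2008-06-19 23:14:31,DC2,680,jsmith,EXCH01,10.1.1.5
2008-06-19 23:14:32,DC2,539,jsmith,EXCH01,10.1.1.5
2008-06-19 23:26:05,DC1,680,jsmith,HOSTED12,203.0.113.45
2008-06-19 23:26:06,DC1,680,jsmith,,
2008-06-19 23:26:07,DC1,539,jsmith,HOSTED12,203.0.113.45
2008-06-19 23:30:00,DC1,680,bjones,BJONES-PC,10.1.1.40
"""

def parse_export(text):
    """Turn the CSV text into a list of event dicts; blank fields stay empty."""
    events = []
    for line in text.strip().splitlines():
        when, dc, eid, account, workstation, ip = line.split(",")
        events.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       "dc": dc, "event_id": int(eid), "account": account,
                       "workstation": workstation, "ip": ip})
    return events

def is_external(ip):
    """True for a non-empty address outside INTERNAL_NETS."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def summarize(events, account):
    """Counts by event ID and by source, plus the external sources seen."""
    mine = [e for e in events if e["account"] == account]
    by_id = Counter(e["event_id"] for e in mine)
    by_source = Counter(e["workstation"] or "<no workstation name>" for e in mine)
    external = sorted({(e["workstation"], e["ip"]) for e in mine if is_external(e["ip"])})
    return {"events": len(mine), "by_event_id": dict(by_id),
            "by_source": dict(by_source), "external_sources": external}

def lockout_gaps_minutes(events, account):
    """Minutes between consecutive 539 (locked out) events for one account."""
    times = sorted(e["time"] for e in events
                   if e["account"] == account and e["event_id"] == 539)
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print(summarize(evs, "jsmith"))
    print("minutes between lockouts:", lockout_gaps_minutes(evs, "jsmith"))
```

A regular gap between lockouts for an account whose machine is powered off, combined with a source outside INTERNAL_NETS, is the pattern the author used to rule out his own workstation and justify blocking the address at the outer firewall.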
Assisted Solution

by: Darius Ghassem (LVL 59), earned 200 total points
If it's a hacker it must be a Jr. Hacker because it is coming from one IP address. Also, make sure you review the firewall logs for any other unusual traffic coming in just in case the account lockout isn't just a distraction for a more serious attack. Trace the IP address to see where it is coming from. Good Luck!
Author Comment

by: tgrizzel
I agree fully.  I have previously looked and saw that this was from rr.com.   Can anyone recommend some better tracking/pinpointing methods to find out more info?

I would half assume that it's a kid in a basement with a dynamic public IP that will change eventually and I may need to then block another IP.

I will ask that we try and monitor the firewalls over the coming days for a more serious issue.

Thanks again for everyone's help and I'll update again on Monday.
Assisted Solution

by: ChiefIT (LVL 38), earned 300 total points
Since this is a preauthentication it should be a Unix box. Windows Kerberos doesn't preauthenticate, Unix does. Some mass mailing worms have the ability to spoof an IP to protect their identity. If that user's old credentials were compromised, you would have a spoofed IP with what once was good credentials.

It would be my guess that the username and password were compromised. I would also venture to guess a Unix box is sending a spoofed IP to your mail server with old credentials and sending out mass mail. JR. may not be so JR. after all.

I think one of your Unix boxes in your production server environment could be infected with a mass mailing worm. When you changed the credentials, it locked you out of AD. When you kicked on the firewall, it blocked the port coming from the Unix box. Because of this, you are probably getting failed logons for AD and Mail Exchange.

Another, more reasonable alternative, is this person who is having problems with their credentials may have created some sort of ALERT email that sends the email out on IP 10.12.... with that user's credentials to trick the Exchange server into believing it was him who sent the email. Some emails of this type will be to monitor things like UPS, heat issues, etc... If this be the case, with that port blocked on your firewall, you should be able to reset the user credentials in AD and allow the user to log on. But, you will still have emails going to a dead end.

The very most reasonable alternative is this user is logged onto one of your UNIX boxes in your production environment. Just like I said earlier, If the user is logged on from another location, they will immediately be locked out of AD upon trying to change their credentials.

The person, who is having problems should be able to reset his/her credentials with the firewall port blockage. But that is just a bandaid approach.

What I would do is give the user's machine a fixed IP for the time being. Then go into the production environment and track down the incriminating IP. Make sure the user is not logged in at that UNIX box. If not, then scan for mass mailing worms and ask the user if he/she has mail alerts being sent from the Unix box.

0
 

Author Comment

by:tgrizzel
Comment Utility
This issue has been fixed by blocking the external, public IP address that I mentioned before.  I appreciate everyone's help in walking through all of the possibilities here, however in the end, I am very confident that this is not an internal issue.... Let me clarify:

The firewall that we blocked this IP from is the outermost firewall facing the outside world.... this was not a firewall in between our Datacenter (where production Unix servers live) and our office (where DCs, email and all desktop clients live). I understand this could be spoofing an IP to look like it is coming from the outside, however given that there is no firewall between our datacenter and office that is blocking this traffic, I would think that it is not an internal box either.

Also, this user is a sales person and honestly does not even know the IP or hostname of any boxes within our environment...nor has enough knowledge of how to get to them and/or set up any emailing parsers.

I have passed this on to the Unix admins to just double check and make sure that one of the production servers is not compromised, and I will send a final reply/award points when I find this out.

I do agree though that this user's information was compromised somehow, and that upon changing his pw he temporarily stopped this 'hacker' from accessing whatever he was getting into before.  I'll talk with this user some more and try and get any more info. (he did mention that his Blackberry had crapped out a few weeks ago, however he had wiped it before sending it back)

Thanks again,

Travis
Expert Comment

by: ChiefIT (LVL 38)
Sounds like you might want to have a sit down with the user and go over some best-met practices of how to protect themselves from computer fraud.
Assisted Solution

by: ChiefIT (LVL 38), earned 300 total points
Not long ago, someone asked for the best AV product on the market. My response was an educated user and educated administrator:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Enterprise_Anti-Virus/Q_23494407.html

I have always been an advocate of a front line defense, when it comes to preventing malware. If this is a spoofed IP, your user should know why the IP was spoofed. Your DHCP server doesn't send out internal IPs. So, in my opinion, this information was compromised.

On that above article, recommended to me by the FBI, there is a website to go over that lists out how to best protect yourself from computer fraud. It is a great site for users to go over and may offer things to an administrator that an administrator doesn't always think about. It's food for thought.

Take it from someone who has been a Computer Fraud Victim. $40K later and 7 years of a bad credit report really makes you think of such things.
Author Closing Comment

by: tgrizzel
Thanks again, I brought this to the Unix admins and we have determined that in the end this was definitely coming from an outside source.  Thanks for your attention on this!