tgrizzel

asked on
Error 680, 675 and 539.... User getting locked out. Am I getting hacked?

Brief description:

User changed his pw at home over VPN for windows account via ctrl + alt + del.  That was on Monday.  Ever since, he has been getting locked out randomly.  Today it has become every 5 - 10 min.  I am constantly seeing the Errors listed in the title in both of our DC's as well as our Exchange server.  About 60% of the failure events in the DC's point to his machine, 35% to our Exchange server, and the other 5% has no computer name.  On the Exchange server (also server 03 just like the DC's) about 50% are coming from that server, and the other 50% are either unknown or are coming from a server/puter named "Hosted12".  I have never heard of Hosted12 in our network and when looking at some of the logs I get a public IP for this that comes from rr.com (I think Road Runner).  This could however be a blackberry plugin 3rd party service that we used to use for getting email to our blackberry users, but I doubt it.

How can I verify what is going on and overall rectify this whole situation.  I am somewhat new to the server world, so I may need a little coaching here...

Also, to add to the confusion, while troubleshooting (and only while troubleshooting) I set a group policy to keep this user from locking out, however the user continues to get locked out....all of the rest of the gp's work so I am fairly sure that I am blocking inheritance policies correctly.

I really need some quick help on this please!!!
ASKER CERTIFIED SOLUTION
Darius Ghassem
tgrizzel

ASKER

Well I added him to his own OU which did not inherit any other policies, however I understand that this still may not apply as the account lockout policies under administration apply to the entire domain.

I actually did have the user try changing his pw back to what it was, and I tried having him do this several times at different levels; on the DC, via OWA, via ctrl + alt + del and every time I pushed replication throughout the domain before he did anything as well as ran gpupdate /force on his machine (not really sure if that helps here but did it anyway).  I have also rebooted both DC's as well as the Exchange server to see if that would help.

I have also had the user completely delete his blackberry/exchange setup to ensure that this was not logging in with wrong pw on their side as well as turned off his computer to make sure that there were no scheduled tasks, network shares or anything else on his local desktop causing the issue.  He has never used Remote Desktop, as some forums point to an account being accidentally left logged in and the pw being changed at the same time.

I can't think of anything else.....

T
I was just on another post that had similar issues. They couldn't change passwords because they were logged on somewhere else. When they tried to change passwords, they were immediately locked out and were displaying the same symptoms you describe.

My user can change pw's just fine on either the DC or on the desktop....they will not get locked out until they have been successfully logged in for several minutes....I even put this user on a diff pc to make sure that it was not an issue with their laptop caching a wrong pw..... I'm fairly certain that this will require 1 of 2 things....1, blocking the external IP from "hosted12" that is trying to authenticate with this user's credentials to our mail server or 2, just deleting this user's account all together and re-setting it up.   Let me ask this, can I simply change the user's login name to something else without losing his profile (desktop environment and email account that is tied to this user's login name)?  -Again, I have not had too much experience here, and I believe that I tried this once before and ended up 'killing' the profile.

Thanks for any additional input!
SOLUTION
I figured that regarding the profile, and moving the documents and such is no biggie but the email account would be a much bigger issue....still do-able though.

I would say that I am about 99% sure that this user is not logged on elsewhere, but is there a way that I could check this to be 100%?  I've downloaded and run eventcombmt.exe and compiled a list of all of the failure logs for this user off of all of the DC's, mail server and the file server....None of these requests seem to be coming from any other computers other than his, the email server, this 'hosted12' and then some that show no computer name at all.  I am not currently looking at these logs, but I can bring them back up and re-review them tomorrow.

Are there any other tools that might help decipher this any better?

These DC's have been deployed for about 6 months with no major issues.  You and I had previously worked on some NetBios issues regarding problems with accessing the C$...the only thing that I have done in the past few weeks was change WINS to run on my main PDC in addition to the secondary DC.....  This was about 2 weeks ago.  Specifically these issues showed up on Monday when the user changed his pw at home....  I have found some forums suggesting similar issues when this was changed at home but obviously have not come across the answer.
Oh, one other thing about that public IP.... it is trying different source ports when it is trying to authenticate.... is this significant or do you feel that we are still looking at an internal issue?
OK:

Let's figure out all of these issues that you are having!
Can you provide me a network topology?
Example: WAN>>Router>>3-2003 servers & 4-xp pro workstations & 1-NT server.

Let's see your clients' and servers' list of preferred DNS servers: go to the client and type IPconfig /all.

I see your time isn't synchronized: This can cause slowness or AD authentication failures and timed out logons.

What errors show up on a DCdiag report?

What errors show up on Netdiag?
Chief,

I will have to give you a sub-par network topology for now, you see, I have only recently (last 9 or so months) been in this position and was only brought in as a desktop support....lucky me, I have done WAY more server side stuff than user!  The admin before me was in a similar situation and had a very 'messy' setup, AD and so on.  The other side of this, we are a software company and are very pro unix and anti windows....therefore there is NO documentation of the windows side of things.....that said:

1 data center with a T1 connection to the office.  All traffic to internal server goes this route...the data center includes all production servers and most of the unix side of things.  The router sitting here is the default gateway listed in all of our static addresses and DHCP.  So, in our office is where all of my servers sit....email (which will soon be moving to datacenter) 2 DC's (PDC is DNS, DHCP, all FSMO WINS and the secondary is DNS and WINS) and file server.  50% windows vista/xp in office, 30% linux, and 20% mac.  VPN server uses DC's to authenticate, which sits at the datacenter, therefore comes through the T1 to authenticate.  All email is set to go in and out through the T1 and through the firewalls out there.  DC's have access to the outside world via the default gateway, the T1.  There is a 3rd unix DNS server in the office that is also the time server (no firewall between them and the DC's...(and ports are open)) which goes in and out via the T1 as it is the master DNS for the datacenter servers.  Both DC's are configured to act as their own DNS via static settings.

DHCP is configured to use DNS in the following way: 1st PDC, 2nd secondary DNS, 3rd unix DNS. (Name servers is configured in exact same way). (should both of these not be configured???)

The replication is always immediate...if I setup a new user on the PDC I can refresh on the secondary and see the new user.... the time issue seems to be better, however I have not gone back to this issue quite yet.

I failed systemlog in DCdiag, which I will look into....last time I ran this, all passed.

All netdiag passed.
systemlog passed the second time through.
Sounds like you have your hands full:

For your environment, I think this is an article that will save you a lot of time:
http://www.computerperformance.co.uk/w2k3/Security_Audit.htm

675 Pre-authentication failed.
(Check the error code and compare it to figure four of the article).

680 Successful or Failed logon attempt - see Description

If your password expired, and he/she changed it. Then the password on the box will not be the same password as on the server. So, you will get a preauthentication failure if the password cached on the box is different from the server.

Let me know what the error code is. It sounds like you may have a cached password that is on a Unix machine and that password is incorrectly trying to authenticate with the DC.

And for your application, keep this one handy.

539 means the account is locked out from too many attempts, basically.

If these errors come in at a rabbit's pace, and are trying generic passwords on files or services, you may have malware on that computer. You might try and check for malware.

Or it may be hammering away at trying to communicate.

Sorry for taking so long to get back, my internet went down last night. There is something you can try that I have had problems with before. Windows saves usernames and passwords that allow you quicker access to resources. For example, a corporate intranet site or some other service. Make sure that the user removes all passwords from the computers he has access from. I'm almost positive somewhere there is a password saved with the prior password. Also, like Chief said it could be cached on one of the servers.

http://blogs.msdn.com/jasonlan/archive/2007/11/07/how-to-clear-out-outlook-web-access-passwords-on-windows-mobile.aspx
I am certain that the pw's are changing correctly, as I have changed these on DC while remoted into the DC from his box and then immediately locked his laptop and then re-logged in with the new credentials....

Here is where I am at:

Last night, every 10 -13 minutes he was getting a request from 'hosted12' at the odd public IP address.  This looked as though it was coming into our email server, and then the email server would send exactly 3 requests to our DC's for access....all with failure.  This process happened all night long, and the user's computer was off, blackberry to exchange processes was deleted and he was obviously not awake.  This to me rules out his computer and services or processes, his blackberry caching the wrong pw, him using a wrong pw and several other scenarios.  To me, this leaves one of two things, servers caching wrong pw or someone outside running attacks against the email server to gain access....a very slow dictionary attack or something.

Also, to comment on Chief's last post, none of our unix servers authenticate with AD.... and this user does not have any access or need to access the unix side of things.... I don't think a unix server is caching the pw wrong.

We have now blocked the public IP address in our firewall and have gone for about 45 minutes with no lockout....(before it was every 2 - 10 minutes).  I will now start reviewing logs to see if 'hosted12' is still getting through.

I'll update when I know more.
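The two asker posts above (the eventcombmt.exe compilation of failure events per source, and the overnight pattern of a burst of exactly 3 DC failures every 10-13 minutes from 'hosted12') describe a triage that can be scripted. The Python below is an added example, not code from the thread or from any Microsoft tool: it assumes a hypothetical CSV export layout (timestamp, logging server, event ID, target account, source workstation, client IP) which is not EventCombMT's real output format, and the rows, host names and IPs are constructed. It counts failure audits (IDs 675, 680, 539 as discussed in the thread) per source workstation, lists sources that are absent from a known-host inventory, and flags any unknown source whose bursts of failures recur at a steady interval, which is the signature the asker saw and which no cached-password scenario on a powered-off laptop would produce.

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample rows in a hypothetical CSV layout (not real EventCombMT output):
# timestamp, logging server, event id, target account, source workstation, client IP.
# The 203.0.113.0/24 address is documentation space; host names are made up.
SAMPLE_EXPORT = """\
2008-06-10 01:12:03,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:12:04,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:12:05,DC2,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:12:06,DC1,539,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:23:30,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:23:31,DC2,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:23:32,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:23:33,DC2,675,jsmith,,203.0.113.45
2008-06-10 01:35:02,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:35:03,DC1,675,jsmith,HOSTED12,203.0.113.45
2008-06-10 01:35:04,DC2,680,jsmith,HOSTED12,203.0.113.45
2008-06-10 08:02:11,DC1,675,jsmith,JSMITH-LAPTOP,10.0.5.21
2008-06-10 08:15:40,DC1,680,jsmith,EXCH01,10.0.5.10
2008-06-10 09:01:00,DC2,680,bjones,BJONES-PC,10.0.5.33
"""

# Hypothetical asset inventory; anything not listed here is treated as unknown.
KNOWN_HOSTS = {"JSMITH-LAPTOP", "EXCH01", "BJONES-PC", "DC1", "DC2"}
# Windows Server 2003 security audit IDs discussed in the thread.
FAILURE_IDS = {"675", "680", "539"}


def parse_export(text):
    """Turn the CSV rows into dicts; an empty workstation field becomes '<none>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, logger, event_id, account, workstation, client_ip = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "logger": logger,
            "id": event_id,
            "account": account,
            "workstation": workstation or "<none>",
            "ip": client_ip,
        })
    return events


def failures_by_source(events, account):
    """Count failure-audit rows for one account per source workstation."""
    return Counter(e["workstation"] for e in events
                   if e["account"] == account and e["id"] in FAILURE_IDS)


def unknown_sources(events, account, known_hosts):
    """Source names hitting this account that are missing from the inventory."""
    return {ws for ws in failures_by_source(events, account) if ws not in known_hosts}


def bursts(events, account, workstation, window_seconds=60):
    """Group one source's failures into bursts: an event within the window of the
    current burst's start joins it. Returns a list of (burst_start, event_count)."""
    times = sorted(e["time"] for e in events
                   if e["account"] == account and e["workstation"] == workstation
                   and e["id"] in FAILURE_IDS)
    result = []
    for t in times:
        if result and (t - result[-1][0]).total_seconds() <= window_seconds:
            result[-1] = (result[-1][0], result[-1][1] + 1)
        else:
            result.append((t, 1))
    return result


def periodic_probes(events, account, known_hosts, min_bursts=3, tolerance=0.25):
    """Flag unknown sources whose bursts recur at a steady interval: every gap
    between burst starts must lie within `tolerance` of the median gap."""
    flagged = {}
    for ws in unknown_sources(events, account, known_hosts):
        b = bursts(events, account, ws)
        if len(b) < min_bursts:
            continue
        gaps = [(b[i + 1][0] - b[i][0]).total_seconds() / 60 for i in range(len(b) - 1)]
        med = statistics.median(gaps)
        if all(abs(g - med) <= tolerance * med for g in gaps):
            flagged[ws] = {"bursts": len(b),
                           "per_burst": [n for _, n in b],
                           "gap_minutes": [round(g, 1) for g in gaps]}
    return flagged


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print("failures per source:", dict(failures_by_source(evs, "jsmith")))
    print("unknown sources:", unknown_sources(evs, "jsmith", KNOWN_HOSTS))
    for ws, info in periodic_probes(evs, "jsmith", KNOWN_HOSTS).items():
        print(f"periodic failures from unknown source {ws}: {info}")
```

On the constructed data the only flagged source is HOSTED12, with three bursts about 11 minutes apart; the single row with no computer name is reported as unknown but not flagged because one burst says nothing about cadence. The same split of "unknown source" versus "steady cadence" is what separates a stale cached credential (usually one known host, irregular retries) from an external client retrying a dead password on a timer, and the per-source counts are what to compare against the firewall block once it is in place.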
SOLUTION
I agree fully.  I have previously looked and saw that this was from rr.com.   Can anyone recommend some better tracking/pinpointing methods to find out more info.

I would half assume that it's a kid in a basement with a dynamic public IP that will change eventually and I may need to then block another IP.

I will ask that we try and monitor the firewalls over the coming days for a more serious issue.

Thanks again for everyone's help and I'll update again on Monday.
SOLUTION
This issue has been fixed by blocking the external, public IP address that I mentioned before.  I appreciate everyone's help in walking through all of the possibilities here, however in the end, I am very confident that this is not an internal issue.... Let me clarify:

The firewall that we blocked this IP from is the furthest outward-facing firewall to the outside world.... this was not a firewall in between our Datacenter (where production unix servers live) and our office (where DC's, email and all desktop clients live). I understand this could be spoofing an IP to look like it is coming from the outside, however given that there is no firewall between our datacenter and office that is blocking this traffic, I would think that it is not an internal box either.

Also, this user is a sales person and honestly does not even know the ip or hostname of any boxes within our environment...nor has enough knowledge of how to get to them and or setup any emailing parsers.

I have passed this onto the Unix admins to just double check and make sure that one of the production servers is not compromised, and I will send a final reply/award points when I find this out.

I do agree though that this user's information was compromised somehow, and that upon changing his pw he temporarily stopped this 'hacker' from accessing whatever he was getting into before.  I'll talk with this user some more and try and get any more info. (he did mention that his blackberry had crapped out a few weeks ago, however he had wiped it before sending it back)

Thanks again,

Travis
Sounds like you might want to have a sit down with the user and go over some best practices of how to protect themselves from computer fraud.
SOLUTION
Thanks again, I brought this to the Unix admins and we have determined that in the end this was definitely coming from an outside source.  Thanks for your attention on this!