account lock outs

We've been experiencing account lock outs in our Active Directory - acting like bad password attempts.  We've looked at the event viewer on the Domain Controller in question and the failure audits occur within 2-3 seconds for the same user.  I don't think any user could type their password incorrectly that many times to lock their account out that quickly.  Has anyone else ever experienced a problem with account lock outs but the user didn't fail typing in their password?
This also seems to affect the synchronization of our users' PDA phones - if the account is locked out, the password is then not supplied and the synchronization won't occur.
skbarnard Asked:

Mike Kline Commented:
Is this just one user or is it a bunch of users?
I've seen a lot of similar questions here and many of these account lockouts have been due to the Conficker worm.  Have you checked for that on your network?
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://blogs.msdn.com/nickmac/archive/2009/01/14/malicious-software-removal-tool-removes-win32-conficker-b.aspx
How to verify if my computer is infected by Conficker.B?

- If there are recent account lockout incidents in your company environment, you should pay attention to this worm.

Thanks
Mike
skbarnard Author Commented:
Thanks mkline71 --
We've done a scan on the machine in question using our anti-virus client (OfficeScan -- Trend Micro) and no virus or malware was detected.  We're now looking to see if there are some incompatibilities with Active Directory and OfficeScan version 10.0.  If you or anyone out there knows of any issues with that, your response(s) would be greatly appreciated.
MatheusM Commented:
There can also be an issue where an application is trying to submit a saved password repeatedly; if the saved password it was trying to submit was wrong, then the issue you describe could occur.
skbarnard Author Commented:
It appears we may have a variant of the Conficker virus which we're currently working to eradicate.  Thanks to all who have answered and I will post whether this was the actual issue once we've cleaned the suspect computers.
Mike Kline Commented:
Oh man good luck on that, luckily we haven't been hit with conficker yet....knock on wood.
xmachine Commented:
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Other important points:

1) Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)



Important Note: Please check the batch file before you run it on "Production Servers", because it will disable some features in Windows to prevent Conficker infection.


A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************
 
 
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
 
goto exit
 
:ver_2003
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:exit

skbarnard Author Commented:
It appears we did have a variant of the Conficker worm that attacks Active Directory.  We have blocked ports of the suspect computers but then the users will plug the computer into another port so we've had to chase the rabbit a little bit.  As we approach the finish, the lockouts are happening less frequently.  Thanks to all who contributed.
solancotech Commented:
It looks like we are having this same issue now and we did have a run in with Conficker around this time frame. Do you know which variant it was?

Thanks
Ed
skbarnard Author Commented:
Sorry, I can't remember the variant.  We've now been having a run in with Qbot - here are a few of the variants:  JS_QAKBOT.BOJ, BKDR_QAKBOT.DAM, BKDR_QAKBOT.SME,  BKDR_QAKBOT.SMC, TROJ_QAKJOB.SM,  BKDR_QAKBOT.NEG, BKDR_QAKBOT.SMZP, BKDR_QAKBOT.EOF.  This is a nasty rootkit that infects the root drive (infected files look like gibberish, i.e. ixektqf) and you'll find an unauthorized scheduled task (or tasks), but it also grabs accounts and tries to login as that user.  Kill the scheduled tasks and delete all files that look like gibberish. The good news is that if the account locks out, the virus was UNsuccessful at logging in.  Bad news is, the account still locks out.
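The triage this thread works through (failure audits for one user arriving within 2-3 seconds, then finding the machine behind them) can be scripted. The sketch below is an added example, not code from any poster; the "timestamp,user,source_host" export format, the thresholds, and the host and user names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC failure audits: "timestamp,user,source_host" (assumed format).
SAMPLE = """\
2009-03-02 10:15:01,jsmith,WKS-014
2009-03-02 10:15:01,jsmith,WKS-014
2009-03-02 10:15:02,jsmith,WKS-014
2009-03-02 10:15:03,adavis,WKS-014
2009-03-02 10:15:04,adavis,WKS-014
2009-03-02 10:15:04,adavis,WKS-014
2009-03-02 10:20:00,mlee,SYNC-GW
2009-03-02 10:20:01,mlee,SYNC-GW
2009-03-02 10:20:02,mlee,SYNC-GW
2009-03-02 11:02:10,bkhan,WKS-031
2009-03-02 11:03:45,bkhan,WKS-031
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, user, host = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, host

def find_bursts(records, threshold=3, window=timedelta(seconds=3)):
    """Return {(user, host): n} where n >= threshold failures fit in one window."""
    times = defaultdict(list)
    for ts, user, host in records:
        times[(user, host)].append(ts)
    bursts = {}
    for key, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:                    # faster than a person can type
            bursts[key] = best
    return bursts

def classify(bursts):
    """Heuristic (assumption): many bursty accounts from one host vs. a single one."""
    by_host = defaultdict(set)
    for user, host in bursts:
        by_host[host].add(user)
    return {host: ("multi-account" if len(users) > 1 else "single-account",
                   sorted(users)) for host, users in by_host.items()}

if __name__ == "__main__":
    print(classify(find_bursts(parse(SAMPLE))))
```

A host flagged "multi-account" is the first one to isolate and scan; a "single-account" host is more consistent with the stale saved password MatheusM describes.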