Solved

AD user account lockouts

Posted on 2010-08-24
Last Modified: 2013-12-04
Windows 2003 DC's (2)

Recently, we've had a few users that have had their user accounts locked out. Currently, I'm looking at an account that is locked out, the user is not in the building or working remotely, and his PC is shut down. As soon as I unlock his account, it is immediately locking out again. I'm using the Lockoutstatus.exe tool, and can see the bad password count increase to five (our limit). It shows as locked out on both DC's, but only one DC is showing the bad password count.

I've looked at the security event viewer logs, but I'm not sure what I'm seeing.  I see the eventID 644 where the account is locked out  with the caller machine name of \\NTscan.   What does that mean?

I had a different user earlier today complain of being locked out, and I had to 'unlock' his account (before I had the tools) at least 15 times before it would stay unlocked.

If it's a virus, McAfee is not showing it to me.  Any advice?
Question by:netw-virgo
48 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33516155
The Conficker Virus springs to mind - or you are being externally abused with a password / username cracking system and they are trying brute force until they get the password.
I have seen a major increase in password guessing situations / account lockouts on the servers I manage and this ultimately leads to Authenticated Relaying of spam and trouble.
Conficker is also known to cause account lockouts, so might be worth scanning your computers for this (also make sure they have the patch applied).
http://www.sophos.com/products/free-tools/conficker-removal-tool.html
0
 
LVL 8

Expert Comment

by:jimmyray7
ID: 33516156
Under the machine name in the event viewer, does it list the IP address?  Is it internal or external?  
0
 

Author Comment

by:netw-virgo
ID: 33516205
The IP address is not listed, the Caller User Name is the computer name of our DC with a $ sign at the end, the Caller Domain is our network domain name, and the Caller Logon ID is (0x0,0x3E7)

I'll also look into the conficker virus.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33516232
It also sounds like the same problem I am waiting to happen again on an SBS 03 server I manage.  Convinced it is a remote PC / Server which is a home user's PC (not switched on all the time) that is trying to crack the passwords on the server.
It is using names like 123 / admin / root etc.  I have cranked up the logging on the firewall and get the logs emailed to me hourly, but the attack has not re-surfaced for 3 days (annoyingly).
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 33516233
Sounds like the computer "NTScan" is attacking your domain controller trying to guess passwords on your user accounts. But... NTScan could be an external computer, internal, or even a virtual machine on an infected computer.
0
 

Author Comment

by:netw-virgo
ID: 33516301
So if it is happening to you both, I'm guessing you have checked for conficker and that is not it?
Before today, it was a week ago that it happened to a different user where I had to continually unlock the account until it stayed unlocked. When it happened again today, I knew I needed to get the lockout tools and 'ask the experts' how to figure this out. I'm worried now that it's happening to you both.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33516327
I would be fairly confident that if it is not consistently happening, that it is not conficker.
Most likely to be a remote system interrogating yours.  Crank up the logging on the firewall / router and next time it happens, you should be able to cross reference the IP in the logs with the time / date of the account lockouts.  Then you can block the IP Range from the ISP of the offending IP address and the problem should go away.
0
 

Author Comment

by:netw-virgo
ID: 33516346
Thanks - I'll give that a try - how does it know which user account names to try?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33516383
Guesswork usually I would imagine - perhaps based on email address harvesting or just random name generation and then when the account fires back a cannot login message - then they know the username is correct (all guesswork on my part - I am a good computer user - not a hacker ; )  )
0
 

Author Comment

by:netw-virgo
ID: 33516401
So the reason the account will eventually let me unlock it is because the program remote system has stopped trying at that point?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33516452
I would imagine so - once it is locked out - they presumably know and back off for a time and then try again.
0
 
LVL 4

Expert Comment

by:kenycl
ID: 33516880
When this first started happening, did the user just change their password on the day? If so it could be some service the user may have their account against that uses their account to logon, possibly? Say a Nokia device that just keeps trying with their old password or something like that.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33518399
I would concentrate efforts on the NTScan machine. Do you have a computer by that name? If not go to the command prompt and type Net view to see if it is listed.

I am looking at the "machine name" that appears to be a NetBIOS UNC path. That has me a little taken aback.

My guess is you have mapped network drives that are trying to logon, as you set them to logon with the user's credentials, and remain logged on. Once you boot a computer the mapped network drives will try to authenticate with these outdated and saved credentials and the user account will soon, thereafter, be disabled.

Go to that user's computer, logon as administrator, and remove mapped network drives to \\ntscan to see if the user becomes disabled in AD.  
0
 

Author Comment

by:netw-virgo
ID: 33521066
I do not have a computer by the name of NTScan, and it is not listed under net view.

I have unmapped network drives, and the account continues to become disabled. I'm using the lockoutstatus.exe program and can see the bad password count. It happened when she was at my computer so I know she isn't typing in the wrong password. It is going so fast that it must be automated. She has not reset her password recently.

I'm trying to use the firewall logging to see something but so far nothing. It appears that since I've been composing this response the issue has subsided.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33521460
Funny that - I have the same issue with my customer.  It has been about 4 days now and no additional account lockouts / invalid login attempts!
Waiting eagerly for the next attempts.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33522260
OK, researching the topic it appears that some of your systems are infected with a memory resident virus called SDbot or a variant of the virus.

SDBot is a memory resident program that will use dictionary attacks against the Username and password to spread throughout the Netbios shares. If an administrator logs onto that computer it will quickly infect every computer on the network.  Users are getting locked out because the dictionary attacks are causing failed logons. At the fifth failed logon, the user is immediately logged out.

This is what trend micro says about the virus:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EZN&VSect=T

This is what McAfee says about it:
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=100454#none
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33523706
I just blocked an entire ISP IP Range from Greece that was trying to abuse an account for the customer mentioned earlier.
0
 

Author Comment

by:netw-virgo
ID: 33523790
Did your problem present itself as coming from \\NTScan ?  What were you looking for in the firewall logs that got you to the point of blocking that range?  
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33525483
The logs showed an IP constantly trying to use a particular port that was allowed through and the Security Log showed up Failed Login Attempts.
Cross referencing the Security log time for the Failed Logins to the Firewall log, I saw the IP and the port it was trying to use to connect through, looked up the IP address, got the IP range for the ISP and blocked the Subnet on the firewall. No further attempts so far.
Still waiting for others though.
No - it was not \\NTSCAN
0
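The cross-referencing described in the comment above, done programmatically, as an added example that is not code from the thread: event-644 lockout entries from a security-log export are matched against firewall log lines that hit the server's SMB port shortly before each lockout, and the non-private source IPs are counted. Both log layouts and all entries below are constructed samples (the 79.129.3.91 address is the one quoted later in the thread); a real export will need its own field parsing.

```python
# Added example, not code from the thread: correlate event-644 lockouts with
# firewall lines by timestamp. Log formats and entries are constructed samples.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed security-log export: time, event id, account, caller machine name.
SECURITY_LOG = """\
2010-08-24 14:02:11,644,jdoe,\\\\NTSCAN
2010-08-24 14:02:12,644,jdoe,\\\\NTSCAN
2010-08-24 15:30:00,644,asmith,\\\\WS-ASMITH
"""

# Constructed firewall export: time, action, proto, src ip:port, dst ip:port.
FIREWALL_LOG = """\
2010-08-24 14:02:09 ALLOW TCP 79.129.3.91:52513 10.0.0.5:445
2010-08-24 14:02:10 ALLOW TCP 79.129.3.91:52514 10.0.0.5:445
2010-08-24 14:02:40 ALLOW TCP 61.128.111.188:40000 10.0.0.5:443
2010-08-24 15:29:58 ALLOW TCP 10.0.0.23:1034 10.0.0.5:445
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
FW_RE = re.compile(r"^(\S+ \S+) \w+ \w+ (\S+):\d+ \S+:(\d+)$")


def parse_lockouts(text):
    """Return (time, account, caller) for every event-644 (lockout) line."""
    rows = []
    for line in text.splitlines():
        ts, event_id, account, caller = line.split(",")
        if event_id == "644":
            rows.append((datetime.strptime(ts, TS_FMT), account, caller))
    return rows


def parse_firewall(text):
    """Return (time, source ip, destination port) for each firewall line."""
    rows = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        rows.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), int(m.group(3))))
    return rows


def correlate(lockouts, fw_rows, window_s=30, dst_port=445):
    """Count, per non-private source IP, how many lockouts it preceded by
    hitting dst_port within window_s seconds. A repeated source is the
    candidate range to block; no hits at all suggests an internal caller."""
    hits = Counter()
    for t, _account, _caller in lockouts:
        earliest = t - timedelta(seconds=window_s)
        sources = {src for ft, src, port in fw_rows
                   if earliest <= ft <= t and port == dst_port
                   and not ipaddress.ip_address(src).is_private}
        hits.update(sources)  # one count per source per lockout
    return hits
```

On the sample data the two lockouts of jdoe are both preceded by 79.129.3.91 on port 445, while the asmith lockout only has an internal 10.x peer and so produces no external candidate.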
 

Author Comment

by:netw-virgo
ID: 33525935
Is it possible for you to share the IP and port so that I could search my firewall logs for the same when it happens to me again?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33526187
Sure - only too happy to.
It was : 79.129.3.91
IP Information - 79.129.3.91
IP address:                     79.129.3.91
Reverse DNS:                    kozzmozz.static.otenet.gr.
Reverse DNS authenticity:       [Verified]
ASN:                            6799
ASN Name:                       OTENET-GR (OTEnet S.A. Multiprotocol Backbone & ISP)
IP range connectivity:          6
Registrar (per ASN):            RIPE
Country (per IP registrar):     GR [Greece]
Country Currency:               EUR [euros]
Country IP Range:               79.128.0.0 to 79.131.255.255
Country fraud profile:          Normal
City (per outside source):      Athens, Attiki
Country (per outside source):   GR [Greece]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 79.129.3.91
0
 

Author Comment

by:netw-virgo
ID: 33537109
I found this happening again this afternoon to a user's account who had left for the day and his computer was shut down. So I looked at connections at our DC since that is where \\NTScan originates, and found 2 connections to outside IP addresses that I don't recognize. I blocked them at the firewall and the account locks seem to have stopped. Time will tell.
The IP's I found:  61.128.111.188 (61.128.96.0 - 61.128.127.255)  and  69.88.105.18 which routes to mail.sabas.us.  Not sure what either are.  After blocking at the firewall, one of the IP's disappeared from the DC from the netstat command.  One is still there, but so far so good.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33537185
The 61.128.111.188 IP address is from China.  I would imagine that you don't have many dealings with China, so blocking that range should be fine.
The Range for that IP Address I see is 61.128.0.0 - 61.191.255.255 which translates to:
61.128.0.0 with a Subnet Mask of 255.192.0.0
0
 

Author Comment

by:netw-virgo
ID: 33541689
Thanks for the translation - Alan. The other IP 69.88.105.18 is still showing as an established connection at the DC (netstat); however, there is no activity to the IP in the firewall log. Do I have to reboot for that connection to go away or is there a way to forcefully remove it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33541731
The IP 69.88.105.18 is a mail server - I just telnetted to it.
What TCP port is it coming in on and connecting to on your server (via netstat)?
0
 

Author Comment

by:netw-virgo
ID: 33541767
52513 is the port
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33541811
Inbound?  What about your server?  What port is it connected to?  25 / 587?
You should see their IP:port and your server IP:port.
0
 

Author Comment

by:netw-virgo
ID: 33541835
our server side is 445 connected to 69.88.105.18:52513
0
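Two checks from the exchange above, as an added example that is not code from the thread: the first flags ESTABLISHED connections to the server's SMB/NetBIOS ports (445 and 139) whose peer is not a private address, which is what the netstat inspection found; the second turns a WHOIS-style inclusive range such as the one given earlier for 61.128.0.0 - 61.191.255.255 into the network/netmask form a firewall deny rule takes. The netstat text is a constructed sample; 69.88.105.18 and 61.128.111.188 are the addresses discussed in the thread.

```python
# Added example, not code from the thread: flag external SMB connections in
# "netstat -an" output and convert a WHOIS range to network/netmask pairs.
# NETSTAT_SAMPLE is a constructed sample of Windows netstat output.
import ipaddress

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           69.88.105.18:52513     ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.31:1041         ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.44:1100         ESTABLISHED
  TCP    10.0.0.5:443           61.128.111.188:40001   ESTABLISHED
"""

WATCH_PORTS = {139, 445}  # SMB over NetBIOS and Microsoft-DS


def external_smb_connections(netstat_text, ports=WATCH_PORTS):
    """Return (local_port, remote_ip, remote_port) for each ESTABLISHED TCP
    connection to a watched local port whose peer is not a private address."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue  # skip headers, LISTENING sockets and UDP rows
        _local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        if int(local_port) in ports and not ipaddress.ip_address(remote_ip).is_private:
            findings.append((int(local_port), remote_ip, int(remote_port)))
    return findings


def range_to_blocks(first, last):
    """Express an inclusive IP range (as WHOIS reports it) as a list of
    (network, netmask) strings; a range that is not one CIDR block yields
    several entries, each of which needs its own firewall rule."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]
```

Only the 445 connection from 69.88.105.18 is reported; the 443 connection from an external address is not a watched port and the 10.x peers are internal.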
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33541969
Port 445 is Microsoft-DS which is used for DFS (SMB).  Are you using a Distributed File System on your server?
0
 

Author Comment

by:netw-virgo
ID: 33542235
I'm not sure if I am or not? There are 12 other connections from 445 to Internal IP addresses.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33542351
How big is your company and do you have multiple sites?
If you are a single site - I would question the need for port 445 to be open at all.
0
 

Author Comment

by:netw-virgo
ID: 33542390
we used to have several sites when owned by bigger company, but now we are only this one site
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33542410
I would close the port down on your firewall then - assuming it is open.
Visit www.canyouseeme.org and test port 445 to see if it is open.  If you get a good response - re-configure your firewall to shut down port 445.
What other ports do you have open?
0
 
LVL 3

Expert Comment

by:Ardiseis
ID: 33542617
Were it my server I would only open the following ports to the outside and I would pare this down to as few openings as possible

SMTP 25 - Simple Mail Transfer Protocol
HTTP 80 - Web only open if you are hosting a public web site
HTTPS 443 - SSL Web for OWA or RWW in most cases
RWW 4125 - Remote Web Workplace if SBS
PPTP 1723 - VPN Connections if hosting vpns
RDP 3389 - Remote Desktop Protocol (I try never to open this port but to do a Port address translation from say 3360 outside to 3389 inside)
SBS Sharepoint 444 - Windows SharePoint Services intranet site
FTP 21 - If File transfer protocol is being used
POP3 110 - If using POP3 mail connections
0
 

Author Comment

by:netw-virgo
ID: 33543015
We do have one remote user.  What will blocking port 445 do to her?  I may know soon.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33543107
Remote users will not use port 445 - I guess it depends on what they are doing.
If they use VPN - port 1723 will be used. If they use RPC over HTTPS, then port 443 will be used. If they use Remote Desktop, then port 4125 / 3389 will be used.
Block it - wait for the phone to ring, but I think it won't be ringing based on what you have been saying.
Ironically, the firewall logs I get hourly now are littered with calls to port 445 on the server I am monitoring closely - all dropped of course, but attempts are being made to see if the port is open.
0
 

Author Comment

by:netw-virgo
ID: 33544358
what is the best way to see all the ports that I have open?
0
 

Expert Comment

by:rmin75
ID: 33544414
MS has a tool for port querying, but I use the one from RADMIN http://www.radmin.com/products/utilities/portscanner.php

0
 

Author Comment

by:netw-virgo
ID: 33544507
I found the port scanner on grc.com and it found that port 22 and 443 are the only open ports
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33544730
I am not convinced that is true.  What did canyouseeme show up for port 445?
0
 

Author Comment

by:netw-virgo
ID: 33544795
it could not see service on port (445) Reason:  connection timed out; port 22 was not blocked according to canyouseeme
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33544905
No idea why you have port 22 open!  Do you?

Presumably you don't host a mail server on-site?
0
 

Author Comment

by:netw-virgo
ID: 33544970
yes, we have an exchange server.  and yes 22 is open.  (or was)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33545027
Okay - if you have an Exchange server, do you collect your emails or do they get delivered?  Without port 25 open or port 587 you won't be getting any mail delivered!

Port 22 is for SSH.  Might be for remote access to your router / firewall perhaps?
0
 

Author Comment

by:netw-virgo
ID: 33545826
The IP that canyouseeme 'sees' me as is a different IP than our exchange server IP. SMTP to our exchange server IP is permitted as a separate firewall access rule.

I'm not sure who needs remote access to the firewall - router is managed by ISP, so it sounds like I should probably close 22, and did.
0
 
LVL 3

Expert Comment

by:Ardiseis
ID: 33547666
Port 445 tends to be used by viruses to propagate to other systems or bring more home.
It sounds like you have a block of IP's and some one to one nat rules for secondary IP's.
Port Scan all your IP's make sure you do not have any holes elsewhere.

Also I would encourage breaking out the utility scanners to make sure your server(s) are virus free
Suggest
ComboFix
Superantispyware portable
HijackThis
malwarebytes
smitfraudfix (in safemode)
0
 

Author Comment

by:netw-virgo
ID: 33581025
Since configuring the firewall to deny ports 139 / 445 / 22, the China IP range, and one more range, there have been NO more locked accounts or strange connections to our server. Incidentally, those blocks have had 2298, 451, 25, 32 and 107 hit attempts, respectively, since adding them. There have been no user complaints except the remote user has seen a performance hit when checking in engineering drawings via the Teamcenter Express application. Another user cannot get to Google Earth, but another can, so all in all it's been a great exercise and successful so far.

I have not taken the advice to run the utility scanners yet, but plan to do that as well when I can take it off-line.

thanks for getting me this far.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 33581755
Sounds good.  I have not seen any more account lockouts since blocking the IP range I blocked either : )

Let's hope it stays that way.
0