netw-virgo (United States of America) asked:
AD user account lockouts

Windows 2003 DC's (2)

Recently, we've had a few users that have had their user accounts locked out.  Currently, I'm looking at an account that is locked out, the user is not in the building or working remotely, and his PC is shut down. As soon as I unlock his account, it is immediately locking out again.  I'm using the Lockoutstatus.exe tool, and can see the bad password count increase to five (our limit).   It shows as locked out on both DC's, but only one DC is showing the bad password count.

I've looked at the security event viewer logs, but I'm not sure what I'm seeing.  I see the event ID 644 where the account is locked out, with the caller machine name of \\NTscan.   What does that mean?

I had a different user earlier today complain of being locked out, and I had to 'unlock' his account (before I had the tools) at least 15 times before it would stay unlocked.

If it's a virus, McAfee is not showing it to me.  Any advice?
Alan Hardisty (United Kingdom):

The Conficker Virus springs to mind - or you are being externally abused with a password / username cracking system and they are trying brute force until they get the password.
I have seen a major increase in password guessing situations / account lockouts on the servers I manage and this ultimately leads to Authenticated Relaying of spam and trouble.
Conficker is also known to cause account lockouts, so might be worth scanning your computers for this (also make sure they have the patch applied).
http://www.sophos.com/products/free-tools/conficker-removal-tool.html 
Under the machine name in the event viewer, does it list the IP address?  Is it internal or external?  
netw-virgo (asker):

The IP address is not listed, the Caller User Name is the computer name of our DC with a $ sign at the end, the Caller Domain is our network domain name, and the Caller Logon ID is (0x0,0x3E7)

I'll also look into the Conficker virus.
It also sounds like the same problem I am waiting to happen again on an SBS 03 server I manage.  Convinced it is a remote PC / Server which is a home user's PC (not switched on all the time) that is trying to crack the passwords on the server.
It is using names like 123 / admin / root etc.  I have cranked up the logging on the firewall and get the logs emailed to me hourly, but the attack has not re-surfaced for 3 days (annoyingly).
Sounds like the computer "NTScan" is attacking your domain controller trying to guess passwords on your user accounts. But... NTScan could be an external computer, internal, or even a virtual machine on an infected computer.
So if it is happening to you both, I'm guessing you have checked for Conficker and that is not it?
Before today, it was a week ago that it happened to a different user where I had to continually unlock the account until it stayed unlocked.   When it happened again today, I knew I needed to get the lockout tools and 'ask the experts' how to figure this out.  I'm worried now that it's happening to you both.
I would be fairly confident that if it is not consistently happening, that it is not conficker.
Most likely to be a remote system interrogating yours.  Crank up the logging on the firewall / router and next time it happens, you should be able to cross reference the IP in the logs with the time / date of the account lockouts.  Then you can block the IP Range from the ISP of the offending IP address and the problem should go away.
Thanks - I'll give that a try - how does it know which user account names to try?
Guesswork usually I would imagine - perhaps based on email address harvesting or just random name generation and then when the account fires back a cannot login message - then they know the username is correct (all guesswork on my part - I am a good computer user - not a hacker ; )  )
So the reason the account will eventually let me unlock it is because the program remote system has stopped trying at that point?
I would imagine so - once it is locked out - they presumably know and back off for a time and then try again.
When this first started happening, had the user just changed their password that day? If so, it could be some service the user may have their account registered against that uses their account to log on, say a Nokia device that just keeps trying with their old password or something like that.
I would concentrate efforts on the NTScan machine. Do you have a computer by that name? If not go to the command prompt and type Net view to see if it is listed.

I am looking at the "machine name" that appears to be a NetBIOS UNC path. That has me a little taken aback.

My guess is you have mapped network drives that are trying to logon, as you set them to logon with the user's credentials, and remain logged on. Once you boot a computer the mapped network drives will try to authenticate with these outdated and saved credentials and the user account will soon, thereafter, be disabled.

Go to that user's computer, logon as administrator, and remove mapped network drives to \\ntscan to see if the user becomes disabled in AD.  
I do not have a computer by the name of NTScan, and it is not listed under net view.

I have unmapped network drives, and the account continues to become disabled. I'm using the lockoutstatus.exe program and can see the bad password count.  It happened when she was at my computer so I know she isn't typing in the wrong password.  It is going so fast that it must be automated.  She has not reset her password recently.

I'm trying to use the firewall logging to see something but so far nothing.  It appears that since I've been composing this response the issue has subsided.
Funny that - I have the same issue with my customer.  It has been about 4 days now and no additional account lockouts / invalid login attempts!
Waiting eagerly for the next attempts.
OK, researching the topic it appears that some of your systems are infected with a memory resident virus called SDbot or a variant of the virus.

SDBot is a memory resident program that will use dictionary attacks against the Username and password to spread throughout the Netbios shares. If an administrator logs onto that computer it will quickly infect every computer on the network.  Users are getting locked out because the dictionary attacks are causing failed logons. At the fifth failed logon, the user is immediately logged out.

This is what trend micro says about the virus:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EZN&VSect=T

This is what McAfee says about it:
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=100454#none
I just blocked an entire ISP IP Range from Greece that was trying to abuse an account for the customer mentioned earlier.
Did your problem present itself as coming from \\NTScan ?  What were you looking for in the firewall logs that got you to the point of blocking that range?  
The logs showed an IP constantly trying to use a particular port that was allowed through and the Security Log showed up Failed Login Attempts.
Cross referencing the Security log time for the Failed Logins to the Firewall log, I saw the IP and the port it was trying to use to connect through, looked up the IP address, got the IP range for the ISP and blocked the Subnet on the firewall.  No further attempts so far.
Still waiting for others though.
No - it was not \\NTSCAN
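The cross-referencing Alan describes (Security log lockout times against firewall log entries) can be scripted. This is an added example, not something posted in the thread: the log records are constructed, the addresses are RFC 5737 documentation ranges, and event IDs 644 (account locked out) and 529 (bad password) are the Windows 2003 Security log IDs.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed stand-in for Windows 2003 Security log records: (time, event ID, account, caller machine).
SECURITY_LOG = [
    ("2009-04-02 14:03:09", 529, "jsmith", r"\\NTSCAN"),
    ("2009-04-02 14:03:14", 644, "jsmith", r"\\NTSCAN"),
    ("2009-04-02 14:41:02", 644, "ajones", r"\\NTSCAN"),
    ("2009-04-02 16:10:45", 644, "bwhite", r"\\WS-BWHITE"),  # user mistyping locally, not the scanner
]

# Constructed firewall log lines (server is 192.0.2.10); format is an assumption.
FIREWALL_LOG = """\
2009-04-02 14:03:05 ALLOW TCP 198.51.100.23:52513 -> 192.0.2.10:445
2009-04-02 14:03:07 ALLOW TCP 198.51.100.23:52514 -> 192.0.2.10:445
2009-04-02 14:03:40 ALLOW TCP 203.0.113.77:40211 -> 192.0.2.10:25
2009-04-02 14:40:58 ALLOW TCP 198.51.100.23:52920 -> 192.0.2.10:445
2009-04-02 14:41:00 DROP  TCP 203.0.113.5:1133 -> 192.0.2.10:139
2009-04-02 16:10:30 ALLOW TCP 203.0.113.77:40988 -> 192.0.2.10:25
""".splitlines()

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP)\s+TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(security_log, firewall_lines, window_seconds=30):
    """Count (source IP, destination port) pairs the firewall ALLOWed in the
    window_seconds leading up to each account lockout (event 644)."""
    lockouts = [parse_time(t) for t, eid, _, _ in security_log if eid == 644]
    hits = Counter()
    for line in firewall_lines:
        m = FW_RE.match(line)
        if not m or m.group(2) != "ALLOW":
            continue  # dropped packets never reached the DC, so they cannot cause bad-password counts
        ts, src, port = parse_time(m.group(1)), m.group(3), int(m.group(4))
        if any(0 <= (lo - ts).total_seconds() <= window_seconds for lo in lockouts):
            hits[(src, port)] += 1
    return hits

if __name__ == "__main__":
    for (src, port), n in correlate(SECURITY_LOG, FIREWALL_LOG).most_common():
        print(f"{src}:{port} seen before {n} lockout(s)")
```

The repeated 445 (SMB) source is the real candidate; the single SMTP hit shows that timing alone also picks up legitimate traffic, so check that the destination port makes sense for a logon attempt before blocking a range.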
Is it possible for you to share the IP and port so that I could search my firewall logs for the same when it happens to me again?
Sure - only too happy to.
It was: 79.129.3.91
IP Information - 79.129.3.91
IP address:                     79.129.3.91
Reverse DNS:                    kozzmozz.static.otenet.gr.
Reverse DNS authenticity:       [Verified]
ASN:                            6799
ASN Name:                       OTENET-GR (OTEnet S.A. Multiprotocol Backbone & ISP)
IP range connectivity:          6
Registrar (per ASN):            RIPE
Country (per IP registrar):     GR [Greece]
Country Currency:               EUR [euros]
Country IP Range:               79.128.0.0 to 79.131.255.255
Country fraud profile:          Normal
City (per outside source):      Athens, Attiki
Country (per outside source):   GR [Greece]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 79.129.3.91
I found this happening again this afternoon to a user's account who had left for the day and his computer was shut down.  So I looked at connections at our DC since that is where \\NTScan originates, and found 2 connections to outside IP addresses that I don't recognize.  I blocked them at the firewall and the account locks seem to have stopped.  Time will tell.
The IP's I found:  61.128.111.188 (61.128.96.0 - 61.128.127.255)  and  69.88.105.18 which routes to mail.sabas.us.  Not sure what either are.  After blocking at the firewall, one of the IP's disappeared from the DC from the netstat command.  One is still there, but so far so good.
The 61.128.111.188 IP address is from China.  I would imagine that you don't have many dealings with China, so blocking that range should be fine.
The Range for that IP Address I see is 61.128.0.0 - 61.191.255.255 which translates to:
61.128.0.0 with a Subnet Mask of 255.192.0.0
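The range-to-mask translation Alan did by hand generalises: any inclusive IP range splits into a minimal set of aligned CIDR blocks, each with its own netmask for the firewall rule. This is an added example written for this thread, not code from any participant; it reimplements the splitting rule rather than calling ipaddress.summarize_address_range so the alignment logic is visible.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of CIDR blocks.
    Rule: from the current address take the largest block that is aligned to it
    (its lowest set bit) and still ends on or before `last`, then advance."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        size = cur & -cur if cur else 1 << 32   # largest size permitted by alignment of cur
        while cur + size - 1 > end:             # shrink until the block fits in the range
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)   # size == 2**(32 - prefix)
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += size
    return blocks

def to_mask_rules(first, last):
    """Return (network, netmask) string pairs, the form most firewalls of that era accept."""
    return [(str(b.network_address), str(b.netmask)) for b in range_to_cidrs(first, last)]

if __name__ == "__main__":
    # Ranges quoted in the thread: an aligned /10 and the Greek /14; plus a constructed
    # unaligned range that needs several blocks.
    for rng in [("61.128.0.0", "61.191.255.255"), ("79.128.0.0", "79.131.255.255"),
                ("192.0.2.5", "192.0.2.10")]:
        print(rng, "->", to_mask_rules(*rng))
```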
Thanks for the translation - Alan.  The other IP 69.88.105.18 is still showing as an established connection at the DC (netstat), however there is no activity to the IP in the firewall log.  Do I have to reboot for that connection to go away or is there a way to forcefully remove it?
The IP 69.88.105.18 is a mail server - I just telnetted to it.
What TCP port is it coming in on and connecting to on your server (via netstat)?
52513 is the port
Inbound?  What about your server?  What port is it connected to?  25 / 587?
You should see their IP:port and your server IP:port.
our server side is 445 connected to 69.88.105.18:52513
Port 445 is Microsoft-DS which is used for DFS (SMB).  Are you using a Distributed File System on your server?
I'm not sure if I am or not? There are 12 other connections from 445 to Internal IP addresses.
How big is your company and do you have multiple sites?
If you are a single site - I would question the need for port 445 to be open at all.
We used to have several sites when owned by a bigger company, but now we are only this one site.
I would close the port down on your firewall then - assuming it is open.
Visit www.canyouseeme.org and test port 445 to see if it is open.  If you get a good response - re-configure your firewall to shut down port 445.
What other ports do you have open?
Were it my server I would only open the following ports to the outside and I would pare this down to as few openings as possible

SMTP 25 - Simple Mail Transfer Protocol
HTTP 80 - Web only open if you are hosting a public web site
HTTPS 443 - SSL Web for OWA or RWW in most cases
RWW 4125 - Remote Web Workplace if SBS
PPTP 1723 - VPN Connections if hosting vpns
RDP 3389 - Remote Desktop Protocol (I try never to open this port but to do a Port address translation from say 3360 outside to 3389 inside)
SBS Sharepoint 444 - Windows SharePoint Services intranet site
FTP 21 - If File transfer protocol is being used
POP3 110 - If using POP3 mail connections
We do have one remote user.  What will blocking port 445 do to her?  I may know soon.
Remote users will not use port 445 - I guess it depends on what they are doing.
If they use VPN - port 1723 will be used.  If they use RPC over HTTPS, then port 443 will be used.  If they use Remote Desktop, then port 4125 / 3389 will be used.
Block it - wait for the phone to ring, but I think it won't be ringing based on what you have been saying.
Ironically, the firewall logs I get hourly now are littered with calls to port 445 on the server I am monitoring closely - all dropped of course, but attempts are being made to see if the port is open.
What is the best way to see all the ports that I have open?
rmin75:
MS has a tool for port querying, but I use the one from RADMIN http://www.radmin.com/products/utilities/portscanner.php

I found the port scanner on grc.com and it found that port 22 and 443 are the only open ports
I am not convinced that is true.  What did canyouseeme show up for port 445?
It could not see service on port (445) Reason:  connection timed out; port 22 was not blocked according to canyouseeme
No idea why you have port 22 open!  Do you?

Presumably you don't host a mail server on-site?
Yes, we have an Exchange server.  And yes, 22 is open (or was).
Okay - if you have an Exchange server, do you collect your emails or do they get delivered?  Without port 25 open or port 587 you won't be getting any mail delivered!

Port 22 is for SSH.  Might be for remote access to your router / firewall perhaps?
The IP that canyouseeme 'sees' me as is a different IP than our Exchange server IP.  SMTP to our Exchange server IP is permitted as a separate firewall access rule.

I'm not sure who needs remote access to the firewall - the router is managed by the ISP, so it sounds like I should probably close 22, and did.
Port 445 tends to be used by viruses to propagate to other systems or bring more home.
It sounds like you have a block of IP's and some one to one nat rules for secondary IP's.
Port Scan all your IP's make sure you do not have any holes elsewhere.

Also I would encourage breaking out the utility scanners to make sure your server(s) are virus free
Suggest
ComboFix
Superantispyware portable
HijackThis
malwarebytes
smitfraudfix (in safemode)
Since configuring the firewall to deny ports 139 / 445 / 22, the China IP range, and one more range, there have been NO more locked accounts or strange connections to our server.  Incidentally, those blocks have had 2298, 451, 25, 32 and 107 hit attempts, respectively, since adding them.  There have been no user complaints except the remote user has seen a performance hit when checking in engineering drawings via the Teamcenter Express application.  Another user cannot get to Google Earth, but another can, so all in all it's been a great exercise and successful so far.

I have not taken the advice to run the utility scanners yet, but plan to do that as well when I can take it off-line.

Thanks for getting me this far.
ASKER CERTIFIED SOLUTION: Alan Hardisty (United Kingdom)