Geek_guy
asked on
Hundreds of failure Audit errors in Security log of DC
I am getting hundreds of Failed logon attempts. Shows:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/21/2011
Time: 10:13:47 AM
User: NT AUTHORITY\SYSTEM
Computer: JAXZOODC3
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: jamisonl
Source Workstation: \\NTscan
Error Code: 0xC0000234
Most of the logon accounts are old, or I'm just seeing those more. There is no workstation NTscan (no ping to that name). If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again. The user will be unusable for about 30 minutes. I'm literally getting about 300 messages per minute. This is a DC, with a web site.
Have you checked your client machines for the Conficker worm? This generally exhibits this behaviour, i.e. spamming random accounts with authentication requests, causing lockouts.
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
ASKER
Mmmmm,
Interesting. I'll check.
Thanks for the idea.
Let me know how it goes.
ASKER
If this is the case, how would you be able to find it in all the clients?
Assuming your clients have some antivirus, just update the definitions and run a scan. If not, get some installed.
Apart from checking for a virus, as mentioned by woolnoir, there is one more possibility: a user might have configured a batch job or a service with this account and forgotten to update it to the new password.
There is a MS tool to check this.
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Download this tool on the affected machine and run ALoInfo.exe, capturing the output in a text file by appending > result.txt
The command will look like
c:\aloinfo.exe > result.txt
Open the text file and see if you can find that account. If you find it, change the password, or remove/unlink it from that service or batch job.
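Before installing anything on the clients, the DC's own Security log already says where the traffic comes from. The script below is an added example, not code from any poster in this thread and not the Microsoft tool linked above: it parses event 680 entries in the text layout quoted in the question, groups them by Source Workstation, and separates a spray pattern (one source failing against many different accounts, as a worm or brute-forcer does) from a stale-credential pattern (one source repeatedly failing on a single account, as a service or scheduled task holding an old password does). The log entries are constructed for the example; the NTSTATUS values are the standard ones, and 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT, meaning the attempt was counted against an account that was already locked, which is why an unlocked account re-locks at once. Host names, account names and the threshold of five distinct accounts are assumptions.

```python
import re

# Standard NTSTATUS values that appear in the "Error Code" field of event 680.
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_ACCOUNT_DISABLED = 0xC0000072

# One field per line, as in the event text pasted in the question.
FIELD_RE = re.compile(
    r"^(Event ID|Date|Time|Computer|Logon account|Source Workstation|Error Code):\s*(.*?)\s*$",
    re.M,
)


def parse_events(text):
    """Split exported Security-log text into 680 events; other event IDs are skipped."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        if fields.get("Event ID") != "680":
            continue
        events.append({
            "time": fields.get("Time", ""),
            "account": fields.get("Logon account", ""),
            # "\\NTscan" -> "NTSCAN": strip the UNC prefix and normalise case
            "source": fields.get("Source Workstation", "").lstrip("\\").upper(),
            "error": int(fields.get("Error Code", "0"), 16),
        })
    return events


def triage(text, min_accounts=5):
    """Per source workstation: event count, distinct accounts, lockout count and a verdict."""
    per_source = {}
    for ev in parse_events(text):
        s = per_source.setdefault(ev["source"], {"events": 0, "accounts": set(), "locked_out": 0})
        s["events"] += 1
        s["accounts"].add(ev["account"].lower())
        if ev["error"] == STATUS_ACCOUNT_LOCKED_OUT:
            s["locked_out"] += 1

    result = {}
    for src, s in per_source.items():
        n_acc = len(s["accounts"])
        if n_acc >= min_accounts:
            verdict = "spray"              # many accounts from one host: worm / brute force
        elif n_acc == 1 and s["events"] >= 3:
            verdict = "stale-credential"   # one account, repeated: service or batch job
        else:
            verdict = "unclassified"
        result[src] = {
            "events": s["events"],
            "distinct_accounts": n_acc,
            "locked_out": s["locked_out"],
            "accounts": sorted(s["accounts"]),
            "verdict": verdict,
        }
    return result


# Constructed sample data in the layout of the quoted event (hypothetical hosts/accounts).
EVENT_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: {eid}
Date: 2/21/2011
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: JAXZOODC3
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: {account}
Source Workstation: \\\\{source}
Error Code: {error}
"""

SAMPLE_EVENTS = [
    (680, "10:13:47 AM", "jamisonl", "NTscan", "0xC0000234"),
    (680, "10:13:47 AM", "bsmith", "NTscan", "0xC000006A"),
    (680, "10:13:48 AM", "tjones", "NTscan", "0xC0000234"),
    (680, "10:13:48 AM", "mlee", "NTscan", "0xC000006A"),
    (680, "10:13:49 AM", "kpatel", "NTscan", "0xC0000234"),
    (680, "10:13:49 AM", "jamisonl", "NTscan", "0xC000006A"),
    (680, "10:14:02 AM", "svc_backup", "JAXFS01", "0xC000006A"),
    (680, "10:19:02 AM", "svc_backup", "JAXFS01", "0xC000006A"),
    (680, "10:24:02 AM", "svc_backup", "JAXFS01", "0xC000006A"),
    # A non-680 entry, present only to show that other event IDs are ignored.
    (529, "10:14:10 AM", "guest", "WS12", "0xC000006A"),
]

SAMPLE_LOG = "\n".join(
    EVENT_TEMPLATE.format(eid=e, time=t, account=a, source=s, error=c)
    for e, t, a, s, c in SAMPLE_EVENTS
)

if __name__ == "__main__":
    for src, s in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:<10} events={s['events']:<4} accounts={s['distinct_accounts']:<3} "
              f"locked_out={s['locked_out']:<3} verdict={s['verdict']}")
```

Run it against a text export of the DC's Security log (copy the event descriptions as they appear above) and the source marked "spray" is the machine to pull off the network; the "stale-credential" source is where the ALoInfo-style check for a stored old password belongs. A source name that does not resolve, like NTscan here, is still a lead: the name is what the client put in its own NTLM request, so look for it in DHCP leases and switch tables rather than DNS. On Windows Server 2008 and later the same information is in event 4776, the successor to 680, with the same Source Workstation and Error Code fields.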
ASKER
But it is from many, many accounts. Not one. Most seem to be old disabled accounts.
Yes... it does that. When we had an infection it spammed all our accounts and locked out about 1300 from one infected machine.
ASKER
Any clues why it would only show up on one DC? Why wouldn't the errors show up on the other DCs?
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
ASKER
Do you have any clue about a way to isolate the source?
I suspect something wrong with your website. First, IIS is not recommended on DCs at all. It seems someone changed the password. Check the IIS part.