Solved

Hundreds of failure Audit errors in Security log of DC

Posted on 2011-02-21
Last Modified: 2012-05-11
I am getting hundreds of failed logon attempts. The events show:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

0
Question by:Geek_guy
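As an added example (not part of the original question or any of the comments), the PowerShell below summarises the DC's NTLM credential-validation failures (Event ID 680 on Windows 2000/2003, Event ID 4776 on Windows 2008 and later) by source workstation, account and NTSTATUS code, so the host driving a lockout storm stands out from a single user who mistyped a password. The message texts in $Messages are constructed to mirror the 680 entry quoted above plus one 4776-style entry; nothing in them comes from the poster's log. Set $UseLiveLog to $true on a DC (PowerShell 3.0 or later) to read the real Security log instead.

```powershell
# Added example, not from the original post. Group 680/4776 failures by
# workstation, account and status so the source of a lockout storm stands out.

# NTSTATUS values that appear in the "Error Code" field of 680/4776.
$StatusNames = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Parse-NtlmFailure {
    param([string]$Message)
    # Both 680 and 4776 descriptions are "Label:<whitespace>Value" lines. The
    # labels differ only in case ("Logon account" vs "Logon Account") and
    # -match is case-insensitive, so one pattern per field covers both layouts.
    function Get-Field([string]$Label) {
        if ($Message -match "(?m)^\s*$Label\s*:\s*(\S+)") { $Matches[1] } else { '' }
    }
    $code = Get-Field 'Error Code'
    if ($code.Length -gt 2) { $code = '0x' + $code.Substring(2).ToUpper() }   # 4776 logs lowercase hex
    $name = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { 'UNKNOWN' }
    [pscustomobject]@{
        Account     = Get-Field 'Logon account'
        Workstation = (Get-Field 'Source Workstation') -replace '^\\\\', ''   # strip leading \\
        Status      = "$code $name"
    }
}

function Get-FailureSummary {
    param([string[]]$Messages)
    $rows = @($Messages | ForEach-Object { Parse-NtlmFailure $_ })
    [pscustomobject]@{
        Total         = $rows.Count
        ByWorkstation = $rows | Group-Object Workstation | Sort-Object Count -Descending |
                        Select-Object @{ n = 'Workstation'; e = { $_.Name } }, Count
        ByStatus      = $rows | Group-Object Status | Sort-Object Count -Descending |
                        Select-Object @{ n = 'Status'; e = { $_.Name } }, Count
        ByAccount     = $rows | Group-Object Account | Sort-Object Count -Descending |
                        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
    }
}

$UseLiveLog = $false
if ($UseLiveLog) {
    # Windows 2008+ DC. A Windows 2003 DC would use:
    #   Get-EventLog -LogName Security -InstanceId 680 | ForEach-Object { $_.Message }
    $Messages = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 680, 4776 } -MaxEvents 5000 |
                ForEach-Object { $_.Message }
} else {
    # Constructed sample: several stale accounts from one unresolvable workstation
    # name, plus one genuine typo from a real PC, in both the 680 and 4776 layouts.
    $Messages = @(
        "Logon attempt by:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`n Logon account:`tjamisonl`n Source Workstation:`t\\NTscan`n Error Code:`t0xC0000234",
        "Logon attempt by:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`n Logon account:`tsmithb`n Source Workstation:`t\\NTscan`n Error Code:`t0xC0000072",
        "Logon attempt by:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`n Logon account:`tadmin`n Source Workstation:`t\\NTscan`n Error Code:`t0xC0000064",
        "Logon attempt by:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`n Logon account:`tjamisonl`n Source Workstation:`t\\NTscan`n Error Code:`t0xC0000234",
        "The computer attempted to validate the credentials for an account.`n`nAuthentication Package:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`nLogon Account:`tjdoe`nSource Workstation:`tJAXZOO-PC12`nError Code:`t0xc000006a"
    )
}

$summary = Get-FailureSummary -Messages $Messages
"{0} credential validation failures parsed" -f $summary.Total
$summary.ByWorkstation | Format-Table -AutoSize
$summary.ByStatus      | Format-Table -AutoSize
$summary.ByAccount     | Select-Object -First 10 | Format-Table -AutoSize
```

Reading the output: many distinct accounts (including disabled and non-existent ones) from one workstation name is the signature of a worm or a password-guessing tool walking an account list; one account failing repeatedly from one host points at a stored stale credential instead. One caveat: the "Source Workstation" field is the name the NTLM client puts in its own authenticate message, not something the DC resolves or verifies, so a name that does not exist on the network (like NTscan) is itself a warning sign, and the true origin has to be found from the network side, for example by enabling Netlogon debug logging on the DC with `nltest /dbflag:0x2080ffff` and reading %windir%\debug\netlogon.log, or from the logs of the server that forwarded the authentication.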
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944910
Have you checked your client machines for the Conficker worm? This generally exhibits this behaviour, i.e. spamming random accounts with authentication requests causing lockouts.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 34944919
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944920
0
 

Author Comment

by:Geek_guy
ID: 34944974
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.  
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945043
Let me know how it goes.
0
 

Author Comment

by:Geek_guy
ID: 34945079
IF this is the case, how would you be able to find it in all the clients?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945085
Assuming your clients have some antivirus, then just update the definitions and run a scan? If not, then get some installed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945089
0
 
LVL 41

Expert Comment

by:Amit
ID: 34945098
Apart from checking for a virus, as mentioned by woolnoir, there is one more possibility: a user might have configured a batch job or a service with this account and forgotten to change it to the new password.

There is a MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe; capture the output in a text file by appending > result.txt.

The command will look like:

c:\aloinfo.exe > result.txt

Open the text file and see if you can find that account. If you find that account, change the password, or remove or unlink it from that service/batch job.
0
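As an added example (not from the comment above and not part of the Microsoft Account Lockout and Management Tools package it links to), the PowerShell below covers the same ground as ALoInfo.exe from a script: it lists the services and scheduled tasks on one or more hosts that run under domain accounts, so a job still holding an old password can be located and fixed. JAXZOO is an assumed NetBIOS domain name taken from the event's computer name; substitute your own. It needs WMI/RPC access to the target machines.

```powershell
# Added example, not from the original post or the ALTools download. Find
# services and scheduled tasks that run as domain accounts on the given hosts.

function Get-DomainAccountUsage {
    param(
        [Parameter(Mandatory)][string]$Domain,              # NetBIOS domain name, e.g. JAXZOO
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Match DOMAIN\user or user@domain.tld. LocalSystem, NT AUTHORITY\..., NT SERVICE\...
    # and plain local accounts (no backslash, no @) do not match and are skipped.
    $pattern = '^(?:' + [regex]::Escape($Domain) + '\\|[^\\@]+@)'

    foreach ($computer in $ComputerName) {
        # Services: Win32_Service.StartName is the configured logon account.
        Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Type = 'Service'; Name = $_.Name
                    Account  = $_.StartName; State = $_.State
                }
            }

        # Scheduled tasks: schtasks.exe exposes a "Run As User" column in verbose CSV
        # output. Newer Windows repeats the header row once per task folder; those rows
        # never match $pattern, so they fall out harmlessly.
        schtasks.exe /Query /S $computer /V /FO CSV 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Type = 'Task'; Name = $_.TaskName
                    Account  = $_.'Run As User'; State = $_.'Scheduled Task State'
                }
            }
    }
}

# Sweep the local machine. For the whole domain, feed in the computer list, e.g.
#   Get-DomainAccountUsage -Domain 'JAXZOO' -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)
Get-DomainAccountUsage -Domain 'JAXZOO' | Sort-Object Account, Computer | Format-Table -AutoSize
```

Compare the accounts this returns with the "Logon account" values in the 680 events: a service or task whose account shows up with 0xC000006A (wrong password) followed by 0xC0000234 (locked out) is the stale credential to fix. Services and tasks are the common culprits, but the same check applies to IIS application pool identities, mapped drives and credentials saved with `cmdkey /list` on the offending host.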
 

Author Comment

by:Geek_guy
ID: 34945119
But it is from many, many accounts. Not one. Most seem to be old disabled accounts.

0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945144
Yes... it does that. When we had an infection it spammed all our accounts and locked out about 1300 from 1 infected machine.
0
 

Author Comment

by:Geek_guy
ID: 34945353
Any clues why it would only show up on one DC? Why wouldn't the errors show up on the other DCs?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945366
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 

Author Comment

by:Geek_guy
ID: 34952674
Do you have any clue about a way to isolate the source?  
0
 
LVL 41

Expert Comment

by:Amit
ID: 34952712
I suspect something is wrong with your website. First, IIS is not recommended on DCs at all. It seems someone changed the password. Check the IIS part.
0
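As an added example (not from the comment above), this PowerShell follows up the "check IIS" advice. When the DC also serves a web site, every failed HTTP authentication against that site is validated locally and lands in the Security log as a 680/4776 event, while the client's IP address is only in the IIS W3C log. The function parses a W3C log, keeps the 401 responses in a window around the event's timestamp and groups them by client address and attempted user name. The log lines in $Sample are constructed; point it at a real file instead (IIS 6: %windir%\system32\LogFiles\W3SVC1\exYYMMDD.log, IIS 7 and later: %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\u_exYYMMDD.log). W3C timestamps are UTC by default, so the event time is passed with the DC's UTC offset, assumed here to be US Eastern standard time.

```powershell
# Added example, not from the original post. Correlate 401s in an IIS W3C log
# with a lockout event's timestamp and report which client addresses sent them.

function Get-Iis401Sources {
    param(
        [string[]]$Lines,                 # raw lines of a W3C extended log
        [datetimeoffset]$EventTime,       # event time as shown on the DC, with the DC's UTC offset
        [int]$WindowMinutes = 5
    )
    $centre = $EventTime.UtcDateTime
    $from   = $centre.AddMinutes(-$WindowMinutes)
    $to     = $centre.AddMinutes($WindowMinutes)
    # Parse "date time" as UTC and keep it as UTC so it compares with $from/$to.
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor [Globalization.DateTimeStyles]::AdjustToUniversal
    $fields = $null

    $hits = foreach ($line in $Lines) {
        # The #Fields directive names the columns; honour it instead of hard-coding positions.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }    # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        $stamp = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                        [Globalization.CultureInfo]::InvariantCulture, $styles)
        if ($stamp -lt $from -or $stamp -gt $to) { continue }
        [pscustomobject]@{ ClientIP = $row['c-ip']; User = $row['cs-username']; Uri = $row['cs-uri-stem'] }
    }

    $hits | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Name
            Attempts = $_.Count
            Users    = ($_.Group | Select-Object -ExpandProperty User |
                        Where-Object { $_ -ne '-' } | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample in IIS 6 W3C format (UTC). The post's event was logged at
# 10:13:47 local; with an assumed UTC-5 offset that is 15:13:47 UTC. sc-win32-status
# 1909 = account locked out, 1331 = account disabled, 1326 = logon failure.
$Sample = @(
    '#Software: Microsoft Internet Information Services 6.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status',
    '2011-02-21 15:13:45 10.1.1.5 GET /intranet/default.aspx - 80 - 203.0.113.77 Mozilla/4.0 401 2 5',
    '2011-02-21 15:13:46 10.1.1.5 GET /intranet/default.aspx - 80 JAXZOO\jamisonl 203.0.113.77 Mozilla/4.0 401 1 1909',
    '2011-02-21 15:13:47 10.1.1.5 GET /intranet/default.aspx - 80 JAXZOO\smithb 203.0.113.77 Mozilla/4.0 401 1 1331',
    '2011-02-21 15:13:47 10.1.1.5 GET /intranet/default.aspx - 80 JAXZOO\jdoe 192.168.10.42 Mozilla/5.0 401 1 1326',
    '2011-02-21 15:13:48 10.1.1.5 GET /intranet/default.aspx - 80 JAXZOO\jdoe 192.168.10.42 Mozilla/5.0 200 0 0',
    '2011-02-21 12:02:10 10.1.1.5 GET /intranet/default.aspx - 80 - 198.51.100.9 curl/7.19 401 2 5'
)

Get-Iis401Sources -Lines $Sample -EventTime ([datetimeoffset]'2011-02-21T10:13:47-05:00') | Format-Table -AutoSize
# Real log: Get-Iis401Sources -Lines (Get-Content "$env:windir\system32\LogFiles\W3SVC1\ex110221.log") -EventTime ...
```

On the sample this reports 203.0.113.77 with three 401s across two different accounts inside the window and 192.168.10.42 with a single failure followed by a successful logon; the first is the pattern to chase, the second is a user who mistyped once. With a real log, an external address cycling through many account names is the source to block at the firewall, and it also explains why an unresolvable "Source Workstation" name appears in the 680 events: an HTTP client supplies whatever workstation name it likes.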
 
LVL 20

Accepted Solution

by: woolnoir (earned 500 total points)
ID: 34952753
This gives some good info on how to network scan for any Conficker-infected machines.


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
0
