Solved

Hundreds of failure Audit errors in Security log of DC

Posted on 2011-02-21
17
849 Views
Last Modified: 2012-05-11
I am getting hundreds of Failed logon attempts.  Shows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

0
Comment
Question by:Geek_guy
  • 9
  • 5
  • 2
  • +1
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944910
Have you checked your client machines for the conflicker worm ? this generally exhibits this behaviour i.e spamming random accounts with authentication requests causing lockouts.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 34944919
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944920
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Geek_guy
ID: 34944974
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.  
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945043
Let me know how it goes.
0
 

Author Comment

by:Geek_guy
ID: 34945079
IF this is the case, how would you be able to find it in all the clients?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945085
Assuming your clients have some Antivirus then just update the definitions and run a scan ? if not, then get some installed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945089
0
 
LVL 42

Expert Comment

by:Amit
ID: 34945098
Apart from check virus as mentioned by woolnoir. There is one more possibility that user might configured the batch job or a service with this account and forget to change the new password.

There is a MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe take output in a text file by appending > result.txt

or command will look like

c:\aloinfo.exe > result.txt

open the txt file and see if you can find that account. If you find that account, change the password or remove or unlink it from that service/batch job
0
 

Author Comment

by:Geek_guy
ID: 34945119
BUt it is from many many accounts.  Not one.  Most seem to be old disabled accounts.

0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945144
Yes... it does that, when we had an infection it spammed all our account and locked out about 1300 from 1 infected machine.
0
 

Author Comment

by:Geek_guy
ID: 34945353
Any clues why it would only show up on one DC.  Why wouldn't the errors show up on the other DC's?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945366
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945367
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 

Author Comment

by:Geek_guy
ID: 34952674
Do you have any clue about a way to isolate the source?  
0
 
LVL 42

Expert Comment

by:Amit
ID: 34952712
I suspect something wrong with your website. First IIS is not recommended on DC's at all. It seems, someone changed the password. Check IIS part.
0
 
LVL 20

Accepted Solution

by:
woolnoir earned 500 total points
ID: 34952753
This gives some good info on how to network scan for any conficker infected machines.


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
how to add IIS SMTP to handle application/Scanner relays into office 365.

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question