• Status: Solved

Hundreds of failure Audit errors in Security log of DC

I am getting hundreds of Failed logon attempts.  Shows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

Geek_guy Asked:
 
woolnoir Commented:
Have you checked your client machines for the Conficker worm? This generally exhibits this behaviour, i.e. spamming random accounts with authentication requests, causing lockouts.
 
web_tracker Commented:
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
 
Geek_guy (Author) Commented:
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.
 
woolnoir Commented:
Let me know how it goes.
 
Geek_guy (Author) Commented:
If this is the case, how would you be able to find it in all the clients?
 
woolnoir Commented:
Assuming your clients have some antivirus, then just update the definitions and run a scan? If not, then get some installed.
 
Amit (IT Architect) Commented:
Apart from checking for a virus as mentioned by woolnoir, there is one more possibility: the user might have configured a batch job or a service with this account and forgotten to change the new password.

There is an MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe. Take the output in a text file by appending > result.txt

or the command will look like

c:\aloinfo.exe > result.txt

Open the txt file and see if you can find that account. If you find that account, change the password or remove or unlink it from that service/batch job.
 
Geek_guy (Author) Commented:
But it is from many many accounts.  Not one.  Most seem to be old disabled accounts.
 
woolnoir Commented:
Yes... it does that. When we had an infection it spammed all our accounts and locked out about 1300 from 1 infected machine.
 
Geek_guy (Author) Commented:
Any clues why it would only show up on one DC?  Why wouldn't the errors show up on the other DCs?
 
woolnoir Commented:
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
 
Geek_guy (Author) Commented:
Do you have any clue about a way to isolate the source?
 
Amit (IT Architect) Commented:
I suspect something is wrong with your website. First, IIS is not recommended on DCs at all. It seems someone changed the password. Check the IIS part.
 
woolnoir Commented:
This gives some good info on how to network scan for any Conficker-infected machines.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
Question has a verified solution.
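
One way to approach the "isolate the source" question raised in the thread, as an added example that is not part of the original posts: export the DC's Security log as text and group the Event 680 failure audits by Source Workstation, distinct accounts and error code. It assumes records in the layout quoted in the question; the function names, the `min_accounts` threshold and the sample records are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS codes that commonly appear in Event 680 failure audits.
NTSTATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password",
            "0xC0000072": "account disabled", "0xC0000234": "account locked out"}
FIELD = re.compile(
    r"(?m)^[ \t]*(Logon account|Source Workstation|Error Code):[ \t]*(\S+)[ \t]*$")

def parse_failures(text):
    """Return (source, account, error code) for each Event 680 failure audit."""
    out = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        if (not chunk.lstrip().startswith("Failure Audit")
                or not re.search(r"(?m)^Event ID:[ \t]*680[ \t]*$", chunk)):
            continue
        f = dict(FIELD.findall(chunk))
        if len(f) == 3:
            out.append((f["Source Workstation"].lstrip("\\").upper(),
                        f["Logon account"].lower(),
                        "0x" + f["Error Code"][2:].upper()))
    return out

def summarize(failures, min_accounts=3):
    """Group by source name; flag sources failing against many distinct accounts."""
    events, accounts, codes = Counter(), defaultdict(set), defaultdict(Counter)
    for src, acct, code in failures:
        events[src] += 1
        accounts[src].add(acct)
        codes[src][NTSTATUS.get(code, code)] += 1
    return [{"source": s, "events": n, "accounts": len(accounts[s]),
             "codes": dict(codes[s]), "many_accounts": len(accounts[s]) >= min_accounts}
            for s, n in events.most_common()]

def _rec(kind, acct, src, code):  # one constructed record in the page's layout
    return (f"Event Type:      {kind}\nEvent ID:      680\nDescription:\n"
            f" Logon account:      {acct}\n Source Workstation:      \\\\{src}\n"
            f" Error Code:      {code}\n\n")

# Constructed sample data (not taken from the original poster's log).
SAMPLE = "".join(_rec(*r) for r in [
    ("Failure Audit", "olduser1", "NTscan", "0xC0000234"),
    ("Failure Audit", "olduser2", "NTscan", "0xC0000072"),
    ("Failure Audit", "olduser3", "NTscan", "0xC000006A"),
    ("Failure Audit", "olduser1", "NTscan", "0xC0000234"),
    ("Failure Audit", "svc_backup", "APP01", "0xC000006A"),
    ("Failure Audit", "svc_backup", "APP01", "0xC000006A"),
    ("Success Audit", "alice", "WS07", "0x0"),
])

if __name__ == "__main__":
    for row in summarize(parse_failures(SAMPLE)):
        print(row)
```

A source failing against many distinct accounts fits the many-account pattern discussed in the thread, while one account failing repeatedly from one source fits the stale service or batch credential case. The Source Workstation value is a name reported by the client, so it may not resolve on the network, as with NTscan in the question.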
