[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Hundreds of failure Audit errors in Security log of DC

Posted on 2011-02-21
17
Medium Priority
?
855 Views
Last Modified: 2012-05-11
I am getting hundreds of Failed logon attempts.  Shows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

0
Comment
Question by:Geek_guy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
  • 2
  • +1
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944910
Have you checked your client machines for the conflicker worm ? this generally exhibits this behaviour i.e spamming random accounts with authentication requests causing lockouts.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 34944919
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Geek_guy
ID: 34944974
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.  
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945043
Let me know how it goes.
0
 

Author Comment

by:Geek_guy
ID: 34945079
IF this is the case, how would you be able to find it in all the clients?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945085
Assuming your clients have some Antivirus then just update the definitions and run a scan ? if not, then get some installed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945089
0
 
LVL 44

Expert Comment

by:Amit
ID: 34945098
Apart from check virus as mentioned by woolnoir. There is one more possibility that user might configured the batch job or a service with this account and forget to change the new password.

There is a MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe take output in a text file by appending > result.txt

or command will look like

c:\aloinfo.exe > result.txt

open the txt file and see if you can find that account. If you find that account, change the password or remove or unlink it from that service/batch job
0
 

Author Comment

by:Geek_guy
ID: 34945119
BUt it is from many many accounts.  Not one.  Most seem to be old disabled accounts.

0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945144
Yes... it does that, when we had an infection it spammed all our account and locked out about 1300 from 1 infected machine.
0
 

Author Comment

by:Geek_guy
ID: 34945353
Any clues why it would only show up on one DC.  Why wouldn't the errors show up on the other DC's?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945366
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945367
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 

Author Comment

by:Geek_guy
ID: 34952674
Do you have any clue about a way to isolate the source?  
0
 
LVL 44

Expert Comment

by:Amit
ID: 34952712
I suspect something wrong with your website. First IIS is not recommended on DC's at all. It seems, someone changed the password. Check IIS part.
0
 
LVL 20

Accepted Solution

by:
woolnoir earned 2000 total points
ID: 34952753
This gives some good info on how to network scan for any conficker infected machines.


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question