?
Solved

Hundreds of failure Audit errors in Security log of DC

Posted on 2011-02-21
17
Medium Priority
?
857 Views
Last Modified: 2012-05-11
I am getting hundreds of Failed logon attempts.  Shows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

0
Comment
Question by:Geek_guy
  • 9
  • 5
  • 2
  • +1
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944910
Have you checked your client machines for the conflicker worm ? this generally exhibits this behaviour i.e spamming random accounts with authentication requests causing lockouts.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 34944919
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it may be a hacker.
0
Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

 

Author Comment

by:Geek_guy
ID: 34944974
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.  
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945043
Let me know how it goes.
0
 

Author Comment

by:Geek_guy
ID: 34945079
IF this is the case, how would you be able to find it in all the clients?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945085
Assuming your clients have some Antivirus then just update the definitions and run a scan ? if not, then get some installed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945089
0
 
LVL 44

Expert Comment

by:Amit
ID: 34945098
Apart from check virus as mentioned by woolnoir. There is one more possibility that user might configured the batch job or a service with this account and forget to change the new password.

There is a MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe take output in a text file by appending > result.txt

or command will look like

c:\aloinfo.exe > result.txt

open the txt file and see if you can find that account. If you find that account, change the password or remove or unlink it from that service/batch job
0
 

Author Comment

by:Geek_guy
ID: 34945119
BUt it is from many many accounts.  Not one.  Most seem to be old disabled accounts.

0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945144
Yes... it does that, when we had an infection it spammed all our account and locked out about 1300 from 1 infected machine.
0
 

Author Comment

by:Geek_guy
ID: 34945353
Any clues why it would only show up on one DC.  Why wouldn't the errors show up on the other DC's?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945366
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945367
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 

Author Comment

by:Geek_guy
ID: 34952674
Do you have any clue about a way to isolate the source?  
0
 
LVL 44

Expert Comment

by:Amit
ID: 34952712
I suspect something wrong with your website. First IIS is not recommended on DC's at all. It seems, someone changed the password. Check IIS part.
0
 
LVL 20

Accepted Solution

by:
woolnoir earned 2000 total points
ID: 34952753
This gives some good info on how to network scan for any conficker infected machines.


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
Exchange administrators are always vigilant about Exchange crashes and disasters that are possible any time. It is quite essential to identify the symptoms of a possible Exchange issue and be prepared with a proper recovery plan. There are multiple…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question