Solved

Hundreds of failure Audit errors in Security log of DC

Posted on 2011-02-21
17
852 Views
Last Modified: 2012-05-11
I am getting hundreds of failed logon attempts. It shows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/21/2011
Time:            10:13:47 AM
User:            NT AUTHORITY\SYSTEM
Computer:      JAXZOODC3
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Most of the logon accounts are old, or I'm just seeing those more.  There is no workstation NTscan (no ping to that name).  If someone needs to log in during their time, then it says they are locked out, and if I unlock the account it immediately locks again.  The user will be unusable for about 30 minutes.  I'm literally getting about 300 messages per minute.  This is a DC, with a web site.  

0
Question by:Geek_guy
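The pattern in the question (many different accounts, one source workstation that does not exist on the network, lockout code 0xC0000234) can be confirmed from the Security log export itself before any client is touched. The Python script below is an added example, not code from this thread: it parses a text export in the same layout as the event pasted above, groups Event ID 680 failures by Source Workstation, and flags any source that has failed against several distinct accounts. The sample records are constructed (only JAXZOODC3, jamisonl and \\NTscan come from the question); the NTSTATUS names are standard Windows values, and the threshold of three accounts is an assumption you would tune to your environment.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values that appear in the Error Code field of Event ID 680.
# 0xC0000234 is the code in the question (account locked out); the other
# three are the usual companions in a password-guessing burst.
STATUS_NAMES = {
    "0xC0000234": "account locked out",
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000072": "account disabled",
}

# Constructed sample export in the layout the author pasted, trimmed to the
# lines the parser reads (other lines of a real export are ignored).
# jamisonl and \\NTscan come from the question; everything else is made up.
SAMPLE_EXPORT = r"""
Event ID:      680
 Logon account:      jamisonl
 Source Workstation:      \\NTscan
 Error Code:      0xC0000234

Event ID:      680
 Logon account:      bsmith
 Source Workstation:      \\NTscan
 Error Code:      0xC000006A

Event ID:      680
 Logon account:      jdoe
 Source Workstation:      \\NTscan
 Error Code:      0xC0000064

Event ID:      680
 Logon account:      kwalsh
 Source Workstation:      \\WS-ACCT07
 Error Code:      0xC000006A

Event ID:      540
 User Name:      kwalsh
"""

FIELD_RE = re.compile(
    r"^\s*(Event ID|Logon account|Source Workstation|Error Code):\s+(.*?)\s*$",
    re.MULTILINE,
)


def describe(code):
    """Human-readable name for an NTSTATUS code, or the code itself."""
    return STATUS_NAMES.get(code, code)


def parse_events(text):
    """Split the export on blank lines and keep only Event ID 680 records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if fields.get("Event ID") != "680":
            continue  # success logons and other event types are not of interest
        code = fields.get("Error Code", "0x0")
        events.append({
            "account": fields.get("Logon account", "?"),
            # drop the leading \\ and upper-case so NTscan and ntscan merge
            "workstation": fields.get("Source Workstation", "?").lstrip("\\").upper(),
            "status": "0x" + code[2:].upper(),
        })
    return events


def summarize(events):
    """Per source workstation: attempt count, distinct accounts, status mix."""
    by_ws = defaultdict(lambda: {"attempts": 0, "accounts": set(), "status": Counter()})
    for e in events:
        s = by_ws[e["workstation"]]
        s["attempts"] += 1
        s["accounts"].add(e["account"])
        s["status"][e["status"]] += 1
    return by_ws


def suspicious_sources(summary, min_accounts=3):
    """One source failing against many different accounts is the signature the
    thread describes (a single infected host spraying the directory); a user
    mistyping their own password hits one account from one machine."""
    return sorted(ws for ws, s in summary.items() if len(s["accounts"]) >= min_accounts)


def report(summary):
    """One line per source, busiest first, with the error-code breakdown."""
    lines = []
    for ws, s in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        mix = ", ".join(f"{describe(c)}={n}" for c, n in s["status"].most_common())
        lines.append(f"{ws}: {s['attempts']} failures, {len(s['accounts'])} accounts ({mix})")
    return lines


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EXPORT))
    print("\n".join(report(summary)))
    print("investigate first:", ", ".join(suspicious_sources(summary)))
```

On a real DC you would feed it the saved text export of the Security log (Event Viewer, Save As, text) instead of SAMPLE_EXPORT. The Source Workstation field is whatever name the client supplied in the authentication request, so a name that does not resolve, as with NTscan here, means the next step is correlating by source IP at the network level rather than by name.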
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34944910
Have you checked your client machines for the Conficker worm? This generally exhibits this behaviour, i.e. spamming random accounts with authentication requests, causing lockouts.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 34944919
Is it possible an ex-employee is trying to remotely log into your network? Or maybe it is a hacker.
0
 

Author Comment

by:Geek_guy
ID: 34944974
Mmmmm,

Interesting.  I'll check.

Thanks for the idea.  
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945043
Let me know how it goes.
0
 

Author Comment

by:Geek_guy
ID: 34945079
If this is the case, how would you be able to find it in all the clients?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945085
Assuming your clients have some antivirus, then just update the definitions and run a scan? If not, then get some installed.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945089
0
 
LVL 43

Expert Comment

by:Amit
ID: 34945098
Apart from checking for a virus as woolnoir mentioned, there is one more possibility: the user might have configured a batch job or a service with this account and forgotten to change it to the new password.

There is a MS tool to check this.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Download this tool on the affected machine and run ALoInfo.exe, capturing the output in a text file by appending > result.txt.

The command will look like:

c:\aloinfo.exe > result.txt

Open the txt file and see if you can find that account. If you find that account, change the password, or remove or unlink it from that service/batch job.
0
 

Author Comment

by:Geek_guy
ID: 34945119
But it is from many, many accounts, not one. Most seem to be old disabled accounts.

0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945144
Yes... it does that. When we had an infection it spammed all our accounts and locked out about 1300 from 1 infected machine.
0
 

Author Comment

by:Geek_guy
ID: 34945353
Any clues why it would only show up on one DC? Why wouldn't the errors show up on the other DCs?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 34945366
The Trojan is probably attacking only one DC with auth requests. Depends how many you have in one site.
0
 

Author Comment

by:Geek_guy
ID: 34952674
Do you have any clue about a way to isolate the source?  
0
 
LVL 43

Expert Comment

by:Amit
ID: 34952712
I suspect something is wrong with your website. First, IIS is not recommended on DCs at all. It seems someone changed the password. Check the IIS part.
0
 
LVL 20

Accepted Solution

by:
woolnoir earned 500 total points
ID: 34952753
This gives some good info on how to network scan for any Conficker-infected machines.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
0
