  • Status: Solved
All Users Accounts getting locked

We have many users connected to a Domain Controller running on Windows Server 2003. All users seem to be getting their accounts locked today. There is no password expiration set. Any idea why this is happening?
Asked by: ben1211
2 Solutions
 
jmorourke80Commented:
Have you tried using Microsoft's account lockout tools, http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx, to identify what is happening?
yadayaCommented:
Looks like you have got the Conficker virus.  http://en.wikipedia.org/wiki/Conficker

Use this Conficker removal tool http://www.kaspersky.com/technews?id=203038750

Install antivirus and update all of your systems.

How to find systems with the virus:
1. Open the Security event log on your Domain Controller.
2. Find events with ID 644.
3. In the event description you will find the computer names with the virus.

ben1211Author Commented:
Guys... I checked the Event Viewer and under Security I am seeing this:

Pre-authentication failed:
       User Name:      shellyl
       User ID:            WVM\shellyl
       Service Name:      krbtgt/WVM.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      198.1.1.27

What does this mean?
 
ben1211Author Commented:
Guys, there are also no event logs with ID 644. Nothing found. Please advise urgently.
ben1211Author Commented:
Guys, I see a lot of this:

Pre-authentication failed:
       User Name:      vfns01
       User ID:            WVM\vfns01
       Service Name:      krbtgt/WVM.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      198.1.1.27
itubafCommented:
Please check for a virus; one or more clients in your network are infected. You may see the administrator account locked as well, but you will be able to log on locally.

Go to your DC, open Event Viewer and check the logs; you will find many authentication requests from many hosts, but for sure 1 or 2 will have many. Once you identify the host, go to the client and unplug its network cable, then check the logs on the DC (you may have to unlock accounts again). Monitor your DC for 1-2 hours; once it's fine, install AV on the clients and scan for the virus (don't plug infected clients into the network).
itubafCommented:
Unplug/shut down the client at Client Address 198.1.1.27 ASAP.
ben1211Author Commented:
Authentication Ticket Request:
       User Name:            Volunteer
       Supplied Realm Name:      WVM.COM
       User ID:                  -
       Service Name:            krbtgt/WVM.COM
       Service ID:            -
       Ticket Options:            0x40810010
       Result Code:            0x6
       Ticket Encryption Type:      -
       Pre-Authentication Type:      -
itubafCommented:
Is there any antivirus installed on your server?

I faced this issue and based on my experience I am advising you that in DC > Event Viewer > Security you will find "Failure Audit/Authentication Failure"; identify your host there. You may have to wait 5-10 minutes after unplugging the infected host.

 
itubafCommented:
Any luck?
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
I would also recommend the following application:

Free Conficker Worm Scanner

It will allow you to scan your network for unpatched workstations and servers, and also for infected workstations and servers.

http://www.eeye.com/Downloads/Security-Tools/Conficker-Worm-Scanning-Utility.aspx

Also download the

Account Lockout and Management Tools from Microsoft, which will allow you to check why the accounts are being locked out.

http://www.microsoft.com/downloads/en/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Please find below links for help with Conficker removal and prevention. The info is specific to the Sophos AV product, but there's some good information on securing your network and the Group Policies you need to apply.

Article ID: 110381
Title: Conficker Removal Tool: How to install and run the tool
URL: http://www.sophos.com/support/knowledgebase/article/110381.html

Article ID: 61259
Title: Sophos Anti-Virus: Tracking and finding Conficker infections
URL: http://www.sophos.com/support/knowledgebase/article/61259.html

Article ID: 51169
Title: Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker with Sophos Anti-Virus
URL: http://www.sophos.com/support/knowledgebase/article/51169.html
ben1211Author Commented:
Guys, some of the PCs in the network are infected with a virus. We have identified 3 PCs, but believe there could be more. We are just uncertain which PCs could be infected. Any way of knowing this from the Security logs?

We have McAfee antivirus installed on the server. I ran a scan on the server and no viruses were detected on it.

Checking PCs now.
jawdatroumiCommented:
Maybe your client is infected with Net-Worm.Win32.Kido.
This worm breaks the connection between client and server, so authentication fails.

Try the Net-Worm.Win32.Kido removal tool KK.exe.
yadayaCommented:
Check the failed authorization requests in the event log; clients with more than one or two failed authorization requests are infected by the virus. Disconnect them from the network, remove the virus, install hotfixes and antivirus.

I have posted how to remove Conficker from a machine and what hotfixes must be installed. See my previous post (Use this Conficker removal tool http://www.kaspersky.com/technews?id=203038750).

After curing the infected machines you need to scan, update and install antivirus on all of your systems, or the virus comes back.

yadayaCommented:
Here is a complete description of the security log event IDs: http://support.microsoft.com/kb/174074

Search your AD server's Security event log for event IDs:
644, 529, 539


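The two procedures above (look for 644 lockout events, and count failed authentication requests per client to find the hosts to unplug) can be done mechanically on the event text the asker pasted. The following is an added example written for this page, not code from the thread or from Microsoft. On Windows Server 2003 the "Pre-authentication failed" record is event 675, "Authentication Ticket Request" is event 672 and "User Account Locked Out" is event 644; the Kerberos codes in those records are standard: 0x12 is KDC_ERR_CLIENT_REVOKED (account locked out, disabled or expired, which is what a locked account produces on every further attempt), 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user), 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password). The sample events embedded below are constructed: the names and addresses follow the thread's paste but the 0x18 record, the 644 record and the Client Address on the 672 record are assumptions added so the ranking has something to separate.

```python
"""Added example: rank client hosts by Kerberos failures in pasted DC security events."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Windows Server 2003 event text in the thread.
# The 0x18 record, the 644 record and the Client Address on the 672 record are assumptions.
SAMPLE_EVENTS = r"""
Pre-authentication failed:
       User Name:      shellyl
       User ID:            WVM\shellyl
       Service Name:      krbtgt/WVM.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      198.1.1.27

Pre-authentication failed:
       User Name:      vfns01
       User ID:            WVM\vfns01
       Service Name:      krbtgt/WVM.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      198.1.1.27

Authentication Ticket Request:
       User Name:            Volunteer
       Supplied Realm Name:      WVM.COM
       Service Name:            krbtgt/WVM.COM
       Ticket Options:            0x40810010
       Result Code:            0x6
       Client Address:            198.1.1.27

Pre-authentication failed:
       User Name:      jdoe
       User ID:            WVM\jdoe
       Service Name:      krbtgt/WVM.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      198.1.1.40

User Account Locked Out:
       Target Account Name:      shellyl
       Target Account ID:      WVM\shellyl
       Caller Machine Name:      WS-RECEPTION
       Caller User Name:      DC01$
"""

# Standard Kerberos KDC error codes as they appear in 672/675 records.
KERBEROS_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account locked out, disabled or expired)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z -]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split pasted event text into records: {'type': <title>, <field>: <value>, ...}."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"type": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2)
        records.append(rec)
    return records


def summarize(records):
    """Per-client failure counts, the accounts each client failed for, the codes seen,
    and, from 644 records, which caller machine locked which account."""
    failures = Counter()
    users = defaultdict(set)
    codes = defaultdict(Counter)
    lockouts = defaultdict(set)
    for rec in records:
        code = rec.get("Failure Code") or rec.get("Result Code")
        client = rec.get("Client Address")
        if client and code and code != "0x0":          # 0x0 is a successful 672
            failures[client] += 1
            users[client].add(rec.get("User Name", "?"))
            codes[client][code] += 1
        if rec["type"] == "User Account Locked Out":
            lockouts[rec.get("Caller Machine Name", "?")].add(rec.get("Target Account Name", "?"))
    return failures, users, codes, lockouts


def suspect_hosts(records, min_failures=2, min_users=2):
    """Hosts that fail for several *different* accounts: a user mistyping one password
    does not look like this, a worm walking the account list does."""
    failures, users, codes, _ = summarize(records)
    return [(client, n, sorted(users[client]), dict(codes[client]))
            for client, n in failures.most_common()
            if n >= min_failures and len(users[client]) >= min_users]


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for client, n, accounts, seen in suspect_hosts(recs):
        print(f"{client}: {n} failures for {accounts}")
        for code, count in seen.items():
            print(f"    {count} x {code} {KERBEROS_CODES.get(code, 'unknown code')}")
    for machine, accounts in summarize(recs)[3].items():
        print(f"644 lockouts called from {machine}: {sorted(accounts)}")
```

Export the DC's Security log as text and feed it to `parse_events` instead of the sample; the host at the top of `suspect_hosts` is the one to unplug first. Once the account is locked, every further attempt from the worm shows up as 0x12 rather than 0x18, so count both rather than only "bad password" failures.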
itubafCommented:
Please make sure to create one user with admin rights, create a separate OU and nest the new user in it. I suggest you don't use the infected computers; even after removing Conficker and other worms your users will face problems. Better to take a backup of the infected PCs and format them.

Cheers
ben1211Author Commented:
han.... this patch http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Is it KB 958644 for Windows 2003 Server?

Do I need to download and install this same patch for the clients as well?
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
You need to install that patch everywhere to all servers and clients, using the correct download.
ben1211Author Commented:
Hi guys, I'm going to keep this thread open for a few days till I resolve this problem. Thanks for your help, guys. Will get back to you.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Yes, it's going to take you longer than a few days to sort out the issue.
ben1211Author Commented:
Guys... it was a virus, and we got it cleaned. Thank you for the help.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
What virus/trojan/malware for the record?