Solved

Frequent account lockouts for no apparent reason

Posted on 2011-09-21
955 Views
Last Modified: 2012-05-12
Yesterday I got 30 account lockouts (Event ID 539) on my own user account, but only 5 incorrect logins (Event ID 529 - logon type 3) - which mostly don't even match up with the lockouts. Nothing seems to be coming from an external IP address, or even from a workstation on the domain. Today there are no login errors at all.

What could this be? Should I just ignore it?

SBS 2003 Standard, SP2

Thank you in advance,
Gary
Question by:Clapador
23 Comments
 
LVL 26

Expert Comment

by:MidnightOne
ID: 36584299
I wouldn't ignore it. For the events you did get, what PID (and process) did match? Is it possible the IP address is from the VPN side of the house?

Author Comment

by:Clapador
ID: 36585439
If I understand your question correctly, the Process ID was 6192 (once) and 6472 (29 times) and the process is Advapi. No IP address is listed.

Yes, I had connected from home to my office by VPN that morning and forgot to disconnect when I left for work.

Is this a clue?

Thank you for your help,
Gary
LVL 26

Expert Comment

by:MidnightOne
ID: 36588937
Yep, that does help. ADVAPI is kind of integral to Kerberos logons, much like four wheels are kind of important to drive my car. :)

I've found some references to ADVAPI being a virus as well, however these reports are from 2005 or so and presuming you've got any anti-virus at all that should be a non-starter.

Without a holistic view of event logs I'm less certain, but it would seem to relate to the open VPN connection. Were the 30 account lockouts on 30 different accounts, or on your account only?

Author Comment

by:Clapador
ID: 36589009
Thank you for the quick response. The lockouts were on my account only. The bad password errors were on my account also (though a few days before I got failed logons to nonexistent accounts). The lockouts did not match up with the failed logons.

I use Symantec Endpoint Protection on the server and workstations, all of which are managed by the server, and there are no risks mentioned in the Symantec logs.
LVL 61

Expert Comment

by:btan
ID: 36591893
Probably also check if there are any processes and ports listening using netstat [1]. If there are ports that are high and unusual, it may call for further checks on the process using Process Explorer [2].

[1] http://www.youtube.com/watch?v=RlKxI8HcdWI
[2] http://technet.microsoft.com/en-us/sysinternals/bb896653

Also, if your account is administrator it can be exploited by malware to escalate privilege and do further damage. Also, if you reboot, hopefully the malware (if any) will not survive that; otherwise you can use Autoruns [3] to inspect too (Run registry keys etc.).

[3] http://technet.microsoft.com/en-us/sysinternals/bb963902

Morto [4] and Conficker [5] typically brute-force accounts using the infected machine. SEP would alert you to their presence, but do have the latest signatures at a minimum.

[4] http://www.f-secure.com/weblog/archives/00002227.html
[5] http://nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/

Author Comment

by:Clapador
ID: 36594024
I don't see any unfamiliar processes or connections except for one foreign address:

TCP    SERVER1:1849           63-217-8-74.static.pccwglobal.net:http  TIME_WAIT
TCP    SERVER1:1972           63-217-8-74.static.pccwglobal.net:http  ESTABLISHED

Endpoint Protection shows nothing. I am now running MalwareBytes.

More soon,
Gary

Author Comment

by:Clapador
ID: 36594138
P.S. The account lockouts last night were on my own user account and a second valid user account! No other names were tried. Maybe it's an internal process that's misconfigured?
LVL 61

Expert Comment

by:btan
ID: 36594903
Did a quick check on pccw.global.net and it does not have a good reputation; it was previously blacklisted.

http://www.robtex.com/dns/63-217-8-74.static.pccwglobal.net.html#result
http://www.rfc-ignorant.org/tools/lookup.php?domain=63-217-8-74.static.pccwglobal.net
http://www.robtex.com/dns/www.pccwglobal.net.html

The process ID for the second account should be available in the Security log in Event Viewer.

Author Comment

by:Clapador
ID: 36720738
No login errors for a few days, then last night a lot, this time on the Administrator account (see attached file). (Previous failed logons were for a variety of real and nonexistent user names.) The attempts were at 22:54 - 22:55 pm. I am puzzled that there is no internal or external IP address specified. But if there is a machine misconfiguration, why do I not get these errors every day?

Are these Samba errors? I do not have any Linux workstations. I do have a Cisco router with attached storage that has a Linux interface, but it is always on with no changes, and these errors just started recently.

Also, can this article be useful? http://support.microsoft.com/kb/276541 (it is for an earlier version of Windows Server). "Unexpected Account Lockouts Caused When Logging On to Outlook from an Untrusted Domain". I often work from home using Remote Web Workplace, but at the time of the errors, I am usually asleep and my home computer is turned off. At those times, the office is empty but the computers are on.

Thank you all for your help.
Gary

 logon-log.txt
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 37126657
Sorry for the late reply. Taking a look at the log, the 0xC000006A error code represents that the username (in this case administrator) is correct but the logon used a misspelled or bad password. The null is just for the domain, which in this case is excluded since it is stated out front as "dasilva.local".

Apparently, to get more information from the log, we can try enabling the debugging mode of Netlogon.dll at the DC side, but there is nothing specific to show the IP address in the log.

http://support.microsoft.com/kb/109626
http://support.microsoft.com/kb/189541

Not that straightforward to record those, but if we were to put a sniffer in and run it accordingly then we may get some correlation of the IP, or even a FW before the DC...
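The accepted answer and footech's later comments turn on one fact: the 529/539 Security events on this server carry no client IP, while the IIS SMTP log (exNNNNNN.log) does. The script below is an added example, not code from the thread or from Microsoft: it parses a constructed, simplified Security log export (one event per line: date, time, event ID, account, logon type, NTSTATUS), finds minutes with a burst of failed logons, and then looks in constructed SMTP W3C log lines for the AUTH attempts in that same minute to recover the source address. The log layouts and IPs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, simplified Security log export (one event per line, not the asker's real log):
# date time event-id account logon-type ntstatus; 529 = failed logon, 539 = account locked out
SECURITY_LOG = """\
2011-10-23 22:54:10 529 Administrator 3 0xC000006A
2011-10-23 22:54:11 529 Administrator 3 0xC000006A
2011-10-23 22:54:12 529 gary 3 0xC000006A
2011-10-23 22:54:40 529 Administrator 3 0xC000006A
2011-10-23 22:55:02 539 gary 3 0xC0000234
2011-10-24 09:00:00 529 gary 2 0xC000006A
"""
# Constructed lines in the shape of an IIS SMTP exNNNNNN.log (W3C extended); these carry c-ip
SMTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2011-10-23 22:54:10 203.0.113.45 AUTH - 535
2011-10-23 22:54:11 203.0.113.45 AUTH - 535
2011-10-23 22:54:40 203.0.113.45 AUTH - 535
2011-10-24 08:59:58 198.51.100.7 EHLO - 250
"""
NTSTATUS = {"0xC000006A": "bad password", "0xC0000064": "no such user",
            "0xC0000234": "account locked out", "0xC000006F": "outside logon hours"}

def parse_security(text):
    events = []
    for line in text.splitlines():
        d, t, eid, acct, ltype, status = line.split()
        events.append({"time": datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": acct.lower(), "logon_type": int(ltype),
                       "reason": NTSTATUS.get(status, status)})
    return events

def failed_logon_bursts(events, threshold=3):
    """(minute, account, count) for each minute with at least `threshold` 529 events."""
    buckets = defaultdict(int)
    for e in events:
        if e["id"] == 529:
            buckets[(e["time"].replace(second=0), e["account"])] += 1
    return sorted((m, a, n) for (m, a), n in buckets.items() if n >= threshold)

def smtp_sources_in_window(text, start, window=timedelta(minutes=1)):
    """Client IPs with SMTP AUTH attempts inside [start, start+window): the source the 529s lack."""
    ips = defaultdict(int)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        d, t, ip, method, _query, status = line.split()
        when = datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S")
        if method == "AUTH" and start <= when < start + window:
            ips[ip] += 1
    return dict(ips)
```

Run against a real export, the minute-bucket output tells you which accounts were hammered and when, and the SMTP pass gives the address to put on the firewall drop list that the Security log alone cannot.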

Author Comment

by:Clapador
ID: 37148507
One day I got 4500 failed logon attempts, but most days I get none. It seems like a hacker, but there is no IP address. That is what puzzles me. My passwords are strong, but still, where are these logins coming from? Why is there no IP address?

I turned on logon logging over a month ago so I do have a log. Unfortunately, the interesting days' activities have been purged, so I have nothing to show you.

Thank you for your help,
Gary
LVL 61

Expert Comment

by:btan
ID: 37149599
Since it is constantly coming, maybe a sniffer at the gateway can help trace down the likely source IP, especially since it seems to be from a local machine instead, I suppose. Another way I am thinking of is, if account lockout is enabled, more info can be shed, maybe including the source host or IP address. Likely to be some intentional attempts, but possibly also a remote-controlled infected machine doing it on their behalf.
LVL 39

Assisted Solution

by:footech
footech earned 250 total points
ID: 37149666
In the past I have tried to determine the exact source of failed logon attempts myself, but have never come up with a 100% answer.  That is why I was monitoring this thread, hoping someone else could shed some light.  However, I will share what I know.
Here's a link to a page with the different logon types explained.
http://www.windowsecurity.com/articles/Logon-Types.html
One thing that I read was that the IP is not always able to be logged.  Best bet is to turn on logging for IIS (if logon type=3) to try to capture.  Also saw a note where someone was getting this by attempts to authenticate against Exchange (SMTP) in order to relay, and saw this by increasing the SMTP logging.

Author Comment

by:Clapador
ID: 37156732
I will increase my logging. Account lockout is enabled, but that only works with valid accounts, not incorrect account names, and not Administrator, so lockouts are rare. Interesting you (footech) mention SMTP relaying. I have relaying disabled (at least it was set up that way a few years ago after a spate of hacking attempts). How do I turn on IIS logging? I think I know how to turn on SMTP logging (at least I once knew!).

Thank you again,
Gary
LVL 39

Expert Comment

by:footech
ID: 37156963
In IIS Manager, go to properties of your web site.  On the Web Site tab, select "Enable logging".  On the Home Directory tab, select "Log visits".  You also have to have "Log visits" selected in the properties of any virtual directories you want.

Not 100% sure on this one, but I think the correct one for SMTP is under System Manager > properties of Exchange server > Diagnostics Logging tab > MSExchangeTransport > SMTP protocol set to Maximum.
LVL 61

Expert Comment

by:btan
ID: 37157031

Author Comment

by:Clapador
ID: 37157550
Well, shiver my timbers! I already have logging turned on for Web Site and Home Directory in IIS, and for SMTP (which I had enabled via a setting for the SMTP Virtual Server), but not Diagnostics Logging >...> SMTP protocol, which I just set to Maximum. I wonder if I can find anything in my existing logs for October 23, 2011 when I got 4500 failed logons, but no lockouts. I'm not sure where the Web Site and Home Directory logs are, or where Diagnostic Logging keeps its logs. I will investigate. More later...

Breadtan - the article was interesting. At least now I know why there are no IP addresses in the logs.

Gary
LVL 39

Expert Comment

by:footech
ID: 37157626
For the SMTP, that should all be present in your event logs.  For IIS, look under C:\Windows\system32\LogFiles\ . There will be different folders here for different things, but the default website should be W3SVC1.

Author Comment

by:Clapador
ID: 37157680
I think it does have something to do with SMTP relaying. I am attaching the SMTP log file showing thousands of connections that correspond in time to the failed logon entries in my event log. I don't know how the logon names in the event log fit in, but I am convinced this explains what is going on. I notice lots of 250 responses, which indicates (I think) a successful communication at some level, but I know that the logons failed.

I can add the source IP address to my drop list in my firewall, but the spammer seems to have gone away.

One last question, can you tell if my server is adequately protected against this type of attack, or is there something more I should be worrying about?
ex111023.log
LVL 39

Expert Comment

by:footech
ID: 37157685
BTW, whenever I had a bunch of failed logon attempts seen in the security event log, they were almost always for common usernames.  When the username wasn't even present on my system, I usually didn't care, but when it was for something like administrator (which I hadn't renamed at the time), it was a little more concerning.  I cut down on a huge number of those by not allowing direct RDP connections from external.

As far as lockouts go, about the only time I experience frequent lockouts is when a user has a misconfigured program using wrong credentials, or with a VPN configuration that is passing wrong credentials.  Let me explain that last one.  In our setup, the VPN credentials are different than the credentials needed to logon to the domain.  The Windows 7 VPN client will by default try to use the credentials used to establish the VPN to access the domain resources, and so the problem.  The fix is to edit a line in the Rasphone.pbk file for each user, changing it from UseRasCredentials=1 to =0.  May not apply to you, but thought I'd mention it.

Author Closing Comment

by:Clapador
ID: 37157733
I wish I could give all of you points.

Like footech, I do not have a definite answer, as different failed logons may have different causes. But at least now I know what to look for, and where. I also understand why IP addresses may be missing from the event logs, and I am glad that I know where to find them in other logs. I am comforted that hackers and spammers are not getting in (I was not so sure when I posted my original question). I would still like to know how "they" got some of my actual account names, but it could have been from e-mail addresses in e-mails that they saw.

I had Wireshark running for a while, and it did not indicate anything alarming.

As these attacks come only sporadically, separated by weeks of calm,  I guess it's just random hacking, foiled by using strong passwords and disabling relaying.

Thank you again to all of you.
LVL 39

Expert Comment

by:footech
ID: 37158069
Yeah, it can be disconcerting at first to see the myriad of attempts to access or break your system.  As usual, the best defense is to learn what is happening behind these, and peace of mind comes from knowing that an attempt doesn't (always) equal compromise.  Trust (as much as you can) that your defenses are doing their job, and then continue to monitor for obvious signs of problems.

It's difficult to determine what's adequate, but mostly it's making sure that you're not "low hanging fruit", which you appear to have done.

Regards.
LVL 61

Expert Comment

by:btan
ID: 37158603
Simply said, there is no 100% security achievable, as what even that threshold is, no one sees it, or it can have different meanings. At least, for those known vulnerabilities, due diligence and care is taken constantly to reduce the window of exposure. Secure by default and deployment makes the aggressor's life tougher in sieving out the cracks.

At least, you are aware of the attack and have safeguards to blacklist and deter those attempts. I suggest regular pentests if possible and increasing your visibility with central log collection and correlation to stay ahead of the threat landscape in your environment. Safeguard your critical assets as a priority. Thks