Solved

Backscatter spam, then account keep being locked out

Posted on 2014-02-12
5
496 Views
Last Modified: 2014-02-12
Hi,

Yesterday my email has been spoof and someone has been using it to send thousands of spam, i kept receiving bounce back mail. I changed my password, and the password of our web host.

The bounce back has stop, but my account is being locked out every 30 minutes or so. I looked every other place I could have a remote session open, and there is none.

Any idea on what I could do ?

Thank you

Guillaume
0
Comment
Question by:ti-guy
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
Amit Khilnaney earned 250 total points
ID: 39854419
I believe its a domain account which is locking out.

Please check the account using lockout tool to find out from where it is being locked out

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Moreover to go into further details, log on to domain controller on which the account is being locked out.

open up event log, click the security log and scroll through or filter the log.
0
 
LVL 22

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 250 total points
ID: 39854476
Are there services running under your old credentials? Could be service, backupjob or scheduled task.
0
 

Author Comment

by:ti-guy
ID: 39854482
This is what I found at the exact time there was a bad pwd with the tool:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/12/2014 3:34:32 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Terrapex01.terrapex.msft
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            TERRAPEX\gsain
      Account Name:            gsain

Service Information:
      Service Name:            krbtgt/TERRAPEX

Network Information:
      Client Address:            ::ffff:192.168.20.217
      Client Port:            4051

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-12T20:34:32.897500000Z" />
    <EventRecordID>5458274658</EventRecordID>
    <Correlation />
    <Execution ProcessID="548" ThreadID="4776" />
    <Channel>Security</Channel>
    <Computer>Terrapex01.terrapex.msft</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">gsain</Data>
    <Data Name="TargetSid">S-1-5-21-1606980848-1682526488-839522115-2695</Data>
    <Data Name="ServiceName">krbtgt/TERRAPEX</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.20.217</Data>
    <Data Name="IpPort">4051</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
0
 

Author Comment

by:ti-guy
ID: 39854509
Yes, I found out that several ip address we're tryin to connect with my account, and there is services running under my account... I did not think about it, thanks a lot !!

Guillaume
0
 
LVL 22

Expert Comment

by:Patrick Bogers
ID: 39854609
Youre welcome.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question