Backscatter spam, then account keep being locked out

Hi,

Yesterday my email has been spoof and someone has been using it to send thousands of spam, i kept receiving bounce back mail. I changed my password, and the password of our web host.

The bounce back has stop, but my account is being locked out every 30 minutes or so. I looked every other place I could have a remote session open, and there is none.

Any idea on what I could do ?

Thank you

Guillaume
ti-guyAsked:
Who is Participating?
 
Amit KhilnaneyCommented:
I believe its a domain account which is locking out.

Please check the account using lockout tool to find out from where it is being locked out

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Moreover to go into further details, log on to domain controller on which the account is being locked out.

open up event log, click the security log and scroll through or filter the log.
0
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Are there services running under your old credentials? Could be service, backupjob or scheduled task.
0
 
ti-guyAuthor Commented:
This is what I found at the exact time there was a bad pwd with the tool:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/12/2014 3:34:32 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Terrapex01.terrapex.msft
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            TERRAPEX\gsain
      Account Name:            gsain

Service Information:
      Service Name:            krbtgt/TERRAPEX

Network Information:
      Client Address:            ::ffff:192.168.20.217
      Client Port:            4051

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-12T20:34:32.897500000Z" />
    <EventRecordID>5458274658</EventRecordID>
    <Correlation />
    <Execution ProcessID="548" ThreadID="4776" />
    <Channel>Security</Channel>
    <Computer>Terrapex01.terrapex.msft</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">gsain</Data>
    <Data Name="TargetSid">S-1-5-21-1606980848-1682526488-839522115-2695</Data>
    <Data Name="ServiceName">krbtgt/TERRAPEX</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.20.217</Data>
    <Data Name="IpPort">4051</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
0
 
ti-guyAuthor Commented:
Yes, I found out that several ip address we're tryin to connect with my account, and there is services running under my account... I did not think about it, thanks a lot !!

Guillaume
0
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Youre welcome.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.