Solved

Backscatter spam, then account keep being locked out

Posted on 2014-02-12
5
492 Views
Last Modified: 2014-02-12
Hi,

Yesterday my email has been spoof and someone has been using it to send thousands of spam, i kept receiving bounce back mail. I changed my password, and the password of our web host.

The bounce back has stop, but my account is being locked out every 30 minutes or so. I looked every other place I could have a remote session open, and there is none.

Any idea on what I could do ?

Thank you

Guillaume
0
Comment
Question by:ti-guy
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
Amit Khilnaney earned 250 total points
ID: 39854419
I believe its a domain account which is locking out.

Please check the account using lockout tool to find out from where it is being locked out

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Moreover to go into further details, log on to domain controller on which the account is being locked out.

open up event log, click the security log and scroll through or filter the log.
0
 
LVL 19

Assisted Solution

by:Patricksr1972
Patricksr1972 earned 250 total points
ID: 39854476
Are there services running under your old credentials? Could be service, backupjob or scheduled task.
0
 

Author Comment

by:ti-guy
ID: 39854482
This is what I found at the exact time there was a bad pwd with the tool:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/12/2014 3:34:32 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Terrapex01.terrapex.msft
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            TERRAPEX\gsain
      Account Name:            gsain

Service Information:
      Service Name:            krbtgt/TERRAPEX

Network Information:
      Client Address:            ::ffff:192.168.20.217
      Client Port:            4051

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-12T20:34:32.897500000Z" />
    <EventRecordID>5458274658</EventRecordID>
    <Correlation />
    <Execution ProcessID="548" ThreadID="4776" />
    <Channel>Security</Channel>
    <Computer>Terrapex01.terrapex.msft</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">gsain</Data>
    <Data Name="TargetSid">S-1-5-21-1606980848-1682526488-839522115-2695</Data>
    <Data Name="ServiceName">krbtgt/TERRAPEX</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.20.217</Data>
    <Data Name="IpPort">4051</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
0
 

Author Comment

by:ti-guy
ID: 39854509
Yes, I found out that several ip address we're tryin to connect with my account, and there is services running under my account... I did not think about it, thanks a lot !!

Guillaume
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39854609
Youre welcome.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Normally after a failure of Domain Controller, when promoting new DC the DC is renamed, we will discuss the options in Dcpromo to re-create the DC with the same name. Scenario: You are a small IT shop with two Domain Controllers (Domain Contr…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now