Solved

Backscatter spam, then account keep being locked out

Posted on 2014-02-12
5
480 Views
Last Modified: 2014-02-12
Hi,

Yesterday my email has been spoof and someone has been using it to send thousands of spam, i kept receiving bounce back mail. I changed my password, and the password of our web host.

The bounce back has stop, but my account is being locked out every 30 minutes or so. I looked every other place I could have a remote session open, and there is none.

Any idea on what I could do ?

Thank you

Guillaume
0
Comment
Question by:ti-guy
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
Amit Khilnaney earned 250 total points
Comment Utility
I believe its a domain account which is locking out.

Please check the account using lockout tool to find out from where it is being locked out

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Moreover to go into further details, log on to domain controller on which the account is being locked out.

open up event log, click the security log and scroll through or filter the log.
0
 
LVL 19

Assisted Solution

by:Patricksr1972
Patricksr1972 earned 250 total points
Comment Utility
Are there services running under your old credentials? Could be service, backupjob or scheduled task.
0
 

Author Comment

by:ti-guy
Comment Utility
This is what I found at the exact time there was a bad pwd with the tool:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/12/2014 3:34:32 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Terrapex01.terrapex.msft
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            TERRAPEX\gsain
      Account Name:            gsain

Service Information:
      Service Name:            krbtgt/TERRAPEX

Network Information:
      Client Address:            ::ffff:192.168.20.217
      Client Port:            4051

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-12T20:34:32.897500000Z" />
    <EventRecordID>5458274658</EventRecordID>
    <Correlation />
    <Execution ProcessID="548" ThreadID="4776" />
    <Channel>Security</Channel>
    <Computer>Terrapex01.terrapex.msft</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">gsain</Data>
    <Data Name="TargetSid">S-1-5-21-1606980848-1682526488-839522115-2695</Data>
    <Data Name="ServiceName">krbtgt/TERRAPEX</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.20.217</Data>
    <Data Name="IpPort">4051</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
0
 

Author Comment

by:ti-guy
Comment Utility
Yes, I found out that several ip address we're tryin to connect with my account, and there is services running under my account... I did not think about it, thanks a lot !!

Guillaume
0
 
LVL 19

Expert Comment

by:Patricksr1972
Comment Utility
Youre welcome.
0

Featured Post

Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now