?
Solved

Backscatter spam, then account keep being locked out

Posted on 2014-02-12
5
Medium Priority
?
502 Views
Last Modified: 2014-02-12
Hi,

Yesterday my email has been spoof and someone has been using it to send thousands of spam, i kept receiving bounce back mail. I changed my password, and the password of our web host.

The bounce back has stop, but my account is being locked out every 30 minutes or so. I looked every other place I could have a remote session open, and there is none.

Any idea on what I could do ?

Thank you

Guillaume
0
Comment
Question by:ti-guy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
Amit Khilnaney earned 1000 total points
ID: 39854419
I believe its a domain account which is locking out.

Please check the account using lockout tool to find out from where it is being locked out

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Moreover to go into further details, log on to domain controller on which the account is being locked out.

open up event log, click the security log and scroll through or filter the log.
0
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 1000 total points
ID: 39854476
Are there services running under your old credentials? Could be service, backupjob or scheduled task.
0
 

Author Comment

by:ti-guy
ID: 39854482
This is what I found at the exact time there was a bad pwd with the tool:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/12/2014 3:34:32 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Terrapex01.terrapex.msft
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            TERRAPEX\gsain
      Account Name:            gsain

Service Information:
      Service Name:            krbtgt/TERRAPEX

Network Information:
      Client Address:            ::ffff:192.168.20.217
      Client Port:            4051

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-12T20:34:32.897500000Z" />
    <EventRecordID>5458274658</EventRecordID>
    <Correlation />
    <Execution ProcessID="548" ThreadID="4776" />
    <Channel>Security</Channel>
    <Computer>Terrapex01.terrapex.msft</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">gsain</Data>
    <Data Name="TargetSid">S-1-5-21-1606980848-1682526488-839522115-2695</Data>
    <Data Name="ServiceName">krbtgt/TERRAPEX</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.20.217</Data>
    <Data Name="IpPort">4051</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
0
 

Author Comment

by:ti-guy
ID: 39854509
Yes, I found out that several ip address we're tryin to connect with my account, and there is services running under my account... I did not think about it, thanks a lot !!

Guillaume
0
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39854609
Youre welcome.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question