• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2586
  • Last Modified:

Netlogon help - user account locking out - random user names in our netlogon

Aloha, we have a user account that is getting locked out of AD constantly (every 5-10 minutes after 5 bad attempts). After tracing the issue from the DC back to their workstation, I've been unable to pinpoint what is causing the bad password attempts and inevitable lockout. Here is the part that is scaring the crap out of me: On their workstation, I ran netlogon and found that there are constant account logon tries with totally random usernames that have never been part of our domain. I've pasted a section of the log below, but you can see ADMINISTRATOR is a popular one, along with random first names (LAUREN, JAMES, TECH) as well as random first initial last name combinations (JQUACH, CALEXANDER). These are not users that have ever or currently exist in our domain. The domain field before the \ shows as (null) so I'm guessing it's not actually trying to login to network locations, and just trying for local accounts, but either way... what and why?

I've disconnected this machine and ran several virus detections to no avail. Does anyone have any idea what is going on here?

Mahalo nui loa for any insight.



10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Entered
10/19 15:55:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Returns 0xC0000064
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Entered
10/19 15:56:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:10 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:26 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:43 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:18 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Entered
10/19 15:57:20 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:33 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Entered
10/19 15:57:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Returns 0xC0000234
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:48 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Entered
10/19 15:58:21 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:23 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Entered
10/19 15:58:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Entered
10/19 15:59:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Returns 0xC0000064
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Entered
10/19 15:59:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:42 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Entered
10/19 15:59:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Returns 0xC0000064
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Entered
10/19 16:00:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Returns 0xC0000064
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Entered
10/19 16:00:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
0
Steph Dames
Asked:
Steph Dames
  • 3
  • 2
  • 2
  • +2
1 Solution
 
Gabriel CliftonNet AdminCommented:
My first guys, I have seen similar before, ids that someone out something is trying to use that Austen to crack local admin account to install something more maliciousabd possibly try to get network access. vlan that system off so it does not touch your network and run wireshark to see what network communication it is doing.
0
 
Dr. KlahnPrincipal Software EngineerCommented:
Download a copy of Microsoft TCP View and install it on the afflicted machine.  Reboot so that the system is supposedly idle.  Run TCP View, watch it, and see what opens connections open to the DC.  One of those processes should be the culprit.

If TCP View fails to reveal the problem process, then Microsoft Process Monitor will reveal it; but this is a high-overhead proposition, so try the easy one first.

Also download a copy of Malwarebytes (run it in stealth mode), and a copy of Spybot - Search and Destroy.

(It would arguably be less work to reload the system from scratch, but it sounds like you want to repair the issue rather than hammer it.)
0
 
Steph DamesAuthor Commented:
Yes, unfortunately the machine is a high priority user and rebuilding it may actually end up being more work for me depending on how far I let myself go down this rabbit hole.

Thanks for the help, Gabriel and Dr. Klahn. I'm going to try TCP view first and see what I can find out. mwb unfortunately didn't grab anything as of yet, but I will try spybot also.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
arnoldCommented:
Run control keymgr.dll and make sure there are no shared resources there that were saved with a password that the user has recently changed.
Make sure there is no service running with the user's credential.

The event log on the server what type of login is being attempted. The type if network would suggest that this system has a shared resource that is being accessed.
Does your auditing policy include the local workstation/system revord login/logout events in the local security eventlog?

What development is occurring on this system?
Any changes within the week prior to this issue?
0
 
Steph DamesAuthor Commented:
So, it ended up being an RDP exploit. After a fresh reboot, I ran TCPView while disconnected from the network. After the full boot process seemed to be complete, I connected to the network and watched for anything to try. Nothing came up after several minutes and the netlogon log stayed clean of those random attempts. I one by one started to open programs that use connection, starting with our company's management software. Still no attempts in the log after several minutes and nothing odd in TCPView. I open Outlook and BAM, TCPView shows protocol ms-wbt-server connecting to some remote address in London. I've attached a screenshot. The netlogon also immediately starts showing the random username attempts at this point. I did some quick research and learned that ms-wbt-server is likely the RDP service, so I closed the connected in TCPView and stopped and disabled the RDP service. Instantly, the netlogon was clean and no further connections showed up in TCPView. Just checked again and the log is still clean.

I've since looked into some articles regarding RDP exploits and am running some more scans, as well as a registry clean.

Crazy! Thanks for all your help!
0
 
Steph DamesAuthor Commented:
TCPView to isolate the issue worked perfectly. Mahalo nui loa!
0
 
Dr. KlahnPrincipal Software EngineerCommented:
Remote Desktop.  Immensely useful, but something that Microsoft should have made "disabled unless manually enabled for this session only by a local user."  Glad to see you got the issue resolved.
1
 
Gabriel CliftonNet AdminCommented:
Great to see you going again.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now