Win2000 AD user account mass lockout - Strange !

From: Dan Sime (dansime_at_hotmail.com)
Date: 06/23/04


Date: Wed, 23 Jun 2004 10:47:04 -0700

Hi

On the face of it, it appears you have a virus problem or
security problem on that laptop. I know this may appear
to be an obvious comment. A few things that might help
discover 'how' it happened could be things like:

> Is there a firewall in place?
> Are there any abnormal processes running in task manager?
> Does the laptop connect to the internet through anything other than your network? (i.e. is it using its own connection to the internet, providing an 'unprotected' route into your network from the outside.)
> Have you checked Anti-Virus provider websites for info on Viruses that do this?

Sorry that these are perhaps obvious questions, but those
are the areas I would research to get an idea of 'How'.

Probably not much help, but just my thoughts on it.

Cheers
Dan

>-----Original Message-----
>Very strange - We had a mass lockout of every user account in AD
>yesterday. It was traced to a laptop running WinXP-SP1.
>
>A check of the Security log on the DC shows about 3000 failure audits
>over a 2 minute period, at least 10 per user account. It has somehow
>walked the AD tree as it's tried everything across multiple OUs
>including disabled user accounts.
>
>The laptop is running Symantec Antivirus Corporate 8.1 with
>definitions from June 9th.
>
>Anyone ever seen anything like this?
>
>Event Log Sample
>================
>
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 539
>Date: 6/22/2004
>Time: 12:07:02 PM
>User: NT AUTHORITY\SYSTEM
>Computer: xxxxxxx-x
>Description:
>Logon Failure:
> Reason: Account locked out
> User Name: joeuser
> Domain: VENTURI-SA5BUXB
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: VENTURI-SA5BUXB
>.
>
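
The pattern described in the original message (one workstation producing failure audits for many different accounts inside roughly two minutes) can be picked out of a text export of the DC Security log. The Python below is an added example, not part of either message: it assumes events in the layout of the sample above, treats Event IDs 529, 531 and 539 as logon failures, and uses constructed host names, user names and a threshold of 5 accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_IDS = {"529", "531", "539"}  # bad password, account disabled, locked out
FIELD = re.compile(r"^[ \t>]*(Event ID|Date|Time|User Name|Workstation Name):[ \t]*(.+?)[ \t]*$", re.M)

def parse_failures(text):
    """Yield (timestamp, workstation, user) for each logon-failure event in a text export."""
    for block in re.split(r"(?m)^[ \t>]*Event Type:", text)[1:]:
        f = dict(FIELD.findall(block))
        if f.get("Event ID") in FAILURE_IDS:
            ts = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
            yield ts, f["Workstation Name"].upper(), f["User Name"].lower()

def noisy_workstations(events, window=timedelta(minutes=2), min_accounts=5):
    """Map workstation -> most distinct accounts it failed against inside any one window."""
    by_ws = defaultdict(list)
    for ts, ws, user in events:
        by_ws[ws].append((ts, user))
    flagged = {}
    for ws, rows in by_ws.items():
        rows.sort()
        start = best = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({u for _, u in rows[start:end + 1]}))
        if best >= min_accounts:
            flagged[ws] = best
    return flagged

# Constructed sample (placeholder names): LAPTOP-A hits 8 accounts, DESKTOP-B is one user's typos.
TEMPLATE = """Event Type: Failure Audit
Event ID: {eid}
Date: 6/22/2004
Time: {time}
  User Name: {user}
  Workstation Name: {ws}
"""

def sample_log():
    spray = [TEMPLATE.format(eid=529 if i % 2 else 539, time=f"12:07:{i:02d} PM",
                             user=f"user{i}", ws="LAPTOP-A") for i in range(8)]
    typo = [TEMPLATE.format(eid=529, time=f"12:{10 + 5 * i}:00 PM",
                            user="joeuser", ws="DESKTOP-B") for i in range(3)]
    return "".join(spray + typo)

print(noisy_workstations(parse_failures(sample_log())))
```

A single user mistyping a password stays below the threshold because the count is of distinct accounts per workstation, not of failures.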


