repeated mass account lockouts


pehi (Technical User), Feb 8, 2002, GB
Hi - we have a serious problem in our user domain: recently an increasing number of users are having their accounts locked out, whilst in any state from attempting to log on, to logged on, to not logged on at all.

I've reset all users in the domain multiple times to clear the locked-out check box, and it still recurs.

I've also synchronized the entire domain repeatedly.
 
We're having this under NT4 SP6a.
 
We had a similar problem, but only with users from one particular office. Traced the lockouts to an OWA server; stopped Outlook Web Access and the accounts stopped locking out. Enabled it and the accounts locked out again. We left the OWA service disabled on that server; now we have the same problem with a second OWA server, once again just after users have changed passwords. The users are convinced they are not logged in when they change passwords. This has been happening for over 1 year; current solution: delete and recreate the account, then when it comes back, same again.
We seem to get around 16 - 18 login attempts passed through from the OWA server, then a 10 to 20 min break, then the same again.
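The tracing step described above (lockouts that line up with bursts of failed logons from one OWA server) can be done from a text export of the domain controllers' Security logs. The script below is an added example, not code from this thread or from any of its posters. It assumes a constructed one-event-per-line export with tab-separated fields (timestamp, event ID, account, workstation), which is not the real Event Viewer format, and it uses the NT4 / Windows 2000 event IDs 529 (bad password), 539 (logon refused because the account is locked out) and 644 (account locked out, carrying the caller machine name). The sample log lines are constructed to show the pattern in the post: a service replaying a stale password locks the account, retries, and comes back after a pause.

```python
"""Trace mass account lockouts to the machine that causes them.

Added example (not from the Tek-Tips thread). Input is a CONSTRUCTED
flat export of the Security log, one event per line, tab-separated:
    <yyyy-mm-dd HH:MM:SS> <event id> <account> <workstation>
Real Event Viewer exports look different; adapt parse_export() to yours.

Event IDs are the NT4 / Windows 2000 ones:
    529  Logon Failure: unknown user name or bad password (Workstation Name)
    539  Logon Failure: account locked out (Workstation Name)
    644  User Account Locked Out (Caller Machine Name, Windows 2000)
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BAD_PASSWORD = 529
LOGON_WHILE_LOCKED = 539
ACCOUNT_LOCKED = 644
FAILURE_IDS = (BAD_PASSWORD, LOGON_WHILE_LOCKED)

# Constructed sample: five bad passwords from OWA1 lock jsmith out, OWA1 keeps
# retrying, then about 18 minutes later it tries again; bjones mistyped twice.
SAMPLE_LOG = """\
2002-02-08 09:00:01\t529\tjsmith\tOWA1
2002-02-08 09:00:02\t529\tjsmith\tOWA1
2002-02-08 09:00:03\t529\tjsmith\tOWA1
2002-02-08 09:00:04\t529\tjsmith\tOWA1
2002-02-08 09:00:05\t529\tjsmith\tOWA1
2002-02-08 09:00:06\t644\tjsmith\tOWA1
2002-02-08 09:00:07\t539\tjsmith\tOWA1
2002-02-08 09:00:08\t539\tjsmith\tOWA1
2002-02-08 09:03:11\t529\tbjones\tWS-BJONES
2002-02-08 09:03:25\t529\tbjones\tWS-BJONES
2002-02-08 09:18:31\t539\tjsmith\tOWA1
2002-02-08 09:18:32\t539\tjsmith\tOWA1
2002-02-08 09:18:33\t539\tjsmith\tOWA1
"""


@dataclass
class Event:
    when: datetime
    event_id: int
    account: str
    workstation: str


def parse_export(text):
    """Parse the flat export into Events sorted by time (names normalised)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        when, event_id, account, workstation = line.split("\t")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), account.lower(), workstation.upper()))
    return sorted(events, key=lambda e: e.when)


def failure_sources(events):
    """account -> Counter of workstations that sent failing logons for it."""
    sources = defaultdict(Counter)
    for e in events:
        if e.event_id in FAILURE_IDS:
            sources[e.account][e.workstation] += 1
    return sources


def bursts(events, account, gap=timedelta(minutes=5)):
    """Group one account's failed logons into bursts separated by >= gap.

    A person mistyping produces a few scattered failures; a service replaying
    a stale password produces tight bursts at regular intervals, which is the
    pattern described for the OWA server.
    Returns (first, last, count, main_workstation) per burst."""
    runs, current = [], []
    for e in events:
        if e.account != account or e.event_id not in FAILURE_IDS:
            continue
        if current and e.when - current[-1].when >= gap:
            runs.append(current)
            current = []
        current.append(e)
    if current:
        runs.append(current)
    return [(r[0].when, r[-1].when, len(r),
             Counter(x.workstation for x in r).most_common(1)[0][0]) for r in runs]


def lockout_report(events, window=timedelta(minutes=30)):
    """For every 644 lockout, pair the caller machine the DC recorded with
    the workstations that sent bad passwords in the preceding window."""
    report = []
    for e in events:
        if e.event_id != ACCOUNT_LOCKED:
            continue
        prior = Counter(p.workstation for p in events
                        if p.account == e.account and p.event_id == BAD_PASSWORD
                        and e.when - window <= p.when <= e.when)
        report.append({"when": e.when, "account": e.account,
                       "caller": e.workstation, "bad_passwords": prior})
    return report


if __name__ == "__main__":
    ev = parse_export(SAMPLE_LOG)
    for r in lockout_report(ev):
        print(f"{r['when']}  {r['account']} locked out by {r['caller']}; "
              f"bad passwords in last 30 min: {dict(r['bad_passwords'])}")
    for first, last, n, ws in bursts(ev, "jsmith"):
        print(f"burst {first:%H:%M:%S}-{last:%H:%M:%S}: {n} failures from {ws}")
```

Run against the real exports from every domain controller, not just the PDC, because a bad password can be verified by any DC; the workstation that shows up in `failure_sources` for many different accounts at once is the one to look at (an OWA or mail server, a service account, or an exposed host being guessed at).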
 
Please check the following; if any of it exists, your server has been compromised (input manipulation).

Any batch file on C:, normally a.bat or secure/secure1/secure3...; these .bat files will change registry settings and create a backdoor entry.

Check registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\TelnetServer\1.0\]
This will open telnet to get your SAM database.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
"Start"=dword:00000002
This is to start the telnet service.

C:\winnt\temp\temp.mdb /CFG temp (this is to copy your files, such as usernames, for offline cracking)

Suggestions, if one of the above fits your situation:
- Reinstall the compromised server (I am not sure if this works since the SAM db is already compromised); if you have a better solution, please let me know.
- Block telnet traffic on the router/firewall.
- Change all passwords.

Best wishes,

k
 
Thanks for the information, AgentK. I didn't have anything in any of my servers, but at least I feel a little better. I still wish I could figure this out. I am still working on it, but with no support from Microsoft for Windows NT 4.0 I don't see how I am going to figure this one out! :)

Thanks again.
 
Hi, we have the same problem; we are running W2K servers.
In the event list the user login is locked out at the same time. The closest I can narrow it down to is that every time the user uses a file on the server and works with it for some time they suddenly get locked out (not able to save work). We are running McAfee AV, Lotus SmartSuite and MS Office. The lockouts happen at random intervals (day, week). I went so far as to write a VB script to unlock all the accounts when needed (about every hour).
I really would like a solution.
 
Hey Jerry, here is your script; just rename compaq1 to your server name:

' Enumerates every user account on strComputer through WMI, and for each one
' flagged Lockout offers to unlock it through the ADSI WinNT provider.
' On Error Resume Next hides failures (for example WMI not being installed),
' so comment it out while troubleshooting.
On Error Resume Next
strComputer = "compaq1"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount",,48)
count = 0
countUnlock = 0
For Each objItem in colItems
    If objItem.Lockout = True Then
        count = count + 1
        ' Uncomment to see details of each locked account:
        'Wscript.Echo "Description: " & objItem.Description
        'Wscript.Echo "Disabled: " & objItem.Disabled
        'Wscript.Echo "FullName: " & objItem.FullName
        'Wscript.Echo "Lockout: " & objItem.Lockout
        'Wscript.Echo "Name: " & objItem.Name
        'Wscript.Echo "PasswordChangeable: " & objItem.PasswordChangeable
        'Wscript.Echo "PasswordExpires: " & objItem.PasswordExpires
        'Wscript.Echo "PasswordRequired: " & objItem.PasswordRequired
        'Wscript.Echo "-----------------------------------------------------------"
        response = MsgBox("Unlock: " & objItem.Name, vbOKCancel)
        If response = vbOK Then
            ' Bind to the domain account (replace the domain name with yours)
            Set UsrObj = GetObject("WinNT://dagama.co.za/" & objItem.Name)
            If UsrObj.IsAccountLocked = True Then
                UsrObj.IsAccountLocked = False
                UsrObj.SetInfo
                countUnlock = countUnlock + 1
            End If
        End If
    End If
Next
MsgBox "Locked: " & count & " Unlocked: " & countUnlock


 
Hey Jerry, you probably want to change dagama.co.za to your company domain suffix.
 
Hey Dork (or anyone else who can help!!),
I needed to use your script today and was unable to. I changed strComputer to the name of my PDC and dagama.co.za to my suffix. I get this error (when I rem'ed out line 1):

Running it on the server:

Title of dialogbox = Windows Script Host
Script: C:\ChangeLockedStatus.vbs
Line: 3
Char: 1
Error: Invalid Syntax
Code: 800401E4
Source: (null)

Running it from my Windows2000 Pro wrkstn:

Title of dialogbox = Windows Script Host
Script : \\PDCServer\c$\ChangeLockedStatus.vbs
Line: 3
Char: 1
Error: ActiveX component can't create object: 'GetObject'
Code: 800A01AD
Source: Microsoft VBScript runtime error


Got any ideas?
 
Here are the script changes I have made:

rem On Error Resume Next
strComputer = "cmisokc"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount",,48)
count = 0
countUnlock = 0
For Each objItem in colItems
if objItem.Lockout=True then
count = count + 1
'Wscript.Echo "Description: " & objItem.Description
'Wscript.Echo "Disabled: " & objItem.Disabled
'Wscript.Echo "FullName: " & objItem.FullName
'Wscript.Echo "Lockout: " & objItem.Lockout
'Wscript.Echo "Name: " & objItem.Name
'Wscript.Echo "PasswordChangeable: " & objItem.PasswordChangeable
'Wscript.Echo "PasswordExpires: " & objItem.PasswordExpires
'Wscript.Echo "PasswordRequired: " & objItem.PasswordRequired
'Wscript.Echo "-----------------------------------------------------------"
response = msgbox("Unlock: " & objItem.Name,[vbOkCancel])
if response = vbOK then
Set UsrObj = GetObject("WinNT://oklaosf.state.ok.us/" & objItem.Name)
If UsrObj.IsAccountLocked = TRUE Then
UsrObj.IsAccountLocked = FALSE
UsrObj.SetInfo
countUnlock = countUnlock + 1
End If
end if

end if
Next
msgbox "Locked: "& count & " Unlocked: "& countUnlock
 
I am having the same problem as well, where all the user accounts got locked out due to 5 bad login attempts.

I read something about a "null session" attack on Windows NT and 2000, in which hackers can utilize the null session to get domain user names with a blank username and password, similar to an anonymous logon.

To test if your server is vulnerable, there is a software tool called InternetPeriscope and an explanation of the "null session" attack. Make sure you read the entire article on how to test if your server is vulnerable to the "null session" attack.

A more detailed article was posted; please do a search for Restrict Anonymous or null session on securityfocus.com, because I forgot the exact link (sorry).

I implemented the restriction on null sessions yesterday and there was no account locked out this morning. Hope this helps. If you have any questions, let me know.

Thanks
 
YSK9818,

HOW have you implemented the restriction against null session attacks on your server?
I have tested our system with InternetPeriscope, and the results showed me that our server seems to be rather vulnerable.

YSK9818, you can contact me at dj_stone@hotmail.com

Thanks.
 
I have the same problem with my Win2K servers. My major concern is with our accounts with administrative privileges. They get locked out frequently. What if all of them get locked out at the same time? How will we be able to unlock them?

Thanks.
 
I'm having the same problem. We are running NT4.0 sp6a servers with a few Windows 2000 member servers.

We are also using Mcafee EPO and VirusScan.

A security audit we conducted required us to enable Account Lockout policies... Now we get very random account lockouts.
 
Our deal was that someone was obviously trying to hack us. We had a completely open 1-to-1 NAT to one of our domain servers that we did not know about. Hackers were getting usernames and groups by using the NULL SESSION attack and attempting to guess passwords. We installed a firewall box and the lockouts have stopped.

This would have been a very bad deal if we had not had the 5-wrong-passwords lockout, because people could have just run L0phtCrack on it remotely, indefinitely, and would have had our admin password. Hope that helps you.

I suggest making sure you don't have any 1-to-1 NATs to your system, and if you do, that they are properly firewalled or in a DMZ. And for God's sake keep your 5-wrong-passwords lockout ENABLED!!!

IMHO
 
We are getting this as well. Every day!! We recently rerouted all computers through a new ISA server and feel confident we are not too exposed to the outside... There was also some creative routing done.

For a couple of days it was quiet, but now we are right back to the same ol' thing!! Any new ideas?
 
Hi, we are experiencing the same - has there been an update?

Thanks
 