repeated mass account lockouts 1

[pehi]

Hi - we have a serious problem in our User domain, recently an increasing number of users are having their accounts locked out, whilst in any state from attempting to log on, to logged on, to not logged on at all.

I've reset all users in the domain multiple times to clear the locked out check box, and it still recurs.

I've also synchronized the entire domain repeatedly.

 

[kalamitykatie]

We found BKDR_IROFFER.A and are investigating its connection to this problem. Has anyone else with the problem found this backdoor? I'm investigating how this irc bot found its way onto our server.

 

[kalamitykatie]

I was mistaken in stating that BKDR_IROFFER.A was found on our server. It was found on a workstation in the LAN on which the administrator account may have been compromised due to the keystroke logging capability of the backdoor bot.

 

[Spud179]

Hello Kalamitykatie

I will check the workstations which are been logged in the Security logs for the bkdr_iroffer.A tomorrow and will come back to you

Thank you for your response

 

[sneek]

Didnt find any instances of this on a workstation... Trend Anti Virus says this came out in Jan of 2003 (or maybe it was then they caught it) which puts us before the timeline here ;( I have been checking alot of sites through google and NO ONE has a answer to this yet! Please let us know if you find anything pointing to that bot though... It could be hiding!

 

[JamesLut]

Please se emy last post above. It is what cleard up this problem for us. You might take a look at the same things...

 

[JamesLut]

I might add (to my previous post) that if you have a mail server on your LAN then you probably have atleast port 25 (SMTP) open to that server. Check to make sure thats the ONLY public port open to it.

 

[geniph]

I've seen this happen a few times. It always panics our users, because I work for a school district, and we've had...um..."incidents" with the kids hacking when not properly supervised. We're heavily firewalled to the outside world, so these kinds of things nearly always come from inside, not outside, for us.

What I've concluded is that some of this is happening when a domain gets a hosed-up SAM on one of the DCs. I don't know WHY a DC gets a hosed-up SAM, but I have my suspicions about browser service. I believe the DC gets confused about the timestamp on a user SID or ACL, and thinks the 90 days or whatever to password reset has passed. Sometimes taking the offending DC out of the loop stops the problem, and sometimes bringing up a new, clean DC stops the problem.

 

[spudmurphy]

Hi geniph

Thank you for your response - unsure what you mean when you state "hosed-up" SAM could you explain pls

Rgds........spudmurphy

 

[IceHockeyRock]

I experienced this in my company the problem was affecting an NT4 domain...turned out to be virus trying to probe our domain coming in from one of our regional offices in mexico.

Still awaiting for the trip out there to turn their network of...!!