#1
account lockout hack?

Howdy-

Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?

What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...

TIA,
BM
|
#2
Re: account lockout hack?

Brian,

Brian MXP wrote:
> Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?
>
> What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...

I think Conficker malware used to do this. Enable auditing of account logon events on your DCs to check where those logon attempts originate from and check the machines in question.

Cheers,
Florian

--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
|
#3
Re: account lockout hack?

Thanks, Florian. That hypothesis would make sense, as the event happened last week (3/31 - or 4/1 somewhere else : ) during the supposed Conficker flare-up.

I've since set auditing failed logon attempts on the DCs in question & we haven't seen a re-occurrence, but the fact that the locked out accounts were common English first names seemed to be too coincidental and wasn't sure if this was a known threat. Other than identifying systems infected with Conficker, any other advice you may have?

Thanks,
Brian

Florian Frommherz [MVP] wrote:
> Brian,
>
> Brian MXP wrote:
>> Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?
>>
>> What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...
>
> I think Conficker malware used to do this. Enable auditing of account logon events on your DCs to check where those logon attempts originate from and check the machines in question.
>
> Cheers,
> Florian
|
#4
Re: account lockout hack?

Brian,

Brian MXP wrote:
> and wasn't sure if this was a known threat. Other than identifying systems infected with Conficker, any other advice you may have?

Out of my pocket, no. It all boils down to seeing where those bad attempts come from. Based on that, you can go on researching whether there is a service with bad credentials trying to start or any rogue software trying to do authentication on - but that is all really vague.

Cheers,
Florian

--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
|
#5
Re: account lockout hack?

Hello Brian MXP,

Turn on auditing and filter the security log for Event ID 680. This will give you the users with account lockout and the source; look for a pattern to help troubleshoot.

--
Isaac Oben [MCTIP:EA, MCSE]

"Brian MXP" <brian@nospam.mit.edu> wrote in message news:uYM3k9EuJHA.4452@TK2MSFTNGP04.phx.gbl...
> Howdy-
>
> Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?
>
> What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...
>
> TIA,
> BM
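Florian and Isaac both point at the same check: enable auditing on the DCs, then pull the failed logon events and group them by where they came from, since a lockout storm usually traces back to one or a few source machines hitting many accounts. The PowerShell below is an added example, not code from this thread; it assumes a Windows Server 2008 or later DC, where Event ID 4776 (credential validation) and 4740 (account locked out) carry what the 2003-era Event ID 680 Isaac mentions used to, and it keeps a text-match fallback for any 680 records it finds.

```powershell
# Added example (not from the thread): summarise failed credential validations
# and lockouts on a DC, grouped by source workstation, so a pattern stands out.
# Assumes Windows Server 2008+ event IDs 4776 / 4740; legacy 680 is parsed from
# the message text as a fallback. Needs "Audit account logon events" /
# "Audit Credential Validation" enabled on the DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
    [int]$Hours = 24                             # look-back window
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 680, 4776, 4740; StartTime = $since
} -ErrorAction SilentlyContinue

# Turn the EventData <Data Name="..."> nodes of an event into a hashtable.
function Get-EventFields($evt) {
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$rows = foreach ($e in $events) {
    switch ($e.Id) {
        4776 {  # credential validation; Status 0x0 is success, anything else failed
            $d = Get-EventFields $e
            if ($d.Status -ne '0x0') {
                [pscustomobject]@{ Time=$e.TimeCreated; Id=4776; User=$d.TargetUserName;
                                   Source=$d.Workstation; Status=$d.Status }
            }
        }
        4740 {  # account locked out; the caller computer name sits in TargetDomainName
            $d = Get-EventFields $e
            [pscustomobject]@{ Time=$e.TimeCreated; Id=4740; User=$d.TargetUserName;
                               Source=$d.TargetDomainName; Status='LOCKED' }
        }
        680 {   # legacy NTLM validation event: fields only exist in the message text
            $m = $e.Message
            $u = if ($m -match 'Logon account:\s*(\S+)')      { $Matches[1] } else { '?' }
            $s = if ($m -match 'Source Workstation:\s*(\S+)') { $Matches[1] } else { '?' }
            $c = if ($m -match 'Error Code:\s*(\S+)')         { $Matches[1] } else { '?' }
            if ($c -ne '0x0') {
                [pscustomobject]@{ Time=$e.TimeCreated; Id=680; User=$u; Source=$s; Status=$c }
            }
        }
    }
}

# The pattern to look for: a single source touching many different accounts.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Accounts'; e={ ($_.Group.User | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

A source that shows up with a long list of distinct first-name accounts and status 0xC000006A (bad password) is the machine to pull off the network and inspect first.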
|
#6
Re: account lockout hack?

Brian MXP wrote:
> Howdy-
>
> Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?
>
> What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...
>
> TIA,
> BM

Solution: If you are an administrator using a domain, then never let a user watch which user is locked. If you face this type of problem, then scan with Dial-a-fix and a trojan removal tool.

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forum...er-ad/200904/1
|
#7
Re: account lockout hack?

Hello Brian,

If you need more info about Conficker check this website: http://www.confickerworkinggroup.org/wiki/

Also a test for local machines and networks is available.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Thanks, Florian. That hypothesis would make sense, as the event happened last week (3/31 - or 4/1 somewhere else : ) during the supposed Conficker flare-up.
>
> I've since set auditing failed logon attempts on the DCs in question & we haven't seen a re-occurrence, but the fact that the locked out accounts were common English first names seemed to be too coincidental and wasn't sure if this was a known threat. Other than identifying systems infected with Conficker, any other advice you may have?
>
> Thanks,
> Brian
>
> Florian Frommherz [MVP] wrote:
>
>> Brian,
>>
>> Brian MXP wrote:
>>
>>> Has anyone ever heard of a hack/malware that would lock out user accounts in AD (presumably via bad logon attempts - wasn't auditing for that prior to the event)?
>>>
>>> What's interesting is that the accounts that were locked were all common first names (Dave, Matt, John, Sally, Stacey, Emily, etc.) and not oddly spelled (role accounts) or exotic/foreign-type names...
>>>
>> I think Conficker malware used to do this. Enable auditing of account logon events on your DCs to check where those logon attempts originate from and check the machines in question.
>>
>> Cheers,
>> Florian