[Dshield] User Account Locked.
BKWalker at DRBSystems.com
Tue Mar 25 20:46:34 GMT 2003
There are a myriad of things that could be a problem here.
Remove these systems from the internet!
First off, remove all users (except administrator or just one user) from the
admin/domain admin groups. Then change all the passwords of every user that
has administrative privileges.
Do you have virus scanning software? Does it detect backdoor software
(backorifice and the like)?
It's been a while since I've done any admin on NT4, but I think you can turn
on auditing for events like changing user permissions, that may let you
figure out who/what is disabling them?
Or, perhaps it's the result of a brute force attack (attempts to get user
passwords) and your account policy locks them out after a few tries. Turn
on auditing for login attempts, and track down who's doing it.
Presumably these systems are not behind a firewall; they probably should be.
> -----Original Message-----
> From: Pablo Vittori [mailto:pablo at desarrollosdelsur.com.ar]
> Sent: Tuesday, March 25, 2003 1:33 PM
> To: list at dshield.org
> Subject: [Dshield] User Account Locked.
> Importance: High
> We are an IT consulting firm in Argentina. For the last 2 or 3 weeks
> we have been experiencing an increase in attempts to
> attack our customers' networks. Today 2 of them, one
> with 15 users and the other with more than 120 users, are having
> the same issue: all the accounts of the Windows NT 4 domain
> have been locked. When our technician corrects the accounts and
> unlocks them, 10 or 15 minutes later the problem is back. After
> several resets and tests the problem disappears, but we don't
> know how to correct this or the origin of the problem.
> In these two cases we are also using Microsoft Exchange Server
> 5.5. Has anyone heard anything about a backdoor or bug with this
> configuration and these effects? We update daily with all the
> service packs and patches.
> Pablo Vittori
> Desarrollos del Sur - Argentina
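Added example (not part of the original thread and not either poster's code): one way to act on the suggestion to audit logon attempts and track down the source, assuming the Security log's failure audits have been exported to a simple CSV. The column layout, host names and account names are constructed for illustration; 529 and 539 are the NT-family logon-failure event IDs for a bad password and a locked-out account.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event id, target account, source workstation.
SAMPLE_LOG = """\
2003-03-25 13:01:02,529,jperez,WKS-07
2003-03-25 13:01:20,529,jperez,WKS-07
2003-03-25 13:01:41,528,jperez,WKS-07
2003-03-25 13:10:00,529,administrator,HOST-X
2003-03-25 13:10:01,529,jperez,HOST-X
2003-03-25 13:10:02,529,mgarcia,HOST-X
2003-03-25 13:10:03,539,lrossi,HOST-X
2003-03-25 09:00:00,529,mgarcia,WKS-12
2003-03-25 11:00:00,529,lrossi,WKS-12
2003-03-25 15:00:00,529,jperez,WKS-12
"""

# 529: unknown user name or bad password; 539: account locked out.
FAILED_LOGON = {"529", "539"}


def suspicious_sources(log_text, window=timedelta(minutes=5), min_accounts=3):
    """Map each source workstation to the accounts it failed against, for
    sources that hit at least min_accounts distinct accounts inside one
    sliding time window (the pattern behind a domain-wide lockout)."""
    hits_by_source = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or row[1] not in FAILED_LOGON:
            continue  # skip malformed rows and non-failure events
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        hits_by_source[row[3]].append((when, row[2].lower()))

    flagged = {}
    for source, hits in hits_by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans no more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {name for _, name in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(source, set()).update(accounts)
    return {source: sorted(names) for source, names in flagged.items()}


if __name__ == "__main__":
    for source, names in suspicious_sources(SAMPLE_LOG).items():
        print(source, "failed against", ", ".join(names))
```

A user mistyping their own password (WKS-07) and failures spread over hours (WKS-12) are not flagged; only the source that sweeps several accounts within minutes is.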