Appreciate the responses...I am digging into your ideas now. I now see syn floods on two dc's that are in the same subnet from 169.254.2.x addresses.
Looking like a virus now......

> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, March 10, 2009 12:34 PM
> To: NT System Admin Issues
> Subject: RE: Account lockouts
>
> Sounds like you've got the Conficker virus running somewhere.
> We had that one for a while.
> Many locked accounts.
> Check the account you are using on the server to make sure it isn't
> locked out. If it is, you won't be able to use it to unlock anyone.
> We had to use the "administrator" account to unlock my account so I
> could unlock others. I'm pretty sure the "administrator" account can't
> be locked out.
> We also found a script that we could run to unlock all of them. Saved
> lots of time.
> Also, if you look at the event logs you should see where the infected
> computer has failed login for different user accounts.
> It was event 539 on server 2003. Not sure what the server 08
> equivalent event number is.
>
> -----Original Message-----
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, March 10, 2009 12:07 PM
> To: NT System Admin Issues
> Subject: RE: Account lockouts
>
> I should have added 2008 DC's. Seeing this in 3 of the 5 DC's. The
> killer is I can't unlock the locked accounts.
>
> > -----Original Message-----
> > From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> > Sent: Tuesday, March 10, 2009 11:53 AM
> > To: NT System Admin Issues
> > Subject: Account lockouts
> >
> > I am getting hammered with these in the event log:
> >
> > The SAM database was unable to lockout the account of USERNAME due to
> > a resource error, such as a hard disk write failure (the specific error
> > code is in the error data) . Accounts are locked after a certain number
> > of bad passwords are provided so please consider resetting the password
> > of the account mentioned above.
> >
> > And accounts are getting locked out left and right, others are not. I
> > have reset the passwords on some of them and disabled/enabled and they
> > still remain locked out.
> >
> > At first glance you/I might think a dictionary attack, but it feels
> > more like Kerberos blowing up.......
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
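
Added example (not part of the original thread, and not the script any poster mentions): one way to do the event-log check suggested above, grouping failed-logon events by source and listing the sources that failed against several different accounts. The key=value export format, the sample lines and the function names are constructed for illustration; 4625 is the failed-logon event ID on Server 2008 and later.

```python
import re
from collections import defaultdict

# Failed-logon event IDs: 529 (bad password) and 539 (account locked out) on
# Server 2003, 4625 (failed logon) on Server 2008 and later.
FAILED_LOGON_IDS = {529, 539, 4625}

# Constructed sample in a simplified key=value export format (an assumption;
# adapt the regex to whatever your log export actually produces).
SAMPLE_LOG = """\
2009-03-10 11:41:02 EventID=539 User=jsmith Source=169.254.2.15
2009-03-10 11:41:03 EventID=539 User=mbrown Source=169.254.2.15
2009-03-10 11:41:03 EventID=529 User=administrator Source=169.254.2.15
2009-03-10 11:41:05 EventID=4625 User=kdavis Source=169.254.2.15
2009-03-10 11:42:10 EventID=529 User=tlee Source=10.1.4.22
2009-03-10 11:42:40 EventID=529 User=tlee Source=10.1.4.22
2009-03-10 11:43:00 EventID=540 User=tlee Source=10.1.4.22
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"EventID=(\d+)\s+User=(\S+)\s+Source=(\S+)")

def failed_accounts_by_source(log_text):
    """Map each source address to the set of accounts it failed to log on as."""
    by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(1)) not in FAILED_LOGON_IDS:
            continue  # malformed line, or not a failed-logon event
        by_source[m.group(3)].add(m.group(2).lower())
    return by_source

def suspect_sources(log_text, min_accounts=3):
    """Sources that failed against at least min_accounts distinct accounts,
    worst first. One user mistyping a password hits one account; an infected
    machine guessing passwords hits many."""
    hits = {s: sorted(a) for s, a in failed_accounts_by_source(log_text).items()
            if len(a) >= min_accounts}
    return sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for source, accounts in suspect_sources(SAMPLE_LOG):
        print(f"{source}: {len(accounts)} accounts -> {', '.join(accounts)}")
```
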