Update: Looks like it was CONFICKER taking advantage of unpatched systems. We are no longer getting any reports of lockouts (patches all applied). Typical - the time you suspend patching to move to a new system is always going to be when you are hit with a new virus. Oh well, it didn't kill our network so our containment procedures worked well.
Andy Crellin
Technical Services Manager
Leonard Cheshire Disability
Telephone: 01904 479200
E-mail: andy.crel...@lcdisability.org

From: Andy Crellin
Sent: 09 January 2009 11:55
To: NT System Admin Issues
Subject: RE: All AD Accounts getting gradually locked out

Ok - we are rolling out this patch to all PCs and servers now and expect it to solve the problem (the description fits, etc). Typically we had just moved to WSUS and have been testing it on a control group for the last couple of months, meaning that we're short a few patches! I'll let you know how it goes.

Cheers,

Andy Crellin
Technical Services Manager
Leonard Cheshire Disability
Telephone: 01904 479200
E-mail: andy.crel...@lcdisability.org

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 08 January 2009 17:15
To: NT System Admin Issues
Subject: RE: All AD Accounts getting gradually locked out

http://news.zdnet.com/2424-9595_22-257980.html?tag=nl.e539

John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347
www.taylor.k12.fl.us

________________________________

From: Andy Crellin [mailto:andy.crel...@lcdisability.org]
Sent: Thursday, January 08, 2009 11:29 AM
To: NT System Admin Issues
Subject: All AD Accounts getting gradually locked out

OK, here's a teaser...

All of our AD accounts are gradually being locked out. I have one guy searching for locked out accounts and unlocking them (and they do not get re-locked out) but with 2500 accounts this is more than a PITA.

Now, this stinks of a brute force attack on an enumerated list of accounts on the network (we allow 10 attempts then lockout for 30mins), but we can't find _anything_ that looks like this. To compound matters, we have also had a small outbreak of WORM_DOWNAD.AD which has been contained and managed well, but I think this is a red herring as that worm's symptoms are nothing like what we are seeing (and there is no correlation).

Does anyone know of a way to find out what processes are attempting to make a logon attempt (we have about 10 DCs spread about the place) to an account - bearing in mind it could be any one of 2500 accounts? Also, is it possible to find out where the logon attempt that caused an account lock came from?

Cheers, and TIA,

Andy.

Andy Crellin
Technical Services Manager
Leonard Cheshire Disability
Telephone: 01904 479200
Email: andy.crel...@lcdisability.org

Change the way you see disability. Find out more at www.CreatureDiscomforts.org <http://www.creaturediscomforts.org/>

Our London Marathon places are almost sold out! Call 020 3242 0376 now to reserve one of the last few places available, or e-mail eve...@lcdisability.org

Internet communications are not secure and therefore Leonard Cheshire Disability does not accept any liability for the content of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Leonard Cheshire Disability. If you have received this transmission in error, please contact the sender and delete it immediately. Leonard Cheshire Disability is a company limited by guarantee, registered in England no: 552847, and a registered charity no: 218186 (England & Wales) and no: SC005117 (Scotland) VAT no: 899 3223 75. Registered office: 66 South Lambeth Road, London, SW8 1RL.

________________________________

This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
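The two questions in the original post (which machine sent the logon attempt that tripped the lockout, and which DC saw it) are answered by the domain controllers' Security logs, where event 4740 records the Caller Computer Name for each lockout and 4771/4776 record the client address or workstation for each bad-password attempt. The script below is an added example for this thread, not something any of the posters wrote. It assumes Windows Server 2008 or later DCs (which log those event IDs; Server 2003 uses 644, 675 and 680 instead), the ActiveDirectory PowerShell module for enumerating DCs, and rights to read the DCs' Security logs remotely. The `$Hours` parameter and the function names are the example's own.

```powershell
<#
  Added example (not from the thread): locate the source of AD account lockouts.
  Assumes Windows Server 2008+ DCs (Security log IDs 4740 / 4771 / 4776), the
  ActiveDirectory module on the admin box, and remote Security-log read rights.
  Server 2003 DCs log the older IDs 644 / 675 / 680 instead; adjust -Id below.
#>
param(
    [int]$Hours = 4            # look-back window; lockout bursts are usually recent
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Turn an event's <EventData><Data Name="..."> elements into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Pull the given event IDs from every DC; an unreachable DC is reported, not fatal.
function Get-DcEvents {
    param([int[]]$Id)
    foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $Id; StartTime = $since
            } | ForEach-Object { [pscustomobject]@{ DC = $dc; Event = $_ } }
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# 4740 "A user account was locked out" is written on the PDC emulator. The machine
# that sent the final bad password is the Caller Computer Name, which is stored in
# the TargetDomainName data field; TargetUserName is the account that got locked.
$lockouts = Get-DcEvents -Id 4740 | ForEach-Object {
    $f = Get-EventFields $_.Event
    [pscustomobject]@{
        Time    = $_.Event.TimeCreated
        DC      = $_.DC
        Account = $f['TargetUserName']
        Source  = $f['TargetDomainName']
    }
}

# 4771 (Kerberos pre-auth failed; Status 0x18 = wrong password) carries the client
# IP in IpAddress. 4776 (NTLM credential validation; Status 0xC000006A = wrong
# password) carries the source workstation name. Pulling both from every DC shows
# which DCs the attempts are hitting, not just the one that logged the lockout.
$failures = Get-DcEvents -Id 4771, 4776 | ForEach-Object {
    $f = Get-EventFields $_.Event
    [pscustomobject]@{
        Time    = $_.Event.TimeCreated
        DC      = $_.DC
        Id      = $_.Event.Id
        Account = $f['TargetUserName']
        Source  = if ($_.Event.Id -eq 4771) { $f['IpAddress'] } else { $f['Workstation'] }
        Status  = $f['Status']
    }
}

"=== Lockouts in the last $Hours h, by source machine ==="
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Format-Table Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } } -AutoSize

"=== Wrong-password attempts in the last $Hours h, by source and DC ==="
$failures | Where-Object { @('0x18', '0xc000006a') -contains $_.Status } |
    Group-Object Source, DC | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A worm spraying passwords over the network shows up here as one or a few source machines attached to dozens of different accounts, which is the opposite shape from a stale mapped drive or scheduled task (one account, one source). Once a source machine is known, the "which process" half of the question is answered on that machine rather than on the DCs: its own Security log's 4625 (logon failure) events carry a Process Information section naming the caller process, and a Logon Type that separates network logons from services and scheduled tasks. Microsoft's Account Lockout and Management Tools (LockoutStatus.exe and EventCombMT) do the per-DC collection above with a GUI for anyone who prefers not to script it.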