
Account lockouts on AD2K3 DCs from a workstation with no IP address


richard.hale
We have a machine that is showing up on all of our DCs and locking out every account one after another. The machine can't be pinged, has no IP address on our network, and does not show up in any DNS or DHCP logs.

All we get is an event ID 680 on our DC showing the source machine (which is completely untraceable to this point).


Has anyone else seen this? We are open to ideas.
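One way to triage the event 680 data described above is to aggregate the DC's authentication failures by Source Workstation and flag any single source that fails against many distinct accounts, which is the lock-them-out-one-after-another pattern. This is an added example, not code from the thread; it assumes the 680 records have been exported as one-line text with "Logon account", "Source Workstation" and "Error Code" fields, and the sample lines, host names and accounts below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of exported Event ID 680 records in a simplified one-line form
# (a real export carries more fields). 0xC000006A = bad password, 0xC0000234 = locked out.
SAMPLE_680_EVENTS = """\
2008-03-04 09:01:12 Logon account: jsmith Source Workstation: GHOSTPC Error Code: 0xC000006A
2008-03-04 09:01:13 Logon account: jsmith Source Workstation: GHOSTPC Error Code: 0xC000006A
2008-03-04 09:01:14 Logon account: jsmith Source Workstation: GHOSTPC Error Code: 0xC0000234
2008-03-04 09:01:20 Logon account: adoe Source Workstation: GHOSTPC Error Code: 0xC000006A
2008-03-04 09:01:21 Logon account: adoe Source Workstation: GHOSTPC Error Code: 0xC0000234
2008-03-04 09:01:30 Logon account: bkim Source Workstation: GHOSTPC Error Code: 0xC000006A
2008-03-04 09:05:02 Logon account: clee Source Workstation: FIN-LAPTOP07 Error Code: 0xC000006A
2008-03-04 09:05:40 Logon account: clee Source Workstation: FIN-LAPTOP07 Error Code: 0x0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon account: (?P<account>\S+) "
    r"Source Workstation: (?P<source>\S+) Error Code: (?P<code>0x[0-9A-Fa-f]+)$"
)
WRONG_PASSWORD, LOCKED_OUT = 0xC000006A, 0xC0000234

def parse_680(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "code": int(m.group("code"), 16)}

def summarize_by_source(events):
    """Per Source Workstation: distinct accounts failed, failure and lockout counts."""
    stats = defaultdict(lambda: {"accounts": set(), "failures": 0, "lockouts": 0})
    for ev in events:
        s = stats[ev["source"]]
        if ev["code"] == WRONG_PASSWORD:
            s["accounts"].add(ev["account"])
            s["failures"] += 1
        elif ev["code"] == LOCKED_OUT:
            s["lockouts"] += 1
    return stats

def suspicious_sources(stats, min_accounts=3):
    """Sources failing against many distinct accounts: the one-after-another pattern."""
    return sorted(src for src, s in stats.items() if len(s["accounts"]) >= min_accounts)

if __name__ == "__main__":
    st = summarize_by_source(parse_680(SAMPLE_680_EVENTS))
    for src in suspicious_sources(st):
        s = st[src]
        print(f"{src}: {len(s['accounts'])} accounts, {s['failures']} failures, {s['lockouts']} lockouts")
```

The flagged Source Workstation name is what the DC was told by the client, so a name that resolves to nothing in DNS or DHCP is itself a finding worth pairing with the network capture suggested in the replies.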
    dryflies

    Start by isolating one of your DCs to see if it is a local process; odds are one of your machines has been pwned. Use RootkitRevealer (Sysinternals, now owned by M$) to see if there is a rootkit on the DC. If it is dirty, repeat with another DC. If it is clean, still repeat with all other DCs, but also stick a monitor on the network to find the source of the traffic that is manipulating your servers. Capture all WMI traffic, since that is the likely culprit.

    taboga

    If you have a wireless network, see if anyone has their personal laptop with them that is initiating an ad hoc network.
