Account lockouts on AD2K3 DCs from a workstation with no IP address

By richard.hale
We have a machine that is showing up on all of our DCs and locking out every account one after another. The machine can't be pinged, has no IP address on our network, and does not show up in any DNS or DHCP logs.

All we get is an event ID 680 on our DC showing the source machine (which is completely untraceable to this point).

Anyone else seen this - we are open to ideas.
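The 680 events mentioned in the post carry only the client-supplied "Source Workstation" name, not an IP address, so the usual first step is to pull them from every DC and tally them by that name. The following is an added example, not code from the thread: it parses constructed 680 messages in the Windows Server 2003 layout (NT status 0xC000006A is a bad password, 0xC0000234 an already locked-out account) and flags any workstation name whose failures span several accounts; the helper, DC names and sample accounts are assumptions.

```python
import re
from collections import defaultdict

# Field layout of a Windows Server 2003 Security event ID 680 message
# (NTLM logon failure). The workstation name is whatever the client sent.
FIELD_RE = re.compile(
    r"Logon account:\s*(?P<account>\S+).*?"
    r"Source Workstation:\s*(?P<workstation>\S+).*?"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)",
    re.DOTALL,
)
WRONG_PASSWORD, LOCKED_OUT = "0xC000006A", "0xC0000234"

def msg(account, workstation, code):
    """Build a constructed 680 message in the 2003 layout (sample data only)."""
    return ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Logon account: {account}\nSource Workstation: {workstation}\n"
            f"Error Code: {code}")

# Constructed (dc, message) pairs standing in for exports from several DCs.
SAMPLE_EVENTS = [
    ("DC1", msg("jsmith", "WKS-GHOST", WRONG_PASSWORD)),
    ("DC1", msg("jsmith", "WKS-GHOST", LOCKED_OUT)),
    ("DC2", msg("mjones", "WKS-GHOST", WRONG_PASSWORD)),
    ("DC2", msg("akhan", "WKS-GHOST", WRONG_PASSWORD)),
    ("DC1", msg("jsmith", "WKS-042", WRONG_PASSWORD)),  # an ordinary typo
]

def parse_680(message):
    """Extract account, workstation and NT status code; None if not a 680."""
    m = FIELD_RE.search(message)
    return m.groupdict() if m else None

def tally_by_workstation(events):
    """Aggregate 680 records per client-supplied workstation name."""
    tally = defaultdict(lambda: {"failures": 0, "lockouts": 0,
                                 "accounts": set(), "dcs": set()})
    for dc, message in events:
        rec = parse_680(message)
        if rec is None:
            continue
        t = tally[rec["workstation"]]
        t["failures"] += 1
        t["lockouts"] += rec["code"] == LOCKED_OUT
        t["accounts"].add(rec["account"])
        t["dcs"].add(dc)
    return dict(tally)

def suspect_workstations(events, min_accounts=3):
    """Workstation names whose failures span at least min_accounts accounts."""
    return sorted(ws for ws, t in tally_by_workstation(events).items()
                  if len(t["accounts"]) >= min_accounts)
```

Because the name comes from the NTLM client, a name that resolves nowhere (as in the post) is expected when the host is not domain-joined or is lying; the network capture the replies suggest is what ties the name to a MAC address or IP.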

All Answers

Wow! That's a tough one.

by dryflies In reply to Account lockouts on AD2K3 ...

Start by isolating one of your DCs to see if it is a local process; odds are one of your machines has been pwned. Use RootkitRevealer (Sysinternals, now owned by M$) to see if there is a rootkit on the DC. If it is dirty, repeat with another DC. If it is clean, still repeat with all other DCs, but also stick a monitor on the network to find the source of the traffic that is manipulating your servers. Capture all WMI traffic, since that is the likely culprit.

Do you have a wireless network?

by taboga In reply to Wow! That's a tough one.

If you have a wireless network, see if anyone has their personal laptop with them that is initiating an ad hoc network.
