Most of our login problems here are caused by Android devices not getting their password updated.
On Tue, Sep 10, 2013 at 3:42 PM, David McSpadden <[email protected]> wrote:

> Not rootkit, no conficker, but 3 logon hits on the DCs from the DCs
> using my creds while I was offline scanning???
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
> Sent: Tuesday, September 10, 2013 11:45 AM
> To: '[email protected]'
> Subject: RE: [NTSysADM] RE: Logon sniffing tool
>
> Had a similar issue here, I think it was a conficker variant causing the
> problem. The event gave the address of the offending PC though so it was
> easier to track down.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Tuesday, September 10, 2013 11:31 AM
> To: [email protected]
> Subject: RE: [NTSysADM] RE: Logon sniffing tool
>
> After 3 days of looking, we gave up for now. But this will need to be
> resolved before they do their AD migration into the parent company.
>
> Thanks
>
> Webster
>
> From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
> Sent: Tuesday, September 10, 2013 10:23 AM
> To: [email protected]
> Subject: RE: [NTSysADM] RE: Logon sniffing tool
>
> Have you found the bad process yet?
>
> I am watching my event viewer on the DCs right now waiting for the hit so
> I can then go into my Procmon and Netmon processes to find it on my machine.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Tuesday, September 10, 2013 11:09 AM
> To: [email protected]
> Subject: RE: [NTSysADM] RE: Logon sniffing tool
>
> The built-in administrator account. Tens of thousands of 0x12 and 0x18
> every day.
>
> I saved and cleared all the event logs at 7PM on Wednesday and when we
> showed up at 8AM Thursday there were already over 358,000 failed logon
> attempts!
>
> Thanks
>
> Webster
>
> From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
> Sent: Tuesday, September 10, 2013 10:02 AM
> To: [email protected]
> Subject: RE: [NTSysADM] RE: Logon sniffing tool
>
> Just Domain admins?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Tuesday, September 10, 2013 10:54 AM
> To: [email protected]
> Subject: [NTSysADM] RE: Logon sniffing tool
>
> I faced the same issue last week. We were unable to determine the cause
> of the mysterious attempts to lock out the domain admin administrator
> account. There were no services or scheduled tasks that used that account
> and even using "rundll32 keymgr.dll,KRShowKeyMgr" showed no cached
> credentials on any of the computers.
>
> The DCs' security event logs are being flooded with 0x12 and 0x18 errors
> for event IDs 675 and 680.
>
> I am interested in also seeing what the list suggests for tracking this
> down.
>
> Thanks
>
> Webster
>
> From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
> Sent: Tuesday, September 10, 2013 9:25 AM
> To: [email protected]
> Subject: [NTSysADM] Logon sniffing tool
>
> My machine is trying and failing to log into the domain about every 6
> minutes.
>
> What tool can I use to find the process, service, or program that is
> attempting to log in with a bad password?
>
> Windows 8 64 bit failing with a 2008 AD.
>
> Event ID 675 code 0x18
>
> Thank you
>
> David W. McSpadden
>
> Begin Planning
> Arrange for Reconnaissance and Coordination
> Make Reconnaissance
> Complete Plan
> Issue Order
> Supervise
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
> Please consider the environment before printing this email.
>
> This email and any attached files are confidential and intended solely for
> the intended recipient(s). If you are not the named recipient you should
> not read, distribute, copy or alter this email. Any views or opinions
> expressed in this email are those of the author and do not represent those
> of the company. Warning: Although precautions have been taken to make sure
> no viruses are present in this email, the company cannot accept
> responsibility for any loss or damage that arise from the use of this email
> or attachments.

-- 
smsadm
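The thread asks how to find which machine, and then which process, is burning through bad-password attempts against one account. Below is an added example of the DC-side half of that hunt, written for this page and not posted by anyone in the thread. It assumes a Windows Server 2008 or later DC, where the Windows 2003-era IDs 675 and 680 quoted above are logged as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation); in 4771 the status 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password) and 0x12 is KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out), and 4771 carries the client IP address while 4776 carries only a workstation name. The account name `Administrator`, the function name `Get-FailedLogonSource` and the 13-hour window are assumptions chosen to match the thread's numbers.

```powershell
# Added example (not from the thread): summarise failed logons for one account on a DC
# and identify the client generating them. Assumes a Server 2008+ DC, where the
# 2003-era IDs 675/680 are logged as 4771 (Kerberos pre-auth failed) and
# 4776 (NTLM credential validation). Account name and DC list are assumptions.

function Get-FailedLogonSource {
    param(
        [string]$TargetUser = 'Administrator',              # assumed account under attack
        [string[]]$DomainController = @($env:COMPUTERNAME),  # assumed: run on the DC itself
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML into a hashtable
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $TargetUser) { continue }

            if ($e.Id -eq 4771) {
                # Kerberos: Status 0x18 = KDC_ERR_PREAUTH_FAILED (bad password),
                #           0x12 = KDC_ERR_CLIENT_REVOKED (disabled/expired/locked out).
                # IpAddress is often IPv4-mapped (::ffff:10.1.2.3); strip the prefix.
                $source = $d['IpAddress'] -replace '^::ffff:', ''
            } else {
                # NTLM: Status 0xc000006a = wrong password, 0xc0000234 = locked out.
                # Only the workstation name is recorded, not an IP.
                $source = $d['Workstation']
            }

            [pscustomobject]@{
                DC      = $dc
                Time    = $e.TimeCreated
                EventId = $e.Id
                User    = $d['TargetUserName']
                Status  = $d['Status']
                Source  = $source
            }
        }
    }
}

# 13 hours covers a 7PM-to-8AM window like the one described in the thread.
$failures = Get-FailedLogonSource -TargetUser 'Administrator' -Hours 13

# Which source is generating the failures, with which status, and over what period?
$failures | Group-Object Source, EventId, Status | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Cadence of the top source: a steady gap (e.g. about 6 minutes) points at a service,
# scheduled task or saved credential rather than a person, which is what to look for
# on that machine with Procmon/Netmon.
$top = ($failures | Group-Object Source | Sort-Object Count -Descending |
        Select-Object -First 1).Name
$prev = $null
$failures | Where-Object { $_.Source -eq $top } | Sort-Object Time | ForEach-Object {
    if ($prev) {
        [pscustomobject]@{
            Time       = $_.Time
            GapMinutes = [math]::Round(($_.Time - $prev).TotalMinutes, 1)
        }
    }
    $prev = $_.Time
} | Select-Object -Last 10 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on (or with event-log rights to) each DC; with hundreds of thousands of events in the log, keep `-Hours` small, since `Get-WinEvent` has to deserialise every matching record. A source address that is a DC itself, as in David's last message, means the request was made by something running on that DC (a service, task or stored credential), not by a workstation. Once the client is known, `cmdkey /list` on that machine is the command-line equivalent of the `KRShowKeyMgr` dialog mentioned above for listing stored credentials, and Procmon filtered on that process start time will show which image is making the attempt.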

