I have a friend who has been battling the same type of thing for the last 2
days. He thinks it is the Corn Flicker worm:

 

http://forums.mcafeehelp.com/showthread.php?t=225901

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2

 

 

But so far has been unable to verify this. From what he's saying Trend is
supposed to catch it (he has the latest definitions), but isn't. Then
again, most of his systems are very far out of patch status so that is
part of the issue. 

 

 

Are your systems patched for MS08-067?

 

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

  _____  

From: Andy Crellin [mailto:[email protected]] 
Sent: Thursday, January 08, 2009 11:29 AM
To: NT System Admin Issues
Subject: All AD Accounts getting gradually locked out

 

OK, here's a teaser...

 

All of our AD accounts are gradually being locked out. I have one guy
searching for locked out accounts and unlocking them (and they do not get
re-locked out) but with 2500 accounts this is more than a PITA. Now, this
stinks of a brute force attack on an enumerated list of accounts on the
network (we allow 10 attempts then lockout for 30mins), but we can't find
_anything_ that looks like this. To compound matters, we have also had a
small outbreak of WORM_DOWNAD.AD which has been contained and managed
well, but I think this is a red herring as that worm's symptoms are
nothing like what we are seeing (and there is no correlation).

 

Does anyone know of a way to find out what processes are attempting to
make a logon attempt (we have about 10 DCs spread about the place) to an
account - bearing in mind it could be any one of 2500 accounts? Also, is
it possible to find out where the logon attempt that caused an account
lock came from?

 

Cheers, and TIA,

 

Andy.

 

 

Andy Crellin 
Technical Services Manager
Leonard Cheshire Disability
Telephone: 01904 479200
Email: [email protected]
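
An added example, not part of either message above: one way to answer "where did the lockout come from" is to collect the account-lockout events (ID 644 on Windows Server 2003, 4740 on Server 2008 and later, both of which record the caller machine) from every DC and group them by caller. The CSV column layout, host names and sample rows are constructed for illustration, and the 30-minute de-duplication window assumes the same lockout may be recorded on more than one DC.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_EVENT_IDS = {"644", "4740"}      # account locked out: Server 2003 / 2008+
LOCKOUT_WINDOW = timedelta(minutes=30)   # lockout duration stated in the post

# Constructed sample export (hypothetical layout): one row per event per DC.
SAMPLE = """dc,time,event_id,account,caller
DC01,2009-01-08 09:00:05,644,asmith,WS-0417
DC03,2009-01-08 09:00:07,644,asmith,WS-0417
DC01,2009-01-08 09:01:10,644,bjones,WS-0417
DC02,2009-01-08 09:02:30,644,cwhite,WS-0417
DC02,2009-01-08 09:05:00,644,dgreen,LAPTOP-22
DC01,2009-01-08 09:06:00,540,asmith,WS-0417
DC04,2009-01-08 09:40:00,644,asmith,WS-0417
"""

def lockouts_by_source(export_text):
    """Return {caller: {account: [lockout times]}}, cross-DC duplicates collapsed."""
    rows = [r for r in csv.DictReader(io.StringIO(export_text))
            if r["event_id"] in LOCKOUT_EVENT_IDS]   # drop non-lockout events
    rows.sort(key=lambda r: r["time"])               # ISO timestamps sort as text
    result = defaultdict(lambda: defaultdict(list))
    for r in rows:
        when = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        seen = result[r["caller"]][r["account"]]
        # Assumption: a repeat for the same account and caller inside the
        # lockout window is the same lockout seen on another DC.
        if not seen or when - seen[-1] >= LOCKOUT_WINDOW:
            seen.append(when)
    return result

def suspicious_sources(export_text, min_accounts=3):
    """Callers that locked out at least min_accounts distinct accounts, busiest first."""
    by_src = lockouts_by_source(export_text)
    hits = [(src, sorted(accts)) for src, accts in by_src.items()
            if len(accts) >= min_accounts]
    return sorted(hits, key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for src, accounts in suspicious_sources(SAMPLE):
        print(f"{src}: locked out {len(accounts)} accounts: {', '.join(accounts)}")
```

A single caller locking out many distinct accounts fits the enumerated-list pattern described in the question; a caller that only ever locks out one account is more likely a stale credential on that machine.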
