I feel your pain.
We're just now getting past it.
We had 200+ lab machines w/o AV and latest patches.  Said machines have
deep freeze so they didn't stay infected after reboot but seems like
every day a new one would get infected and spread.
We're in the process of isolating each lab via vlans and have added AV
and updates.  Even got a nightly maintenance schedule working so
hopefully we're in a much better position next week when students return
from spring break.
Hope you get all the mess cleaned up.  
BTW, we did end up reloading a couple machines as they didn't have
freeze so the infection was permanent.
Glen.

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]] 
Sent: Tuesday, March 10, 2009 3:33 PM
To: NT System Admin Issues
Subject: RE: Account lockouts

Officially Conficker.  We were/are fully patched. Must have been via a
thumb drive or website download. It then hit almost every XP machine on
the same subnet and infected it. I hope I am the only one on this list
that gets it, it is ugly.

Thanks for all the help, hints and ideas gang, it was of great value.



> -----Original Message-----
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Tuesday, March 10, 2009 12:41 PM
> To: NT System Admin Issues
> Subject: RE: Account lockouts
> 
> Appreciate the responses...I am digging into your ideas now. I now see
> SYN floods on two DCs that are in the same subnet from 169.254.2.x
> addresses.
> 
> Looking like a virus now......
> 
> 
> 
> 
> > -----Original Message-----
> > From: Glen Johnson [mailto:[email protected]]
> > Sent: Tuesday, March 10, 2009 12:34 PM
> > To: NT System Admin Issues
> > Subject: RE: Account lockouts
> >
> > Sounds like you've got the Conficker virus running somewhere.
> > We had that one for a while.
> > Many locked accounts.
> > Check the account you are using on the server to make sure it isn't
> > locked out.  If it is, you won't be able to use it to unlock anyone.
> > We had to use the "administrator" account to unlock my account so I
> > could unlock others.  I'm pretty sure the "administrator" account
> > can't be locked out.
> > We also found a script that we could run to unlock all of them.
> > Saved lots of time.
> > Also, if you look at the event logs you should see where the
> > infected computer has failed login for different user accounts.
> > It was event 539 on server 2003.  Not sure what the server 08
> > equivalent event number is.
> >
> > -----Original Message-----
> > From: Kennedy, Jim [mailto:[email protected]]
> > Sent: Tuesday, March 10, 2009 12:07 PM
> > To: NT System Admin Issues
> > Subject: RE: Account lockouts
> >
> > I should have added 2008 DC's. Seeing this in 3 of the 5 DC's. The
> > killer is I can't unlock the locked accounts.
> >
> >
> >
> > > -----Original Message-----
> > > From: Kennedy, Jim [mailto:[email protected]]
> > > Sent: Tuesday, March 10, 2009 11:53 AM
> > > To: NT System Admin Issues
> > > Subject: Account lockouts
> > >
> > > I am getting hammered with these in the event log:
> > >
> > > The SAM database was unable to lockout the account of USERNAME due
> > > to a resource error, such as a hard disk write failure (the specific
> > > error code is in the error data) . Accounts are locked after a
> > > certain number of bad passwords are provided so please consider
> > > resetting the password of the account mentioned above.
> > >
> > >
> > > And accounts are getting locked out left and right, others are
> > > not. I have reset the passwords on some of them and
> > > disabled/enabled and they still remain locked out.
> > >
> > > At first glance you/I might think a dictionary attack, but it
> > > feels more like Kerberos blowing up.......
> > >
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
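Added example, not part of the original thread: one way to do the event-log check Glen describes, finding the machine that is failing logons for many different accounts, and flagging sources in the 169.254.x.x range Jim saw. The CSV layout, host names and accounts are constructed for illustration; only event 539 comes from the thread, while 529 and 4625 are added here.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# 539 is the event named in the thread (Server 2003, logon refused because
# the account is locked out). 529 (2003, bad password) and 4625 (Server 2008
# failed logon) are added for this example and are not from the thread.
FAILED_LOGON_IDS = {529, 539, 4625}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample export of Security log events; the column layout, host
# names and accounts are made up.
SAMPLE_EXPORT = """\
time,event_id,account,workstation,source_ip
2009-03-10T11:50:01,539,asmith,LAB3-PC07,169.254.2.14
2009-03-10T11:50:02,539,bjones,LAB3-PC07,169.254.2.14
2009-03-10T11:50:02,529,cdavis,LAB3-PC07,169.254.2.14
2009-03-10T11:50:03,539,dlee,lab3-pc07,169.254.2.14
2009-03-10T11:51:10,529,asmith,OFFICE-PC02,10.1.4.22
2009-03-10T11:51:40,529,asmith,OFFICE-PC02,10.1.4.22
2009-03-10T11:52:00,528,bjones,OFFICE-PC03,10.1.4.23
2009-03-10T11:52:05,4625,asmith,LAB1-PC11,10.1.9.40
2009-03-10T11:52:06,4625,bjones,LAB1-PC11,10.1.9.40
2009-03-10T11:52:07,4625,cdavis,LAB1-PC11,10.1.9.40
"""

def failed_logons_by_source(export_text):
    """Group failed logons by source workstation (case-insensitive)."""
    sources = defaultdict(lambda: {"accounts": set(), "ips": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["event_id"]) not in FAILED_LOGON_IDS:
            continue  # e.g. 528, a successful logon on Server 2003
        entry = sources[row["workstation"].upper()]
        entry["accounts"].add(row["account"].lower())
        if row["source_ip"]:
            entry["ips"].add(row["source_ip"])
        entry["count"] += 1
    return sources

def suspect_sources(export_text, min_accounts=3):
    """Workstations failing logons for many different accounts, worst first."""
    suspects = []
    for name, entry in failed_logons_by_source(export_text).items():
        if len(entry["accounts"]) >= min_accounts:
            link_local = sorted(ip for ip in entry["ips"]
                                if ipaddress.ip_address(ip) in LINK_LOCAL)
            suspects.append((name, len(entry["accounts"]), entry["count"], link_local))
    return sorted(suspects, key=lambda s: s[1], reverse=True)
```

A user mistyping a password shows up as one workstation failing against one account; a machine failing against several accounts in a short window is the one to pull off the network first.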
