I feel your pain. We're just now getting past it. We had 200+ lab machines w/o AV and latest patches. Said machines have Deep Freeze so they didn't stay infected after reboot, but seems like every day a new one would get infected and spread. We're in the process of isolating each lab via VLANs and have added AV and updates. Even got a nightly maintenance schedule working, so hopefully we're in a much better position next week when students return from spring break. Hope you get all the mess cleaned up. BTW, we did end up reloading a couple machines as they didn't have Freeze so the infection was permanent.

Glen.

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]]
Sent: Tuesday, March 10, 2009 3:33 PM
To: NT System Admin Issues
Subject: RE: Account lockouts

Officially Conficker. We were/are fully patched. Must have been via a thumb drive or website download. It then hit almost every XP machine on the same subnet and infected it. I hope I am the only one on this list that gets it, it is ugly.

Thanks for all the help, hints and ideas gang, it was of great value.

> -----Original Message-----
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Tuesday, March 10, 2009 12:41 PM
> To: NT System Admin Issues
> Subject: RE: Account lockouts
>
> Appreciate the responses...I am digging into your ideas now. I now see
> SYN floods on two DCs that are in the same subnet from 169.254.2.x
> addresses.
>
> Looking like a virus now......
>
> > -----Original Message-----
> > From: Glen Johnson [mailto:[email protected]]
> > Sent: Tuesday, March 10, 2009 12:34 PM
> > To: NT System Admin Issues
> > Subject: RE: Account lockouts
> >
> > Sounds like you've got the Conficker virus running somewhere.
> > We had that one for a while.
> > Many locked accounts.
> > Check the account you are using on the server to make sure it isn't
> > locked out. If it is, you won't be able to use it to unlock anyone.
> > We had to use the "administrator" account to unlock my account so I
> > could unlock others. I'm pretty sure the "administrator" account can't
> > be locked out.
> > We also found a script that we could run to unlock all of them. Saved
> > lots of time.
> > Also, if you look at the event logs you should see where the infected
> > computer has failed login for different user accounts.
> > It was event 539 on Server 2003. Not sure what the Server 08
> > equivalent event number is.
> >
> > -----Original Message-----
> > From: Kennedy, Jim [mailto:[email protected]]
> > Sent: Tuesday, March 10, 2009 12:07 PM
> > To: NT System Admin Issues
> > Subject: RE: Account lockouts
> >
> > I should have added 2008 DCs. Seeing this in 3 of the 5 DCs. The
> > killer is I can't unlock the locked accounts.
> >
> > > -----Original Message-----
> > > From: Kennedy, Jim [mailto:[email protected]]
> > > Sent: Tuesday, March 10, 2009 11:53 AM
> > > To: NT System Admin Issues
> > > Subject: Account lockouts
> > >
> > > I am getting hammered with these in the event log:
> > >
> > > The SAM database was unable to lockout the account of USERNAME due to a
> > > resource error, such as a hard disk write failure (the specific error
> > > code is in the error data) . Accounts are locked after a certain number
> > > of bad passwords are provided so please consider resetting the password
> > > of the account mentioned above.
> > >
> > > And accounts are getting locked out left and right, others are not. I
> > > have reset the passwords on some of them and disabled/enabled and they
> > > still remain locked out.
> > >
> > > At first glance you/I might think a dictionary attack, but it feels
> > > more like Kerberos blowing up.......

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
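
The thread's tip for finding the infected machine is to look in the event logs for one computer failing logons against many different accounts. The following is an added example, not code from the thread, that applies that check to an exported log. The CSV layout, host names and addresses are constructed, and event IDs 529 and 4625 are included alongside the thread's 539 as the general failed-logon IDs on Server 2003 and Server 2008.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 and 539 (Server 2003), 4625 (Server 2008).
FAILED_LOGON_IDS = {"529", "539", "4625"}

# Constructed sample export: time, event ID, target account, workstation, source IP.
SAMPLE = """\
2009-03-10 11:50:01,539,asmith,LAB-PC07,169.254.2.17
2009-03-10 11:50:03,529,bjones,LAB-PC07,169.254.2.17
2009-03-10 11:50:04,529,cwu,LAB-PC07,169.254.2.17
2009-03-10 11:50:09,539,dlee,LAB-PC07,169.254.2.17
2009-03-10 11:51:30,529,asmith,LAB-PC07,169.254.2.17
2009-03-10 09:02:11,529,jdoe,FRONTDESK,10.0.4.21
2009-03-10 09:02:25,529,jdoe,FRONTDESK,10.0.4.21
2009-03-10 09:02:40,528,jdoe,FRONTDESK,10.0.4.21
2009-03-10 08:00:00,4625,asmith,LIB-PC02,10.0.6.5
2009-03-10 10:00:00,4625,bjones,LIB-PC02,10.0.6.5
2009-03-10 12:00:00,4625,cwu,LIB-PC02,10.0.6.5
2009-03-10 14:00:00,4625,dlee,LIB-PC02,10.0.6.5
"""

def suspect_sources(text, min_accounts=4, window=timedelta(minutes=5)):
    """Return {workstation: accounts} for sources whose failed logons hit
    at least min_accounts distinct accounts inside one sliding window."""
    by_source = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[1] not in FAILED_LOGON_IDS:
            continue  # skip malformed rows and non-failure events (e.g. 528)
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        by_source[row[3]].append((when, row[2].lower()))
    flagged = {}
    for workstation, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({acct for _, acct in events[start:end + 1]}) >= min_accounts:
                flagged[workstation] = sorted({acct for _, acct in events})
                break
    return flagged

if __name__ == "__main__":
    for host, accounts in suspect_sources(SAMPLE).items():
        print(host, "failed logons against", ", ".join(accounts))
```

A single user mistyping a password (FRONTDESK) and failures spread over hours (LIB-PC02) stay below the default threshold; only the host cycling through accounts within minutes is reported.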
