Domain Controller Locking out AD accounts.
Good morning/Day everyone...we have several domain controllers in different countries...the scenario is as follows...
There is a domain controller in Argentina that was infected with the W32.Downadup threat. This is a 2003 server with the most current service pack. I have SAV 10.1.7 on this server; the first issue is that it is not updating AV defs as it should. The second and MAIN issue is that this DC was locking out Active Directory accounts. I cleaned this server up and installed KB958644 to patch it up... It seems to have done the trick, but the updates are still not going.
The next thing that happens is a BRAND NEW DC that is also a 2003 SP2 server BUT HAS SEP installed on it starts taking over the behavior from where the previous DC left off. This server is in the USA and it is now locking out accounts in AD, one by one and in sequence. This server has SEP 11.0.7 installed, I have all of the DC exceptions listed and I ONLY installed it for AV and spyware detection, NOT for NTP or PTP...
I checked the event viewer and narrowed it down to the machine in the USA, and once this machine was shut down the lockouts stopped. I am not sure if it is AV related, but it initiated with the first server in Argentina which WAS infected. Once this infection was cleaned up in Argentina the lockouts moved to another server.
Comments
Interesting behavior
This seems to be interesting behavior.
Although I think this is more an AD issue than an AV issue...
Can you connect to the DC in question (the one locking the accounts)?
On the DC, open the Event Viewer (Start - Run - eventvwr) and go to the Security section.
This is where the DC is logging the audits of successful and unsuccessful login/logoff attempts.
This is where we can acquire more information relating to why the accounts are being logged off.
Find in here the failure audits from an account.
Can you please let me (us) know the error code of the failed attempts, or the information contained therein...
Thank you.
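The Security log triage suggested above, as an added example that is not part of the original thread: a Python script that parses a constructed text export of Windows Server 2003 Security records (Event ID 529 logon failures and 644 lockouts), attributes each event to the machine named in the record, and reports which machine is driving the lockouts and in what order accounts were locked. The export line format, host names and account names are assumptions made for the sample.

```python
import re
from collections import Counter

# Constructed sample (not real data): a simplified text export of a
# Windows Server 2003 Security log, one record per line as
# timestamp,event id,description,fields. 529 = logon failure (bad user
# name or password); 644 = user account locked out.
SAMPLE_LOG = """\
2011-05-02 08:01:10,529,Logon Failure,User Name: jsmith,Workstation Name: USDC01
2011-05-02 08:01:11,529,Logon Failure,User Name: jsmith,Workstation Name: USDC01
2011-05-02 08:01:13,644,User Account Locked Out,Target Account Name: jsmith,Caller Machine Name: USDC01
2011-05-02 08:01:20,529,Logon Failure,User Name: mlee,Workstation Name: USDC01
2011-05-02 08:01:21,529,Logon Failure,User Name: mlee,Workstation Name: USDC01
2011-05-02 08:01:23,644,User Account Locked Out,Target Account Name: mlee,Caller Machine Name: USDC01
2011-05-02 08:07:45,529,Logon Failure,User Name: pgomez,Workstation Name: WS-HR-07
"""

# The two event types name their fields differently; map both to one key.
ACCOUNT_RE = re.compile(r"(?:User Name|Target Account Name): ([^,\s]+)")
MACHINE_RE = re.compile(r"(?:Workstation Name|Caller Machine Name): ([^,\s]+)")


def parse_records(text):
    """Return (timestamp, event_id, account, machine) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, rest = line.split(",", 2)
        account, machine = ACCOUNT_RE.search(rest), MACHINE_RE.search(rest)
        if account and machine:
            records.append((ts, int(event_id), account.group(1), machine.group(1)))
    return records


def events_by_machine(records, event_id):
    """Count events of one ID per source machine (the Workstation/Caller name)."""
    return Counter(m for _, eid, _, m in records if eid == event_id)


def suspect_machine(records):
    """Machine that triggered the most 644 lockouts, or None if there were none."""
    counts = events_by_machine(records, 644)
    return counts.most_common(1)[0][0] if counts else None


def locked_accounts_in_order(records):
    """Accounts locked out (644) in the order the DC logged them."""
    return [acct for _, eid, acct, _ in sorted(records) if eid == 644]
```

A run over the sample attributes both lockouts to USDC01, while the single failure from WS-HR-07 is just a mistyped password and not part of the sequence.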
AD Account lockouts is a
AD account lockouts are a common symptom of a Downadup infection; it looks like when the OP cleaned the infection the account lockouts stopped happening.
If I was able to help resolve your issue please mark my post as solution.
Error codes are
529 and 644
I also notice that in SEP some of the functions are not available at all....
if shutting down the server
If shutting down the server has stopped the account lockouts, then remediate before plugging it back into the network.
You can refer to this threat writeup and also use the removal tool if required:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
also this thread
https://www-secure.symantec.com/connect/forums/w32downadup
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
This answer pointed me in the right direction
...problem solved and now I know what to look for and where.
+1 for pete
Have you attempted to scan and clear the virus from the ADC?
If you are not receiving any trust errors, then it is possible you are still infected.
also some locked out accounts...
Bryan, we have the same problem here. In the last few months, a number of admin accounts of our system administrators were locked out, also one by one in sequence. Because of some other problems, I decided to uninstall the SAV from the domain controller. When reading your article, I hope this problem will be solved too.
I will let you know what the results are...
The only other thing I can think of
The only other thing I can think of, if no infection is detected, is when the second ADC takes over, it is locking out accounts because the trust relationship between the DCs has gone flaky.
This was not indicated in either of the 2 Event IDs provided, but may still be the case.
D.Exe caught and removed DownAdup...
It caught it and I do not see the lockouts any longer. A safe mode scan cannot be done on a Domain Controller. I am not sure why this happened, this was a fresh roll...
Running D.EXE to get rid of Downadup seems to have done the trick, and it is also suggesting that I add this patch, which I already did, but I will do this once again.
http://www.microsoft.com/download/en/confirmation.aspx?id=6185
I guess the DC in Argentina infected the one in the USA before I cleaned it.
Looking through the security logs was the smoking gun for me
As soon as I saw the 644 and 529, I knew what server to pinpoint...without checking this, it was a guessing game.
Happy times.
Happy to hear that this was able to point you in the right direction.
And moreso that your problem is resolved.
For good measure, got any more ADCs you might want to scan for the sake of it?
Agreed
That is my next step...
Here is the log
Symantec W32.Downadup Removal Tool 1.1.0.7
process: svchost.exe, thread: 000007B0 (terminated)
process: svchost.exe, thread: 00000D04 (terminated)
process: svchost.exe, thread: 00000D10 (terminated)
process: svchost.exe, thread: 00000D14 (terminated)
process: svchost.exe, thread: 00000D18 (terminated)
process: svchost.exe, thread: 00000D20 (terminated)
process: svchost.exe, thread: 00000EF8 (terminated)
process: svchost.exe (terminated)
C:\WINDOWS\system32\zgiak.dll: W32.Downadup.B (unrepairable) (deleted)
registry: HKLM\system\CurrentControlSet\Services\BITS: Start (value set to 0x00000003 (3))
registry: HKLM\system\CurrentControlSet\Services\ERSvc: Start (value set to 0x00000002 (2))
registry: HKLM\system\CurrentControlSet\Services\wuauserv: Start (value set to 0x00000002 (2))
W32.Downadup has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 30009
The number of deleted threat files: 1
The number of threat processes terminated: 1
The number of threat threads terminated: 7
The number of registry entries fixed: 3
The tool initiated a system reboot.
Virus must have passed through shared folders
NetLogon and Sysvol were shared... I am guessing it was the welcome mat between servers for Downadup as well...
I wonder why this only hits DCs though
...and what a peculiar thing for a trojan to do... I know the shares have loose permissions. I am happy this is fixed though.