Endpoint Protection


Domain Controller Locking out AD accounts.

Migration User


  • 1.  Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 08:54 AM

    Good morning/Day everyone...we have several domain controllers in different countries...the scenario is as follows...

    There is a domain controller in Argentina that was infected with the W32.Downadup threat. This is a 2003 server with the most current service pack. I have SAV 10.1.7 on this server; the first issue is that it is not updating AV defs as it should. The second and MAIN issue is that this DC was locking out Active Directory accounts. I cleaned this server up and installed KB958644 to patch it up... It seems to have done the trick, but the updates are still not going.

    The next thing that happens is a BRAND NEW DC that is also a 2003 SP2 server BUT HAS SEP installed on it starts taking over the behavior from where the previous DC left off. This server is in the USA and it is now locking out accounts in AD, one by one and in sequence.  This server has SEP 11.0.7 installed; I have all of the DC exceptions listed and I ONLY installed it for AV and spyware detection, NOT for NTP or PTP...

    I checked the Event Viewer and narrowed it down to the machine in the USA, and once this machine was shut down the lockouts stopped. I am not sure if it is AV related, but it initiated with the first server in Argentina which WAS infected. Once this infection was cleaned up in Argentina the lockouts moved to another server.



  • 2.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 09:45 AM

    This seems to be interesting behavior.

    Although I think this is more an AD issue than an AV issue...

    Can you connect to the DC in question (the one locking the accounts).

    On the DC, open the Event Viewer (Start - Run - eventvwr) and go to the Security section.

    This is where the DC is logging the audits of successful and unsuccessful logon/logoff attempts.

    This is where we can acquire more information relating to why the accounts are being logged off. 

    Find in here the failure audits from an account. 

    Can you please let me (us) know the error code of the failed attempts or the information contained therein... 

    Thank you.
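    The check this reply asks for (pull the failure audits from the DC's Security log and read the Event ID together with the Workstation Name / Caller Machine Name fields) is what later lets the original poster pinpoint the offending DC from the 529 and 644 entries. The script below is an added example, not code from this thread or from Symantec. It parses a constructed, pipe-separated export of 2003-style security audits and reports which machine is driving the lockouts. Event IDs 529 (Logon Failure: unknown user name or bad password) and 644 (User Account Locked Out) and their field names are the real pre-2008 ones; the export layout, the host names and every sample line are constructed for the example.

```python
"""Triage Windows Server 2003 security audits to find the machine that is
driving Active Directory account lockouts.

Added example, not from the thread. Event IDs follow the classic (pre-2008)
security log: 529 = Logon Failure (unknown user name or bad password),
644 = User Account Locked Out. The pipe-separated export layout, the host
names and every audit line below are constructed for this example.
"""
from collections import Counter

EVENT_NAMES = {
    529: "Logon Failure: unknown user name or bad password",
    644: "User Account Locked Out",
}

# Constructed sample export: event_id|time|audit_type|Field: value|...
# USDC01 plays the role of the DC that is hammering other accounts.
SAMPLE_AUDIT_LOG = """\
644|2012-02-13 08:52:10|Failure Audit|Target Account Name: jsmith|Caller Machine Name: USDC01
529|2012-02-13 08:52:05|Failure Audit|User Name: jsmith|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
529|2012-02-13 08:52:04|Failure Audit|User Name: jsmith|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
529|2012-02-13 08:52:03|Failure Audit|User Name: jsmith|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
644|2012-02-13 08:51:41|Failure Audit|Target Account Name: mgarcia|Caller Machine Name: USDC01
529|2012-02-13 08:51:40|Failure Audit|User Name: mgarcia|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
529|2012-02-13 08:51:39|Failure Audit|User Name: mgarcia|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
529|2012-02-13 08:51:38|Failure Audit|User Name: mgarcia|Domain: CORP|Logon Type: 3|Workstation Name: USDC01
529|2012-02-13 08:30:00|Failure Audit|User Name: bwong|Domain: CORP|Logon Type: 2|Workstation Name: LAPTOP17
540|2012-02-13 08:29:00|Success Audit|User Name: bwong|Domain: CORP|Logon Type: 2|Workstation Name: LAPTOP17
"""


def parse_audit_lines(text):
    """Turn each export line into a dict; the named fields become keys."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        event = {"event_id": int(parts[0]), "time": parts[1], "audit": parts[2]}
        for field in parts[3:]:
            key, _, value = field.partition(":")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def lockout_callers(events):
    """Count 644 lockouts per Caller Machine Name (the host that sent the bad passwords)."""
    return Counter(e["Caller Machine Name"] for e in events if e["event_id"] == 644)


def failures_by_workstation(events):
    """Count 529 bad-password failures per Workstation Name."""
    return Counter(e["Workstation Name"] for e in events if e["event_id"] == 529)


def lockout_timeline(events):
    """Lockouts in time order: a run of different accounts from one caller is the
    'one by one, in sequence' pattern the original post describes."""
    return sorted((e["time"], e["Target Account Name"], e["Caller Machine Name"])
                  for e in events if e["event_id"] == 644)


def pinpoint_source(events):
    """Return (machine, lockout_count, affected_accounts) for the top 644 caller,
    cross-checked against the accounts that failed 529 logons from that machine."""
    callers = lockout_callers(events)
    if not callers:
        return None
    machine, count = callers.most_common(1)[0]
    accounts = sorted({e["User Name"] for e in events
                       if e["event_id"] == 529 and e.get("Workstation Name") == machine})
    return machine, count, accounts


def triage_report(events):
    """Human-readable summary for whoever is working the lockout ticket."""
    lines = [f"{eid} = {name}" for eid, name in sorted(EVENT_NAMES.items())]
    lines.append("Lockouts (644) by caller machine:")
    for machine, n in lockout_callers(events).most_common():
        lines.append(f"  {machine}: {n}")
    lines.append("Bad-password failures (529) by workstation:")
    for ws, n in failures_by_workstation(events).most_common():
        lines.append(f"  {ws}: {n}")
    found = pinpoint_source(events)
    if found:
        machine, n, accounts = found
        lines.append(f"Likely source: {machine} ({n} lockouts; failing accounts: {', '.join(accounts)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(parse_audit_lines(SAMPLE_AUDIT_LOG)))
```

    The 644 entry names the caller that exhausted the lockout threshold, while the matching run of 529 entries from the same Workstation Name confirms it is that host sending the bad passwords rather than a user mistyping; a single 529 from a laptop, as in the sample, is ordinary noise and does not show up as a source.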



  • 3.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 09:46 AM

    529 and 644

    I also notice that in SEP some of the functions are not available at all....



  • 4.  RE: Domain Controller Locking out AD accounts.
    Best Answer

    Broadcom Employee
    Posted Feb 13, 2012 09:52 AM

    If shutting down the server has stopped the account lockouts, then remediate before plugging it back into the network.

    You can refer to this threat writeup and also use the removal tool if required:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2

    Also this thread:

    https://www-secure.symantec.com/connect/forums/w32downadup



  • 5.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 10:09 AM

    Have you attempted to scan and clear the virus from the ADC?

    If you are not receiving any Trust errors, then it is possible you are still infected.



  • 6.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 10:59 AM

    Bryan, we have the same problem here. In the last few months, a number of admin accounts of our system administrators were locked out, also one by one in sequence. Because of some other problems, I decided to uninstall the SAV from the domain controller. When reading your article, I hope this problem will be solved too.

    I will let you know what the results are...



  • 7.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 11:11 AM

    The only other thing I can think of, if no infection is detected, is when the second ADC takes over, it is locking out accounts because the trust relationship between the DCs has gone flaky.

    This was not indicated in either of the 2 Event IDs provided, but may still be the case.



  • 8.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 01:25 PM

    It caught it and I do not see the lockouts any longer. A safe mode scan cannot be done on a Domain Controller. I am not sure why this happened; this was a fresh roll...

    Running D.EXE to get rid of Downadup seems to have done the trick, and it is also suggesting that I add this patch, which I already did, but I will do this once again.

    http://www.microsoft.com/download/en/confirmation.aspx?id=6185

    I guess the DC in Argentina infected the one in the USA before I cleaned it.



  • 9.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 01:30 PM

    As soon as I saw the 644 and 529, I knew what server to pinpoint...without checking this, it was a guessing game.



  • 10.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 01:39 PM

    Symantec W32.Downadup Removal Tool 1.1.0.7
    process: svchost.exe, thread: 000007B0 (terminated)
    process: svchost.exe, thread: 00000D04 (terminated)
    process: svchost.exe, thread: 00000D10 (terminated)
    process: svchost.exe, thread: 00000D14 (terminated)
    process: svchost.exe, thread: 00000D18 (terminated)
    process: svchost.exe, thread: 00000D20 (terminated)
    process: svchost.exe, thread: 00000EF8 (terminated)
    process: svchost.exe (terminated)

    C:\WINDOWS\system32\zgiak.dll: W32.Downadup.B (unrepairable) (deleted)


    registry: HKLM\system\CurrentControlSet\Services\BITS: Start (value set to 0x00000003 (3))
    registry: HKLM\system\CurrentControlSet\Services\ERSvc: Start (value set to 0x00000002 (2))
    registry: HKLM\system\CurrentControlSet\Services\wuauserv: Start (value set to 0x00000002 (2))

    W32.Downadup has been successfully removed from your computer!

    Here is the report:

    The total number of the scanned files: 30009
    The number of deleted threat files: 1
    The number of threat processes terminated: 1
    The number of threat threads terminated: 7
    The number of registry entries fixed: 3

    The tool initiated a system reboot.



  • 11.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:11 PM

    Happy to hear that this was able to point you in the right direction.

    And moreso that your problem is resolved.

    For good measure, got any more ADCs you might want to scan for sake.



  • 12.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:12 PM

    AD account lockouts are a common symptom of a Downadup infection; it looks like when the OP cleaned the infection the account lockouts stopped happening.



  • 13.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:16 PM

    That is my next step...



  • 14.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:25 PM

    ...problem solved and now I know what to look for and where.



  • 15.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:36 PM

    NetLogon and Sysvol were shared... I am guessing it was the welcome mat between servers for Downadup as well...



  • 16.  RE: Domain Controller Locking out AD accounts.

    Posted Feb 13, 2012 02:43 PM

    ...and what a peculiar thing for a trojan to do... I know the shares have loose permissions... I am happy this is fixed though.