Question : Virus Attack on Domain - Event ID 12294 (SAM) & Event ID 644, 675 = Net-Worm.Win32.Kido
Hi all,
We've got a virus problem in our domain since this morning.
Most of the time the Administrator account is attacked, but here are the main events:

Event ID 644: User Account Locked Out:
  Target Account Name: mha
  Target Account ID: mydomain\mha
  Caller Machine Name: WST187
  Caller User Name: SERVER-A01$
  Caller Domain: mydomain
  Caller Logon ID: (0x0,0x3E7)

and (Event ID 675): Pre-authentication failed:
  User Name: mha
  User ID: mydomain\mha
  Service Name: krbtgt/mydomain
  Pre-Authentication Type: 0x2
  Failure Code: 0x12
  Client Address: ip

Event ID 12294 (we got TONS of these): The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

This domain has about 100 workstations connected. All (most...) of them have Kaspersky Scanner installed, are WSUS patched and run with just user rights.
However, somehow we now have a big mess because of this:
>>> Net-Worm.Win32.Kido.ix <<<
We found some machines with this and removed it with a special tool from Kaspersky. But there are still some in the "wild" here.
What is the best way to track down which machines the attacks come from? How can I use the event logging to track them down?
please help!
thank you!!
BTW, the two domain servers seem never to have been infected at all, at least not the OS parts. We only found the "autorun.inf" on some data shares; autorun is disabled by GPO in our domain.
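The poster asks how to use the event log to find the machines the password attacks come from. The script below is an added example for this thread, not code from the original post or from Kaspersky or Microsoft: it reads Event ID 644 and 675 from the Security log of each domain controller and groups them by the field that names the origin (Caller Machine Name for 644, Client Address for 675). It assumes PowerShell 2.0 or later, read access to the DCs' Security logs, and the DC names SERVER-A01 and SERVER-A02 (the second name is an assumption; SERVER-A01 appears in the posted event).

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ (Get-EventLog
# with -InstanceId/-After) and read access to each DC's Security log.
$dcs   = 'SERVER-A01', 'SERVER-A02'   # assumption: the two domain controllers
$since = (Get-Date).AddHours(-24)

function Get-Field([string]$Message, [string]$Label) {
    # Extract "Label:   value" from a Windows 2003-style Security event message
    if ($Message -match "${Label}:\s+(\S+)") { return $Matches[1] }
    return '?'
}

# Event ID 644 (account locked out): "Caller Machine Name" is the host that sent
# the bad passwords. Group by it to get the list of candidate infected machines.
$lockouts = foreach ($dc in $dcs) {
    Get-EventLog -ComputerName $dc -LogName Security -InstanceId 644 -After $since |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                DC      = $dc
                Account = Get-Field $_.Message 'Target Account Name'
                Source  = Get-Field $_.Message 'Caller Machine Name'
            }
        }
}
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Event ID 675 (Kerberos pre-auth failure): "Client Address" is the IP that presented
# the wrong password. Failure code 0x18 = wrong password, 0x12 = account already
# locked out or disabled; both codes point at the same noisy client.
$preauth = foreach ($dc in $dcs) {
    Get-EventLog -ComputerName $dc -LogName Security -InstanceId 675 -After $since |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time     = $_.TimeGenerated
                User     = Get-Field $_.Message 'User Name'
                Code     = Get-Field $_.Message 'Failure Code'
                ClientIP = Get-Field $_.Message 'Client Address'
            }
        }
}

# Top 20 source IPs, resolved to hostnames, with the accounts each one hammered
$preauth | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object -First 20 |
    ForEach-Object {
        $ip = $_.Name
        try   { $name = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $name = 'unresolved' }
        $users = ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
        "{0,6}  {1,-15}  {2,-30}  {3}" -f $_.Count, $ip, $name, $users
    }
```

Run it on (or against) every DC, because each DC only logs the failures it received itself. The 675 Client Address is the more reliable pointer: in the posted 644 the Caller User Name is the DC's own computer account, so the Caller Machine Name can reflect where the lockout was processed rather than the true origin. The 12294 entries carry no caller field at all; they are logged because the built-in Administrator account is exempt from lockout, so the SAM reports a failure instead of locking it, which is why the script works from 644/675 only.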
Answer : Virus Attack on Domain - Event ID 12294 (SAM) & Event ID 644, 675 = Net-Worm.Win32.Kido