Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

E-mail locks out every day, something attempts to log in with the wron

Started by Katia Q , Sep 14 2018 01:09 PM

  • Please log in to reply

#1
Katia Q
Posted 14 September 2018 - 01:09 PM

Katia Q

    New Member

  • Member
  • Pip
  • 3 posts

I start to believe aliens do exist.

 

My husband's work e-mail gets locked out almost every day, saying that someone attempted to log in several times with the wrong password. He works at the university, and it's been already 4 months their IT specialists can't fix this problem. Almost every day he has to ask them to unblock his e-mail, although it was not him who attempted incorrect log-ins! At first we thought it was somebody's bad joke, but after 4 months it looks more like a bug. We need to find this "something" that automatically tries to log into his e-mail. He uses only two computers and never saves his passwords anywhere. Windows 7, Office 365.

We desperately need your help... We appreciate your time!

 

Katia


  • 0

Advertisements

#2
RKinner
Posted 14 September 2018 - 01:38 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

I would think the IT guys should be able to monitor the sources of logins to their email server and block the IP address of the offender.  Are they saying it is from one of his PCs? 

If that's the case we can probably help but I'll have to get this moved to the malware forum.

 

 

If all else fails I would ask them to assign a new email address.  See if that one gets attacked too.


  • 0

#3
Katia Q
Posted 14 September 2018 - 02:00 PM

Katia Q

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts

I would think the IT guys should be able to monitor the sources of logins to their email server and block the IP address of the offender.  Are they saying it is from one of his PCs? 

If that's the case we can probably help but I'll have to get this moved to the malware forum.

 

 

If all else fails I would ask them to assign a new email address.  See if that one gets attacked too.

 

They did not even try to identify the source, they only said to check if we logged out on other computers (which we are). Just different IT people come every day, unblock his email, and nobody wants to do anything beyond it... If you could recommend us what to do to check our computers somehow it would be very helpful...


  • 0

#4
RKinner
Posted 14 September 2018 - 02:25 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

They come to your PC to unlock the email?  They should be able to do it at the server.

 

Do you have admin rights on your PCs?  If so:

  • Get FRST from http://www.bleepingc...very-scan-tool/You need to download the appropriate tool for your PC.  If you don't know if you have a 32 or 64 bit system get them both.  Only one will work and that's the right one.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Check the Addition.txt box
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here.
  • It will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


 


  • 0

#5
Katia Q
Posted 14 September 2018 - 03:16 PM

Katia Q

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts

Thank you so much for your reply! We'll try to do it, and here what we've just got from the IT guys:

 

Hi, Ryan: Unfortunately all we have is where you are getting locked out: "r.karkkainen","UMADFS02","9/14/2018 11:21:46 AM" "r.karkkainen","UMADFS02","9/14/2018 1:07:37 AM" "r.karkkainen","UMADFS02","9/13/2018 5:33:15 PM" "r.karkkainen","UMADFS02","9/13/2018 3:42:03 AM" If we go to that server it does not capture lockout information so we don’t know where it’s happening. The only thing I can tell you is that it’s O365 related. So it’s either email or one of the Office 365 applications where you’ve saved your credentials and it keeps trying to login.

 

r.karkkainen is my husband's name... I have no idea what UMADFS02 means, something University-of-Miami-related...

He already checked O365 for possible saved old credentials...


  • 0

#6
RKinner
Posted 14 September 2018 - 07:59 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Probably the second of Active Directory Federation Services (AD FS), "a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. "   Is the UM the one in Florida?

 

Expect if they knew what they were doing they could capture the IP with something like Snort 

https://www.snort.org/

That's what I would have used back when I was a working network engineer.

 

Look at the times from the lockout log.  Which computer was on at the times that the attempts were made?  That's the one we want to look at.


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP