Networking Forums

Hacker locking my accounts

just bob
03-16-2008, 08:02 PM
Microsoft wizards please help me as I am desperate. Someone continues to
lock all my admin accounts. My firewall is working properly (allowing only
port 53) so I think the guy is using one of the 120 PC's or another server
on my network to read my user database and identify the admin accounts and
send a command to lock them. We've got the latest Symantec antivirus
corporate edition installed and updated on all the machines and it's
supposed to identify spyware, etc. Why is it so easy for this guy to do
this? I have downloaded all the high priority updates for all machines,
servers and PC's. We've also used the server lockdown tool. Why doesn't this
help? Most importantly, why does Microsoft not give me more detailed info on
which machine this guy is using? The event log just has a random spoof
machine name. Last time he did this he spoofed the machine name field to say
"sorry". I got lucky there was one admin account he missed and I was able
to unlock the accounts. Next time I fear I will not be so lucky.

If there is a better group or forum to use or consultant I can call to get
help please advise.


 
Tomasz Onyszko
03-16-2008, 08:25 PM
just bob wrote:
> Microsoft wizards please help me as I am desperate. Someone continues to
> lock all my admin accounts. My firewall is working properly (allowing only
> port 53) so I think the guy is using one of the 120 PC's or another server
> on my network to read my user database and identify the admin accounts and
> send a command to lock them. We've got the latest Symantec antivirus
> corporate edition installed and updated on all the machines and it's
> supposed to identify spyware, etc. Why is it so easy for this guy to do
> this? I have downloaded all the high priority updates for all machines,
> servers and PC's. We've also used the server lockdown tool. Why doesn't this
> help? Most importantly, why does Microsoft not give me more detailed info on
> which machine this guy is using? The event log just has a random spoof
> machine name. Last time he did this he spoofed the machine name field to say
> "sorry". I got lucky there was one admin account he missed and I was able
> to unlock the accounts. Next time I fear I will not be so lucky.
>
> If there is a better group or forum to use or consultant I can call to get
> help please advise.


It doesn't necessarily have to be a hacker trying to breach your network -
it might be (and it is more likely) an old service or mapped network share
which is using an old administrator account.

Try to use these tools to troubleshoot the cause of your problems:
http://www.microsoft.com/downloads/d...displaylang=en

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
 
Andrew Lomakin
03-16-2008, 08:28 PM
Bob,

The best suggestion for you would be to reinstall all network computers
(including the server), BUT if you want to find out where the noise is
coming from, you might want to capture network traffic, and then try to
analyze it, or see if someone here can help you to analyze it.
You can try to capture traffic using a tool called `wireshark` -
www.wireshark.org, but you also need to identify how the hacker is getting
into your network...

Regards,

Andrew

"just bob" <(E-Mail Removed)> wrote in message
news:47dd8adc$0$84236$(E-Mail Removed)...
> Microsoft wizards please help me as I am desperate. Someone continues to
> lock all my admin accounts. My firewall is working properly (allowing only
> port 53) so I think the guy is using one of the 120 PC's or another server
> on my network to read my user database and identify the admin accounts and
> send a command to lock them. We've got the latest Symantec antivirus
> corporate edition installed and updated on all the machines and it's
> supposed to identify spyware, etc. Why is it so easy for this guy to do
> this? I have downloaded all the high priority updates for all machines,
> servers and PC's. We've also used the server lockdown tool. Why doesn't
> this help? Most importantly, why does Microsoft not give me more detailed
> info on which machine this guy is using? The event log just has a random
> spoof machine name. Last time he did this he spoofed the machine name
> field to say "sorry". I got lucky there was one admin account he missed
> and I was able to unlock the accounts. Next time I fear I will not be so
> lucky.
>
> If there is a better group or forum to use or consultant I can call to get
> help please advise.
>


 
Paul Weterings
03-16-2008, 09:17 PM
Hey Bob, Didn't we talk before on this? I recall advising WireShark.

However, reading the below I'm getting a better impression of what is
happening. Microsoft IS giving you the correct information to find the
person doing this, depending on how you have things running.

Forgive me if below I'm going too 'low level', it's pretty basic stuff,
but your mail sounds like you're at the end of your rope, and I just want
to make sure we've covered all the bases, including the obvious ones.

From what you're writing this sounds like a brute force password guessing
tool that is being used against your administrative accounts. To start
there's a few things you can do with group policies to at least make
sure you don't get into trouble, while making things harder for the
'hacker'.

The following steps are just to 'temporarily protect yourself' while
investigating further, to make sure your accounts aren't getting locked
out. Again: I'm not trying to sound demeaning, just covering the
bases/basics, so I'll go through every step, even though this may be
peanuts for you.

Chapter one: protection.

In the Group and Policy Manager; make sure to edit the Default Domain
Policy and go to Windows Settings\Security Settings\Account Lockout
Policy.

Define the Account lockout duration to be not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: not defined

Now your accounts will no longer be locked out. Be careful, as this also
allows the hacker to run his tools unlimitedly against the accounts
(the lockout slowed him down considerably). I'm only proposing this as
you point out that you fear losing your administrative accounts, but put
this lockout threshold back in place a.s.a.p. if you decide to go this
route in the first place.


Chapter two: identifying the hacker

This we can do by making sure Audit account logon events are being
audited correctly. To do this, we again are using Group Policy
Management and we'll define the Default Domain Controllers Policy.
In that policy, go to Windows Settings\Security Settings\Local
Policies\Audit Policy and make sure to change 'Audit account logon
events'. See to it that Success as well as Failure (especially that one)
are being logged.

To ensure your Domain controllers have the policy applied as quickly as
possible you might consider running 'GPUpdate /force' from the command
prompt on your DCs. Otherwise allow some time to pass.

Now each logon event will get logged in the event log, with the IP
address of the person attempting to logon. The problem is that a user
can logon using any domain controller; however, each failed logon on any
DC gets 'double checked' by that DC by sending it to the domain's PDC
emulator (one of the FSMO roles as you may recall) so it makes most sense
to check the event logs of the PDC emulator Domain Controller. You can
easily find out who the PDC emulator is by opening Active Directory Users
and Computers, right-clicking your domain name, and selecting
'operations masters'.

The event-ID you are looking for is event: 575, Source: Security,
Category: Account Logon.

In the Description field you can see the user name of the account being
attempted, but more importantly: the IP number of the system from where
the attempt is being done.


I hope this helps you, sorry for wasting your time if you had already
done the above.

regards,

Paul




just bob wrote:
> Microsoft wizards please help me as I am desperate. Someone continues to
> lock all my admin accounts. My firewall is working properly (allowing only
> port 53) so I think the guy is using one of the 120 PC's or another server
> on my network to read my user database and identify the admin accounts and
> send a command to lock them. We've got the latest Symantec antivirus
> corporate edition installed and updated on all the machines and it's
> supposed to identify spyware, etc. Why is it so easy for this guy to do
> this? I have downloaded all the high priority updates for all machines,
> servers and PC's. We've also used the server lockdown tool. Why doesn't this
> help? Most importantly, why does Microsoft not give me more detailed info on
> which machine this guy is using? The event log just has a random spoof
> machine name. Last time he did this he spoofed the machine name field to say
> "sorry". I got lucky there was one admin account he missed and I was able
> to unlock the accounts. Next time I fear I will not be so lucky.
>
> If there is a better group or forum to use or consultant I can call to get
> help please advise.
>
>
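
As an added worked example (not code from any poster in this thread): Paul's point is that the source IP the domain controller records is what identifies the attacking machine, while the workstation name is supplied by the client and can be anything. The script below parses constructed, made-up log records that carry the fields he describes (timestamp, result, account, workstation name, source IP), groups failures by source IP rather than by workstation name, and flags a source that fails against several privileged accounts under changing workstation names. The record layout, addresses and account names are all assumptions, not a real export.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records, modelled on the fields described in the thread.
# These are made-up lines, not a real security log export.
SAMPLE_EVENTS = """\
2008-03-16 19:58:01 FAILURE user=jsmith     workstation=WKS-017   ip=10.1.4.17
2008-03-16 19:58:03 FAILURE user=bob.admin  workstation=sorry     ip=10.1.9.88
2008-03-16 19:58:04 FAILURE user=svc-exch   workstation=xk29a     ip=10.1.9.88
2008-03-16 19:58:05 FAILURE user=dom-admin2 workstation=qqq1      ip=10.1.9.88
2008-03-16 19:58:06 FAILURE user=bob.admin  workstation=zz-none   ip=10.1.9.88
2008-03-16 19:58:40 SUCCESS user=jsmith     workstation=WKS-017   ip=10.1.4.17
2008-03-16 19:59:12 FAILURE user=svc-exch   workstation=EXCH01    ip=10.1.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<result>SUCCESS|FAILURE)\s+"
    r"user=(?P<user>\S+)\s+workstation=(?P<ws>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the assumed one-line-per-event format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def failures_by_source(events):
    """Group failed logons by source IP. The workstation name is recorded
    alongside but never used as the key: the client chooses that string."""
    by_ip = defaultdict(lambda: {"count": 0, "accounts": set(), "workstations": set()})
    for e in events:
        if e["result"] != "FAILURE":
            continue
        bucket = by_ip[e["ip"]]
        bucket["count"] += 1
        bucket["accounts"].add(e["user"])
        bucket["workstations"].add(e["ws"])
    return dict(by_ip)


def suspicious_sources(events, privileged, min_privileged_accounts=2):
    """Flag source IPs whose failures touch several privileged accounts, or
    whose workstation name changes between attempts (a fabricated name)."""
    flagged = {}
    for ip, bucket in failures_by_source(events).items():
        reasons = []
        priv_hit = bucket["accounts"] & privileged
        if len(priv_hit) >= min_privileged_accounts:
            reasons.append(f"{len(priv_hit)} privileged accounts targeted")
        if len(bucket["workstations"]) > 1:
            reasons.append(f"{len(bucket['workstations'])} different workstation names")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    privileged = {"bob.admin", "svc-exch", "dom-admin2"}  # assumed admin set
    for ip, why in suspicious_sources(evts, privileged).items():
        print(ip, "->", "; ".join(why))
```

On the constructed input only 10.1.9.88 is flagged: it failed against three of the assumed admin accounts and presented four different workstation names, while 10.1.2.5 (one failure against one service account from a stable name) is not. Keying on the IP is what makes the random machine names irrelevant.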

 
just bob
03-16-2008, 11:36 PM

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message
news:(E-Mail Removed)...
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.

>
> It doesn't necessarily have to be a hacker trying to breach your network - it
> might be (and it is more likely) an old service or mapped network share
> which is using an old administrator account.


???? The guy spoofs the machine name differently every time. Last time he
called it "sorry".


 
just bob
03-16-2008, 11:47 PM
Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off
as you describe. Also I'm pretty sure I have my logging set up OK as I am
using a program to copy the logs from the OM to another machine and also it
sends me an email when it sees a string which indicates an account is locked
which is forwarded to my Blackberry. So I got the logging but... the problem
is the guy is making up random names for the machine and it does not show me
an IP address.

I used wireshark and am capturing all traffic to the ops master. But I do
not see any unknown IP addresses and I don't know wireshark well enough to
know how to look for the packets causing the attack to determine if it *is*
coming from one of my machines.

Thanks again for your help.


"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message
news:47dd9c88$0$7548$(E-Mail Removed)4al l.nl...
> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>
> However, reading the below I'm getting a better impression of what is
> happening. Microsoft IS giving you the correct information to find the
> person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff,
> but your mail sounds like you're at the end of your rope, and I just want to
> make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute force password guessing
> tool that is being used against your administrative accounts. To start
> there's a few things you can do with group policies to at least make sure
> you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while
> investigating further, to make sure your accounts aren't getting locked
> out. Again: I'm not trying to sound demeaning, just covering the
> bases/basics, so I'll go through every step, even though this may be
> peanuts for you.
>
> Chapter one: protection.
>
> In the Group and Policy Manager; make sure to edit the Default Domain
> Policy and go to Windows Settings\Security Settings\Account Lockout
> Policy.
>
> Define the Account lockout duration to be not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also
> allows the hacker to run his tools unlimitedly against the accounts
> (the lockout slowed him down considerably). I'm only proposing this as you
> point out that you fear losing your administrative accounts, but put this
> lockout threshold back in place a.s.a.p. if you decide to go this route in
> the first place.
>
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited
> correctly. To do this, we again are using Group Policy Management and
> we'll define the Default Domain Controllers Policy. In that policy, go to
> Windows Settings\Security Settings\Local Policies\Audit Policy and make
> sure to change 'Audit account logon events'. See to it that Success as
> well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as
> possible you might consider running 'GPUpdate /force' from the command
> prompt on your DCs. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the event log, with the IP address
> of the person attempting to logon. The problem is that a user can logon
> using any domain controller; however, each failed logon on any DC gets
> 'double checked' by that DC by sending it to the domain's PDC emulator (one
> of the FSMO roles as you may recall) so it makes most sense to check the
> event logs of the PDC emulator Domain Controller. You can easily find out
> who the PDC emulator is by opening Active Directory Users and Computers,
> right-clicking your domain name, and selecting 'operations masters'.
>
> The event-ID you are looking for is event: 575, Source: Security,
> Category: Account Logon.
>
> In the Description field you can see the user name of the account being
> attempted, but more importantly: the IP number of the system from where
> the attempt is being done.
>
>
> I hope this helps you, sorry for wasting your time if you had already done
> the above.
>
> regards,
>
> Paul
>
>
>
>
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.



 
just bob
03-16-2008, 11:49 PM
I should have said he is making up random machine names, not "spoofing" as I
said.

Thanks for the link - I am going to see if I can find something there to
help.


"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message
news:(E-Mail Removed)...
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.

>
> It doesn't necessarily have to be a hacker trying to breach your network - it
> might be (and it is more likely) an old service or mapped network share
> which is using an old administrator account.
>
> Try to use these tools to troubleshoot the cause of your problems:
> http://www.microsoft.com/downloads/d...displaylang=en
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)



 
just bob
03-16-2008, 11:59 PM

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message
news:(E-Mail Removed)...
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.

>
> It doesn't necessarily have to be a hacker trying to breach your network - it
> might be (and it is more likely) an old service or mapped network share
> which is using an old administrator account.
>
> Try to use these tools to troubleshoot the cause of your problems:
> http://www.microsoft.com/downloads/d...displaylang=en
>


Also I said he locked all my admin accounts which did include service
accounts for exchange and more. This is no accident - he knew exactly which
accounts were domain admins. I got lucky he missed the original local admin
account on his first pass because it turned out to be my only backdoor into
my own AD console. Then minutes later he locked that account too. And yes,
it is no longer called administrator.


 
just bob
03-17-2008, 12:04 AM
One more thing:

Is there a way to lock an account without even trying three times? Is there
some way to send a packet which locks it on the first try? Because that is
how it looks. I could see how someone could send a packet to disable the
account but that is not what is happening.


"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message
news:47dd9c88$0$7548$(E-Mail Removed)4al l.nl...
> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>
> However, reading the below I'm getting a better impression of what is
> happening. Microsoft IS giving you the correct information to find the
> person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff,
> but your mail sounds like you're at the end of your rope, and I just want to
> make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute force password guessing
> tool that is being used against your administrative accounts. To start
> there's a few things you can do with group policies to at least make sure
> you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while
> investigating further, to make sure your accounts aren't getting locked
> out. Again: I'm not trying to sound demeaning, just covering the
> bases/basics, so I'll go through every step, even though this may be
> peanuts for you.
>
> Chapter one: protection.
>
> In the Group and Policy Manager; make sure to edit the Default Domain
> Policy and go to Windows Settings\Security Settings\Account Lockout
> Policy.
>
> Define the Account lockout duration to be not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also
> allows the hacker to run his tools unlimitedly against the accounts
> (the lockout slowed him down considerably). I'm only proposing this as you
> point out that you fear losing your administrative accounts, but put this
> lockout threshold back in place a.s.a.p. if you decide to go this route in
> the first place.
>
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited
> correctly. To do this, we again are using Group Policy Management and
> we'll define the Default Domain Controllers Policy. In that policy, go to
> Windows Settings\Security Settings\Local Policies\Audit Policy and make
> sure to change 'Audit account logon events'. See to it that Success as
> well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as
> possible you might consider running 'GPUpdate /force' from the command
> prompt on your DCs. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the event log, with the IP address
> of the person attempting to logon. The problem is that a user can logon
> using any domain controller; however, each failed logon on any DC gets
> 'double checked' by that DC by sending it to the domain's PDC emulator (one
> of the FSMO roles as you may recall) so it makes most sense to check the
> event logs of the PDC emulator Domain Controller. You can easily find out
> who the PDC emulator is by opening Active Directory Users and Computers,
> right-clicking your domain name, and selecting 'operations masters'.
>
> The event-ID you are looking for is event: 575, Source: Security,
> Category: Account Logon.
>
> In the Description field you can see the user name of the account being
> attempted, but more importantly: the IP number of the system from where
> the attempt is being done.
>
>
> I hope this helps you, sorry for wasting your time if you had already done
> the above.
>
> regards,
>
> Paul
>
>
>
>
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.
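
Added example, not from any poster in this thread: a simplified model of the three Account Lockout Policy settings Paul lists (threshold, reset window, duration), replayed against a stream of failed logon times for one account. It shows that with the threshold at 0 the account never locks, and that with a threshold of 3 one failure inside the reset window cannot lock it on its own: the counter has to reach the threshold first. Timestamps and policy values are constructed, and the model deliberately ignores per-DC counters and replication, so it illustrates the policy semantics rather than reproducing a domain controller.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """The three settings from the Account Lockout Policy node (simplified model)."""

    def __init__(self, threshold, reset_after_min, duration_min):
        self.threshold = threshold                      # 0 = never lock
        self.reset_after = timedelta(minutes=reset_after_min)
        # duration 0 means "until an administrator unlocks"; modelled as no expiry
        self.duration = timedelta(minutes=duration_min) if duration_min else None


def simulate_failures(policy, timestamps):
    """Replay failed logon times against one account.

    Returns the instant the account locked, or None if it never did. The
    bad-password counter is cleared when the gap since the previous failure
    exceeds the reset window, and the lock clears once its duration elapses."""
    bad_count, last_bad, locked_until = 0, None, None
    for ts in sorted(timestamps):
        if locked_until is not None:
            if ts < locked_until:
                continue                                # still locked; attempt rejected
            bad_count, last_bad, locked_until = 0, None, None   # lock expired
        if last_bad is not None and ts - last_bad > policy.reset_after:
            bad_count = 0                               # reset window elapsed
        bad_count += 1
        last_bad = ts
        if policy.threshold and bad_count >= policy.threshold:
            locked_until = ts + policy.duration if policy.duration else datetime.max
            return ts
    return None


def attempts_needed(policy):
    """Minimum failures inside one reset window that lock the account (None = never)."""
    return policy.threshold or None


def demo_scenarios():
    """Constructed scenarios; returns plain values so the outcome is easy to check."""
    t0 = datetime(2008, 3, 16, 20, 0, 0)
    strict = LockoutPolicy(threshold=3, reset_after_min=30, duration_min=30)
    off = LockoutPolicy(threshold=0, reset_after_min=0, duration_min=0)
    burst = [t0 + timedelta(seconds=i) for i in range(3)]       # 3 failures in 3 s
    spread = [t0 + timedelta(minutes=40 * i) for i in range(3)]  # 40 min apart
    return {
        "burst_of_3_locks_on_third": simulate_failures(strict, burst) == burst[-1],
        "spread_beyond_reset_window_locks": simulate_failures(strict, spread) is not None,
        "single_failure_locks": simulate_failures(strict, [t0]) is not None,
        "threshold_0_locks_after_50": simulate_failures(off, [t0] * 50) is not None,
        "attempts_needed_strict": attempts_needed(strict),
        "attempts_needed_off": attempts_needed(off),
    }


if __name__ == "__main__":
    for name, value in demo_scenarios().items():
        print(f"{name}: {value}")
```

Reading the results against the thread: an account with a threshold of 3 only locks when three failures land inside one reset window, so a lock that looks instantaneous means the earlier failures were recorded somewhere you are not looking (Paul's reason for checking the PDC emulator's log), and a threshold of 0 removes locking entirely, which is why he says to restore it as soon as the source is found.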



 
just bob
03-17-2008, 12:29 AM
The guy just created a user account called "sorry". Strange he did not give
it domain admin access.

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message
news:47dd9c88$0$7548$(E-Mail Removed)4al l.nl...
> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>
> However, reading the below I'm getting a better impression of what is
> happening. Microsoft IS giving you the correct information to find the
> person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff,
> but your mail sounds like you're at the end of your rope, and I just want to
> make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute force password guessing
> tool that is being used against your administrative accounts. To start
> there's a few things you can do with group policies to at least make sure
> you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while
> investigating further, to make sure your accounts aren't getting locked
> out. Again: I'm not trying to sound demeaning, just covering the
> bases/basics, so I'll go through every step, even though this may be
> peanuts for you.
>
> Chapter one: protection.
>
> In the Group and Policy Manager; make sure to edit the Default Domain
> Policy and go to Windows Settings\Security Settings\Account Lockout
> Policy.
>
> Define the Account lockout duration to be not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also
> allows the hacker to run his tools unlimitedly against the accounts
> (the lockout slowed him down considerably). I'm only proposing this as you
> point out that you fear losing your administrative accounts, but put this
> lockout threshold back in place a.s.a.p. if you decide to go this route in
> the first place.
>
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited
> correctly. To do this, we again are using Group Policy Management and
> we'll define the Default Domain Controllers Policy. In that policy, go to
> Windows Settings\Security Settings\Local Policies\Audit Policy and make
> sure to change 'Audit account logon events'. See to it that Success as
> well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as
> possible you might consider running 'GPUpdate /force' from the command
> prompt on your DCs. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the event log, with the IP address
> of the person attempting to logon. The problem is that a user can logon
> using any domain controller; however, each failed logon on any DC gets
> 'double checked' by that DC by sending it to the domain's PDC emulator (one
> of the FSMO roles as you may recall) so it makes most sense to check the
> event logs of the PDC emulator Domain Controller. You can easily find out
> who the PDC emulator is by opening Active Directory Users and Computers,
> right-clicking your domain name, and selecting 'operations masters'.
>
> The event-ID you are looking for is event: 575, Source: Security,
> Category: Account Logon.
>
> In the Description field you can see the user name of the account being
> attempted, but more importantly: the IP number of the system from where
> the attempt is being done.
>
>
> I hope this helps you, sorry for wasting your time if you had already done
> the above.
>
> regards,
>
> Paul
>
>
>
>
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PC's or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PC's. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.



 