I was going through some of our NT machines event logs here today (yes I'm bored) and I came across an odd entry that I had not seen before.
This happened right after a failed login of a user on that machine that was trying to log in local (he forgets his password on a regular basisCode:43 SEC,11/17/03,06:51:04,Security,528,Success,Logon/Logoff ,NT AUTHORITY\ANONYMOUS LOGON,MACHINE_NAME,Successful Logon:^` User Name: ^` Domain: ^` Logon ID: (0x0 0x1CCF)^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: ^M). I have checked that machine and verified that guest is disabled, and of course guest is disabled in the domain. Also there is no IIS/web/ftp server running on that box. It's just a plain basic NT 4.0 workstation with some monitoring software running on it (for our product). Also right after that event happened the following occured:
Then I don't see Anonymous log off the machine at all, nor do I see any more activity by Anonymous in the logs.Code:44 SEC,11/17/03,06:51:04,Security,576,Success,Privilege Use ,NT AUTHORITY\ANONYMOUS LOGON,MACHINE_NAME,Special privileges assigned to new logon:^` User Name: ^` Domain: ^` Logon ID: (0x0 0x1CCF)^` Assigned: SeChangeNotifyPrivilege ^M
How exactly do you log in local as anonymous? Did the logs just wig out and report things wrong? The machine in question does not see the outside world at all (not even email).
Reply With Quote