Anonymouse Logins
Results 1 to 6 of 6

Thread: Anonymouse Logins

  1. #1
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    Anonymous Logins

    Hey All, perhaps I haven't had enough coffee yet but I have some of these in my event log. They started a few nights ago and I just caught them today. Always at night so that in itself is malicious since they are after 5 and before 8 am, outside of working hours. I wouldn't be posting except I do not have the built in Guest and Anonymous type account enabled and I am NOT running IIS as this is a domain controller for Active Directory, platform: Windows Server 2k, mixed mode with no additional proggies loaded. Thought I would open up some suggestions while I look at it. Sometime I miss the obvious in the normal storm of day to day IT.


    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 538
    Date: 10/21/2004
    Time: 6:10:24 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: SERVER
    Description:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x93B47D7)
    Logon Type: 3

    WTF is this? //EDIT I know that's not a lot of info. Just tossing it our in case someone can tell by experience.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    I know you can see these if you have a network share being disconnected and reconnected due to a bad NIC or switchport or similar problem. Also power management may turn off a NIC only to turn it back on (on demand) through the night...Is a network application running that might do this?

    Just a few guesses..

    SGS

  3. #3
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Interesting

    Hmmm,

    Very interesting , I would presume it's some sort of application (like exchange 2000 ) that uses the anonymous account , as talked about in this article :

    Event 538

    It also talks about tightening the security some more for the anonymous account but this has some consequences .

    the logon type 3 means : Network logon - network mapping (net use/net view) so this could also be used by an application I would think.

    This Microsoft article also talks about event ID 538.

    If I find anything else I'll let you know ...

    I know it's all abit vage but , then again it's a vage subject

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    IIRC, the "Anonymous" login/logoff is the System itself for items it has to do. Microsoft has some info. These Knowledge Base articles -- Part 1 and Part 2 -- might also help.

    Although at first I thought you were having a huge rodent problem (based on the title).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I was concerned by those a year or three ago and dug into them.... It's a system issue and you don't need to worry about... I just don't remember the details....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    The more I looked the less concerned I became. It is noteworthy that they are happening at night so I'll dig a little more for fun. On a side thanks for the articles and time. I might put a packet sniffer off the nic just to see if anything funny is going on. Cheers.

    \\EDIT Rodents? Ah yes "mouse" lol I tried to change it but it was too late. Any Mouse will do. Or in this case and anonymous Mouse.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides