-
October 28th, 2004, 04:04 PM
#1
Anonymous Logins
Hey All, perhaps I haven't had enough coffee yet but I have some of these in my event log. They started a few nights ago and I just caught them today. Always at night so that in itself is malicious since they are after 5 and before 8 am, outside of working hours. I wouldn't be posting except I do not have the built in Guest and Anonymous type account enabled and I am NOT running IIS as this is a domain controller for Active Directory, platform: Windows Server 2k, mixed mode with no additional proggies loaded. Thought I would open up some suggestions while I look at it. Sometime I miss the obvious in the normal storm of day to day IT.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/21/2004
Time: 6:10:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x93B47D7)
Logon Type: 3
WTF is this? //EDIT I know that's not a lot of info. Just tossing it our in case someone can tell by experience.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
October 28th, 2004, 04:36 PM
#2
I know you can see these if you have a network share being disconnected and reconnected due to a bad NIC or switchport or similar problem. Also power management may turn off a NIC only to turn it back on (on demand) through the night...Is a network application running that might do this?
Just a few guesses..
SGS
-
October 28th, 2004, 04:37 PM
#3
Interesting
Hmmm,
Very interesting , I would presume it's some sort of application (like exchange 2000 ) that uses the anonymous account , as talked about in this article :
Event 538
It also talks about tightening the security some more for the anonymous account but this has some consequences .
the logon type 3 means : Network logon - network mapping (net use/net view) so this could also be used by an application I would think.
This Microsoft article also talks about event ID 538.
If I find anything else I'll let you know ...
I know it's all abit vage but , then again it's a vage subject
C.
Back when I was a boy, we carved our own IC's out of wood.
-
October 28th, 2004, 04:40 PM
#4
IIRC, the "Anonymous" login/logoff is the System itself for items it has to do. Microsoft has some info. These Knowledge Base articles -- Part 1 and Part 2 -- might also help.
Although at first I thought you were having a huge rodent problem (based on the title).
-
October 28th, 2004, 04:41 PM
#5
I was concerned by those a year or three ago and dug into them.... It's a system issue and you don't need to worry about... I just don't remember the details....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
October 28th, 2004, 05:49 PM
#6
The more I looked the less concerned I became. It is noteworthy that they are happening at night so I'll dig a little more for fun. On a side thanks for the articles and time. I might put a packet sniffer off the nic just to see if anything funny is going on. Cheers.
\\EDIT Rodents? Ah yes "mouse" lol I tried to change it but it was too late. Any Mouse will do. Or in this case and anonymous Mouse.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|