Hey All, perhaps I haven't had enough coffee yet but I have some of these in my event log. They started a few nights ago and I just caught them today. Always at night so that in itself is malicious since they are after 5 and before 8 am, outside of working hours. I wouldn't be posting except I do not have the built-in Guest and Anonymous type account enabled and I am NOT running IIS as this is a domain controller for Active Directory, platform: Windows Server 2k, mixed mode with no additional proggies loaded. Thought I would open up some suggestions while I look at it. Sometimes I miss the obvious in the normal storm of day-to-day IT.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/21/2004
Time: 6:10:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x93B47D7)
Logon Type: 3
WTF is this? //EDIT I know that's not a lot of info. Just tossing it out in case someone can tell by experience.



