Those may be normal "null" sessions used by the operating system for various network
activity including maintaining the browse list. Null sessions can be exploited which
is why those ports for file and print sharing need to be blocked to prevent access
from the internet or other untrusted networks. The link below describes the use of
these null sessions and a setting that can be used to secure them assuming that
network configuration would not suffer as explained in the KB. --- Steve
http://support.microsoft.com/?kbid=246261
http://www.sans.org/rr/papers/index.php?id=286
"BG" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Did you ever get an answer? My LOGON entries continue to occur.
>
> "gazebo" <(E-Mail Removed)> wrote in message
> news:006001c3a8d5$040ce440$(E-Mail Removed)...
> > I got the same. I wonder what is going on? At the same
> > time, I got series of logon attempts by someone with all
> > combination of names.
> >
> > Gazebo
> > >-----Original Message-----
> > >At times I may have 30 or 40 successful Anonymous Logons
> > or Logoffs within
> > >virtually the same timeframe. The only thing that changes
> > is the LogonID.
> > >This occurs on a Win2K IIS 5.1 server. Web log files show
> > activity at that
> > >time from one authenticated user. What can be causing
> > this and is it
> > >suspicious activity?
> > >
> > >Event Type: Success Audit
> > >
> > >Event Source: Security
> > >
> > >Event Category: Logon/Logoff
> > >
> > >Event ID: 538
> > >
> > >Date: 11/6/2003
> > >
> > >Time: 8:50:16 AM
> > >
> > >User: NT AUTHORITY\ANONYMOUS LOGON
> > >
> > >Computer: SERVER
> > >
> > >Description:
> > >
> > >User Logoff:
> > >
> > >User Name: ANONYMOUS LOGON
> > >
> > >Domain: NT AUTHORITY
> > >
> > >Logon ID: (0x0,0x12F88DE5)
> > >
> > >Logon Type: 3
> > >
> > >
> > >.
> > >
>
>
Similar Threads
