PC Review


Reply
Thread Tools Rating: Thread Rating: 1 votes, 5.00 average.

Successive Anonymous Logon events in security log

 
 
BG
Guest
Posts: n/a
 
      6th Nov 2003
At times I may have 30 or 40 successful Anonymous Logons or Logoffs within
virtually the same timeframe. The only thing that changes is the LogonID.
This occurs on a Win2K IIS 5.1 server. Web log files show activity at that
time from one authenticated user. What can be causing this and is it
suspicious activity?

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 538

Date: 11/6/2003

Time: 8:50:16 AM

User: NT AUTHORITY\ANONYMOUS LOGON

Computer: SERVER

Description:

User Logoff:

User Name: ANONYMOUS LOGON

Domain: NT AUTHORITY

Logon ID: (0x0,0x12F88DE5)

Logon Type: 3


 
Reply With Quote
 
 
 
 
gazebo
Guest
Posts: n/a
 
      12th Nov 2003
I got the same. I wonder what is going on? At the same
time, I got series of logon attempts by someone with all
combination of names.

Gazebo
>-----Original Message-----
>At times I may have 30 or 40 successful Anonymous Logons

or Logoffs within
>virtually the same timeframe. The only thing that changes

is the LogonID.
>This occurs on a Win2K IIS 5.1 server. Web log files show

activity at that
>time from one authenticated user. What can be causing

this and is it
>suspicious activity?
>
>Event Type: Success Audit
>
>Event Source: Security
>
>Event Category: Logon/Logoff
>
>Event ID: 538
>
>Date: 11/6/2003
>
>Time: 8:50:16 AM
>
>User: NT AUTHORITY\ANONYMOUS LOGON
>
>Computer: SERVER
>
>Description:
>
>User Logoff:
>
>User Name: ANONYMOUS LOGON
>
>Domain: NT AUTHORITY
>
>Logon ID: (0x0,0x12F88DE5)
>
>Logon Type: 3
>
>
>.
>

 
Reply With Quote
 
 
 
 
BG
Guest
Posts: n/a
 
      25th Nov 2003
Did you ever get an answer? My LOGON entries continue to occur.

"gazebo" <(E-Mail Removed)> wrote in message
news:006001c3a8d5$040ce440$(E-Mail Removed)...
> I got the same. I wonder what is going on? At the same
> time, I got series of logon attempts by someone with all
> combination of names.
>
> Gazebo
> >-----Original Message-----
> >At times I may have 30 or 40 successful Anonymous Logons

> or Logoffs within
> >virtually the same timeframe. The only thing that changes

> is the LogonID.
> >This occurs on a Win2K IIS 5.1 server. Web log files show

> activity at that
> >time from one authenticated user. What can be causing

> this and is it
> >suspicious activity?
> >
> >Event Type: Success Audit
> >
> >Event Source: Security
> >
> >Event Category: Logon/Logoff
> >
> >Event ID: 538
> >
> >Date: 11/6/2003
> >
> >Time: 8:50:16 AM
> >
> >User: NT AUTHORITY\ANONYMOUS LOGON
> >
> >Computer: SERVER
> >
> >Description:
> >
> >User Logoff:
> >
> >User Name: ANONYMOUS LOGON
> >
> >Domain: NT AUTHORITY
> >
> >Logon ID: (0x0,0x12F88DE5)
> >
> >Logon Type: 3
> >
> >
> >.
> >



 
Reply With Quote
 
Steven L Umbach
Guest
Posts: n/a
 
      26th Nov 2003
Those may be normal "null" sessions used by the operating system for various network
activity including maintaining the browse list. Null sessions can be exploited which
is why those ports for file and print sharing need to be blocked to prevent access
from the internet or other untrusted networks. The link below describes the use of
these null sessions and a setting that can be used to secure them assuming that
network configuration would not suffer as explained in the KB. --- Steve

http://support.microsoft.com/?kbid=246261
http://www.sans.org/rr/papers/index.php?id=286

"BG" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Did you ever get an answer? My LOGON entries continue to occur.
>
> "gazebo" <(E-Mail Removed)> wrote in message
> news:006001c3a8d5$040ce440$(E-Mail Removed)...
> > I got the same. I wonder what is going on? At the same
> > time, I got series of logon attempts by someone with all
> > combination of names.
> >
> > Gazebo
> > >-----Original Message-----
> > >At times I may have 30 or 40 successful Anonymous Logons

> > or Logoffs within
> > >virtually the same timeframe. The only thing that changes

> > is the LogonID.
> > >This occurs on a Win2K IIS 5.1 server. Web log files show

> > activity at that
> > >time from one authenticated user. What can be causing

> > this and is it
> > >suspicious activity?
> > >
> > >Event Type: Success Audit
> > >
> > >Event Source: Security
> > >
> > >Event Category: Logon/Logoff
> > >
> > >Event ID: 538
> > >
> > >Date: 11/6/2003
> > >
> > >Time: 8:50:16 AM
> > >
> > >User: NT AUTHORITY\ANONYMOUS LOGON
> > >
> > >Computer: SERVER
> > >
> > >Description:
> > >
> > >User Logoff:
> > >
> > >User Name: ANONYMOUS LOGON
> > >
> > >Domain: NT AUTHORITY
> > >
> > >Logon ID: (0x0,0x12F88DE5)
> > >
> > >Logon Type: 3
> > >
> > >
> > >.
> > >

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Many ANONYMOUS LOGON in Security Event Log =?Utf-8?B?R3VtcA==?= Windows XP Security 8 25th Oct 2004 02:19 PM
Security log: Hundred of anonymous logon! vince Windows XP Security 0 14th Oct 2004 02:05 PM
Security event log "Logon/Logoff - Anonymous Logon" =?Utf-8?B?TmFzYXJlbmU=?= Windows XP Security 1 22nd Mar 2004 02:05 AM
Security log shows multiple ANONYMOUS LOGON Shon Microsoft Windows 2000 Security 2 10th Sep 2003 05:22 PM
security log event 540 anonymous logon =?iso-8859-1?Q?niels_gr=F8nb=E6k?= Windows XP General 1 7th Sep 2003 02:38 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 08:14 PM.