Successive Anonymous Logon events in security log

Discussion in 'Microsoft Windows 2000 Security' started by BG, Nov 6, 2003.

  1. BG

    BG Guest

    At times I may have 30 or 40 successful Anonymous Logons or Logoffs within
    virtually the same timeframe. The only thing that changes is the LogonID.
    This occurs on a Win2K IIS 5.1 server. Web log files show activity at that
    time from one authenticated user. What can be causing this and is it
    suspicious activity?

    Event Type: Success Audit

    Event Source: Security

    Event Category: Logon/Logoff

    Event ID: 538

    Date: 11/6/2003

    Time: 8:50:16 AM

    User: NT AUTHORITY\ANONYMOUS LOGON

    Computer: SERVER

    Description:

    User Logoff:

    User Name: ANONYMOUS LOGON

    Domain: NT AUTHORITY

    Logon ID: (0x0,0x12F88DE5)

    Logon Type: 3
     
    BG, Nov 6, 2003
    #1
    1. Advertisements

  2. BG

    gazebo Guest

    I got the same. I wonder what is going on? At the same
    time, I got series of logon attempts by someone with all
    combination of names.

    Gazebo
    >-----Original Message-----
    >At times I may have 30 or 40 successful Anonymous Logons

    or Logoffs within
    >virtually the same timeframe. The only thing that changes

    is the LogonID.
    >This occurs on a Win2K IIS 5.1 server. Web log files show

    activity at that
    >time from one authenticated user. What can be causing

    this and is it
    >suspicious activity?
    >
    >Event Type: Success Audit
    >
    >Event Source: Security
    >
    >Event Category: Logon/Logoff
    >
    >Event ID: 538
    >
    >Date: 11/6/2003
    >
    >Time: 8:50:16 AM
    >
    >User: NT AUTHORITY\ANONYMOUS LOGON
    >
    >Computer: SERVER
    >
    >Description:
    >
    >User Logoff:
    >
    >User Name: ANONYMOUS LOGON
    >
    >Domain: NT AUTHORITY
    >
    >Logon ID: (0x0,0x12F88DE5)
    >
    >Logon Type: 3
    >
    >
    >.
    >
     
    gazebo, Nov 12, 2003
    #2
    1. Advertisements

  3. BG

    BG Guest

    Did you ever get an answer? My LOGON entries continue to occur.

    "gazebo" <> wrote in message
    news:006001c3a8d5$040ce440$...
    > I got the same. I wonder what is going on? At the same
    > time, I got series of logon attempts by someone with all
    > combination of names.
    >
    > Gazebo
    > >-----Original Message-----
    > >At times I may have 30 or 40 successful Anonymous Logons

    > or Logoffs within
    > >virtually the same timeframe. The only thing that changes

    > is the LogonID.
    > >This occurs on a Win2K IIS 5.1 server. Web log files show

    > activity at that
    > >time from one authenticated user. What can be causing

    > this and is it
    > >suspicious activity?
    > >
    > >Event Type: Success Audit
    > >
    > >Event Source: Security
    > >
    > >Event Category: Logon/Logoff
    > >
    > >Event ID: 538
    > >
    > >Date: 11/6/2003
    > >
    > >Time: 8:50:16 AM
    > >
    > >User: NT AUTHORITY\ANONYMOUS LOGON
    > >
    > >Computer: SERVER
    > >
    > >Description:
    > >
    > >User Logoff:
    > >
    > >User Name: ANONYMOUS LOGON
    > >
    > >Domain: NT AUTHORITY
    > >
    > >Logon ID: (0x0,0x12F88DE5)
    > >
    > >Logon Type: 3
    > >
    > >
    > >.
    > >
     
    BG, Nov 25, 2003
    #3
  4. Those may be normal "null" sessions used by the operating system for various network
    activity including maintaining the browse list. Null sessions can be exploited which
    is why those ports for file and print sharing need to be blocked to prevent access
    from the internet or other untrusted networks. The link below describes the use of
    these null sessions and a setting that can be used to secure them assuming that
    network configuration would not suffer as explained in the KB. --- Steve

    http://support.microsoft.com/?kbid=246261
    http://www.sans.org/rr/papers/index.php?id=286

    "BG" <> wrote in message
    news:...
    > Did you ever get an answer? My LOGON entries continue to occur.
    >
    > "gazebo" <> wrote in message
    > news:006001c3a8d5$040ce440$...
    > > I got the same. I wonder what is going on? At the same
    > > time, I got series of logon attempts by someone with all
    > > combination of names.
    > >
    > > Gazebo
    > > >-----Original Message-----
    > > >At times I may have 30 or 40 successful Anonymous Logons

    > > or Logoffs within
    > > >virtually the same timeframe. The only thing that changes

    > > is the LogonID.
    > > >This occurs on a Win2K IIS 5.1 server. Web log files show

    > > activity at that
    > > >time from one authenticated user. What can be causing

    > > this and is it
    > > >suspicious activity?
    > > >
    > > >Event Type: Success Audit
    > > >
    > > >Event Source: Security
    > > >
    > > >Event Category: Logon/Logoff
    > > >
    > > >Event ID: 538
    > > >
    > > >Date: 11/6/2003
    > > >
    > > >Time: 8:50:16 AM
    > > >
    > > >User: NT AUTHORITY\ANONYMOUS LOGON
    > > >
    > > >Computer: SERVER
    > > >
    > > >Description:
    > > >
    > > >User Logoff:
    > > >
    > > >User Name: ANONYMOUS LOGON
    > > >
    > > >Domain: NT AUTHORITY
    > > >
    > > >Logon ID: (0x0,0x12F88DE5)
    > > >
    > > >Logon Type: 3
    > > >
    > > >
    > > >.
    > > >

    >
    >
     
    Steven L Umbach, Nov 25, 2003
    #4
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Shon

    Security log shows multiple ANONYMOUS LOGON

    Shon, Sep 10, 2003, in forum: Microsoft Windows 2000 Security
    Replies:
    2
    Views:
    756
    Steven L Umbach
    Sep 10, 2003
  2. DavidICQ

    nt authority\anonymous logon in security event log

    DavidICQ, Mar 8, 2004, in forum: Microsoft Windows 2000 Security
    Replies:
    1
    Views:
    1,321
    Steven L Umbach
    Mar 8, 2004
  3. HG

    Audit Logon Events vs. Audit Account Logon Events

    HG, Mar 23, 2004, in forum: Microsoft Windows 2000 Security
    Replies:
    1
    Views:
    8,394
    Steven Umbach
    Mar 24, 2004
  4. Guest

    Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON

    Guest, Mar 10, 2005, in forum: Microsoft Windows 2000 Security
    Replies:
    15
    Views:
    1,866
    Steven L Umbach
    Jul 1, 2006
  5. Guest

    Should I "Deny logon locally" to ANONYMOUS LOGON, Everyone and Gue

    Guest, May 14, 2005, in forum: Microsoft Windows 2000 Security
    Replies:
    4
    Views:
    467
    Guest
    May 15, 2005
Loading...

Share This Page