ANONYMOUS LOGON Vista Premium, should I be worried?


Robban

I get up to 50 logins a day from all different IPs. Particularly one IP
keeps recurring in the list and that computer is (according to the IP, we
got our own network here) a neighbour to me. However, the neighbour IP is
still only accounting for roughly 25% of all 'successful' logins to the
anonymous account.

Sometimes the IP is shown as logged in for just a minute before logged out
and other times it's logged in for up to 30 minutes before the logout event
appears.

I bought Vista in June 2008 and going through my security log shows that
this all started from 5th of October 2008.

The following is Event ID 4624 and in Swedish.
-------------------------------------------
En inloggning har skett på ett konto.

Subjekt:
Säkerhets-ID: NULL SID
Kontonamn: -
Kontodomän: -
Inloggnings-ID: 0x0

Inloggningstyp: 3

Ny inloggning:
Säkerhets-ID: ANONYM INLOGGNING
Kontonamn: ANONYM INLOGGNING
Kontodomän: NT INSTANS
Inloggnings-ID: 0x565d250
Inloggnings-GUID: {00000000-0000-0000-0000-000000000000}

Processinformation:
Process-ID: 0x0
Processnamn: -

Nätverksinformation:
Arbetsstationens namn: DITT-7HUK3O9FM5
Källnätverksadress: XXX.XXX.XXX.XXX
....
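An added example (not from the original post or from Windows itself) of the kind of triage a defender would do on these events: pair each ANONYMOUS LOGON network logon (4624, logon type 3) with its 4634 logoff via the logon ID to get session durations, and compute the share of logons per source IP as the poster did. The compact one-line record format and the sample records are constructed for the example; real events would be exported from the Security log first.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records modelled on the 4624/4634 fields shown in the
# post (logon type 3 = network, account ANONYMOUS LOGON). Not real log data.
SAMPLE_LOG = """\
2008-10-05T08:00:00 4624 type=3 account=ANONYMOUS LOGON id=0x565d250 src=10.0.0.7
2008-10-05T08:01:00 4634 type=3 account=ANONYMOUS LOGON id=0x565d250 src=-
2008-10-05T09:00:00 4624 type=3 account=ANONYMOUS LOGON id=0x565e100 src=10.0.0.42
2008-10-05T09:30:00 4634 type=3 account=ANONYMOUS LOGON id=0x565e100 src=-
2008-10-05T10:00:00 4624 type=2 account=rob id=0x565f000 src=-
2008-10-05T10:05:00 4624 type=3 account=ANONYMOUS LOGON id=0x5660000 src=10.0.0.7
"""

# One record per line: timestamp, event ID, logon type, account, logon ID, source IP.
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<eid>\d+) type=(?P<type>\d+) account=(?P<acct>.+?) "
    r"id=(?P<lid>0x[0-9a-f]+) src=(?P<src>\S+)"
)

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def anonymous_sessions(events):
    """Map logon ID -> {src, start, minutes}; minutes is None while no 4634 seen."""
    sessions = {}
    for e in events:
        if e["eid"] == "4624" and e["type"] == "3" and e["acct"] == "ANONYMOUS LOGON":
            sessions[e["lid"]] = {"src": e["src"], "start": e["ts"], "minutes": None}
        elif e["eid"] == "4634" and e["lid"] in sessions:
            s = sessions[e["lid"]]
            s["minutes"] = (e["ts"] - s["start"]).total_seconds() / 60
    return sessions

def share_by_source(sessions):
    """Fraction of anonymous network logons attributed to each source IP."""
    counts = defaultdict(int)
    for s in sessions.values():
        counts[s["src"]] += 1
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()}

if __name__ == "__main__":
    sessions = anonymous_sessions(parse(SAMPLE_LOG))
    for lid, s in sessions.items():
        print(lid, s["src"], s["start"].isoformat(), s["minutes"])
    print(share_by_source(sessions))
```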
 

Ollis

Robban said:
I get up to 50 logins a day from all different IPs. Particularly one IP
keeps recurring in the list and that computer is (according to the IP, we
got our own network here) a neighbour to me. However, the neighbour IP is
still only accounting for roughly 25% of all 'successful' logins to the
anonymous account.

Sometimes the IP is shown as logged in for just a minute before logged out
and other times it's logged in for up to 30 minutes before the logout event
appears.

It seems that your machine has been compromised and is acting as a host to
some kind of remote control of the machine.

You should flatten the HD if you determine that it has been compromised.

<http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html>
 

Robban

Just checking if this could happen without the computer being compromised.
Since I couldn't find any info on Google or even here I decided to go with
your advice and flatten the HD and now all is back to pre-5th October. No
more Anon logins as far as my log shows.


Cheers,
Rob