Anonymous users successfully logging into my pc

zorro

Hello,

I have Windows XP Pro. Something in the security log makes me wonder if
people are logging into my computer. I logged in as Administrator and
opened
Computer Management->System Tools->Event Viewer->Security.

In the right pane, a lot of "Success Audit" items have an ANONYMOUS
user. When I open the details for such an item I get this sort of
thing:

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x1B4149)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TUDECZKI
Logon GUID: {00000000-0000-0000-0000-000000000000}


Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x1A2110)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: KRYSTYNA
Logon GUID: {00000000-0000-0000-0000-000000000000}


What caught my eye is the Workstation Name. These are real names and I
do not know any of them. Is it possible that my Internet Service
Provider somehow allows other clients to see my computer? I do have a
Firewall up and working.

My PC has an Administrator account but I use it for that purpose only.
I never use it to access the internet. My guest account and all other
accounts are turned off except for one which I use for all my other
needs. It is a power user account.

I'm not a security expert but I once went through the security options
in the administration consoles and restricted access as much as
possible. Any ideas what's going on?
 
Guest

I am having the same problem on my home computer. Someone is logging in
remotely and slowing down the system. Nothing malicious so far. I set up
passwords for all user accounts and restricted access as much as possible. I
still have to clear junk off the computer once a week to speed it up.

What else can be done to restrict access? I wanted to set the user accounts
to log off automatically after x minutes of inactivity. I am not sure how to
do that.

I would be very interested in any help here. Like I said, nothing malicious
so far but... I still don't want someone hijacking my computer.

Par
 
Malke

par said:
I am having the same problem on my home computer. Someone is logging
in remotely and slowing down the system. Nothing malicious so far.

How do you know? I very much doubt that you would see a rootkit since
people who would recognize a rootkit wouldn't have had such an open
machine.
I set up passwords for all user accounts and restricted access as much as
possible. I still have to clear junk off the computer once a week to
speed it up.

What else can be done to restrict access? I wanted to set the user
accounts to log off automatically after x minutes of inactivity. I am
not sure how to do that.

I would be very interested in any help here. Like I said, nothing
malicious so far but... I still don't want someone hijacking my
computer.

You've already been hijacked.

Best practice would be to back up your data and flatten the system since
you have no way of knowing what the intruders have installed. Then do
not go online until SP2 and its firewall is installed. Practice Safe
Hex so this doesn't happen again.

http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get Infected Anyway?
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on Rogue Antispyware Programs
http://www.microsoft.com/athome/security/default.mspx - Protect Your PC
http://www.cert.org/homeusers/HomeComputerSecurity/ - Home Computer Security
http://tinyurl.com/n9trw - 10 Immutable Laws of Security - MS TechNet article

Malke
 
mikeyhsd

Under System Properties, Remote tab, disable remote access.
Also, in the firewall, Exceptions, turn off File and Printer Sharing.



(e-mail address removed)



I am having the same problem on my home computer. Someone is logging in
remotely and slowing down the system. Nothing malicious so far. I set up
passwords for all user accounts and restricted access as much as possible. I
still have to clear junk off the computer once a week to speed it up.

What else can be done to restrict access? I wanted to set the user accounts
to log off automatically after x minutes of inactivity. I am not sure how to
do that.

I would be very interested in any help here. Like I said, nothing malicious
so far but... I still don't want someone hijacking my computer.

Par
 
Steven L Umbach

While it is normal to see "anonymous" logons from computers on your network
due to null sessions used by your network computers, you are right to be
concerned if you are seeing computer names that you do not recognize and
your computer never leaves your network. To prevent that from happening, make
sure you are using a properly secured firewall and a secure wireless network
if you are using wireless, ideally using at least WPA encryption. If you are
using cable/DSL for internet access, I consider it a must to have an internet
router or firewall device protecting your network and not rely on
software/host firewalls alone.

Steve
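
The triage described in this thread (anonymous network logons are routine from your own machines, but worth investigating when the workstation name is unfamiliar) can be automated over event details copied out of Event Viewer. The following is an added example, not part of the original thread; the sample text is the two records quoted in the first post, and the names in KNOWN_WORKSTATIONS are hypothetical placeholders for your own machines.

```python
import re

# Event details as pasted in the first post of this thread.
SAMPLE = """\
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x1B4149)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TUDECZKI
Logon GUID: {00000000-0000-0000-0000-000000000000}

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x1A2110)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: KRYSTYNA
Logon GUID: {00000000-0000-0000-0000-000000000000}
"""

# Assumption: hypothetical names of the machines that belong on your network.
KNOWN_WORKSTATIONS = {"MYDESKTOP", "MYLAPTOP"}

def parse_events(text):
    """Split pasted event details into one dict of fields per logon record."""
    events = []
    for block in re.split(r"(?m)^Successful Network Logon:[ \t]*$", text)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip blank lines and anything without a "key: value" shape
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def unknown_anonymous_logons(events, known=KNOWN_WORKSTATIONS):
    """Workstation names of anonymous network (type 3) logons from unlisted hosts."""
    hits = []
    for ev in events:
        # An empty User Name is how the details pane shows a null session.
        anonymous = ev.get("User Name", "") in ("", "ANONYMOUS LOGON")
        name = ev.get("Workstation Name", "").upper()
        if anonymous and ev.get("Logon Type") == "3" and name not in known:
            hits.append(name)
    return hits
```

Calling `unknown_anonymous_logons(parse_events(SAMPLE))` lists the workstation names that are not in your allowlist; the workstation name is supplied by the connecting client, so treat it as a lead rather than proof of origin.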
 