Successive Anonymous Logon events in security log

B

BG

At times I may have 30 or 40 successful Anonymous Logons or Logoffs within
virtually the same timeframe. The only thing that changes is the LogonID.
This occurs on a Win2K IIS 5.1 server. Web log files show activity at that
time from one authenticated user. What can be causing this and is it
suspicious activity?

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 538

Date: 11/6/2003

Time: 8:50:16 AM

User: NT AUTHORITY\ANONYMOUS LOGON

Computer: SERVER

Description:

User Logoff:

User Name: ANONYMOUS LOGON

Domain: NT AUTHORITY

Logon ID: (0x0,0x12F88DE5)

Logon Type: 3
 
G

gazebo

I got the same. I wonder what is going on? At the same
time, I got series of logon attempts by someone with all
combination of names.

Gazebo
 
S

Steven L Umbach

Those may be normal "null" sessions used by the operating system for various network
activity including maintaining the browse list. Null sessions can be exploited which
is why those ports for file and print sharing need to be blocked to prevent access
from the internet or other untrusted networks. The link below describes the use of
these null sessions and a setting that can be used to secure them assuming that
network configuration would not suffer as explained in the KB. --- Steve

http://support.microsoft.com/?kbid=246261
http://www.sans.org/rr/papers/index.php?id=286
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top