ANONYMOUS LOGIN every 3 seconds
Brian Henning
brian at strutmasters.com
Thu Feb 3 09:33:00 EST 2005
Hi Folks,

A user complained about sluggish response this morning and that got
me poking around in the logs of my 2k3 server machine, and I noticed
something that looked very odd to me in my Security log: Thousands
(seemingly...didn't actually count them) of Success Audit messages like
the following two.

First:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2/3/2005
Time: 9:25:46 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OBIWAN
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x6C622F7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BOBAFETT
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.8.17
Source Port: 0

and immediately following:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2/3/2005
Time: 9:25:46 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OBIWAN
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6C622F7)
Logon Type: 3

It's always from the same machine, which I have called BOBAFETT for the
purposes of this message. And, as mentioned, there are these two log
entries recurring every 2-3 seconds as far back as the log goes (which
isn't very far, since these messages are so frequent).

Is this something I should be worried about? If nothing else, it seems
like it would be a waste of bandwidth, and a horrible source of log
clutter. I find it noteworthy that no other machine is behaving in that
manner. Should I be quarantining BOBAFETT and scanning it for viruses?
It is protected with Norton and its primary user doesn't even have a
company e-mail account, but I'm sure there's probably some vulnerability
somewhere. It's Windows XP Professional SP2.

Much thanks in advance for all advice!

Cheers,
~Brian
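
Added example (not part of the original message): one way to triage a text export of the Security log for the pattern described above, pairing each Event ID 540 anonymous network logon with the 538 logoff that carries the same Logon ID and reporting, per source workstation and address, the number of pairs and the median gap between them. The function names and the generated sample records are constructed for illustration; the parser assumes every record begins with an "Event Type:" line, as in the two records quoted in the post.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed record template using field names quoted in the post.
TEMPLATE = ("Event Type: Success Audit\nEvent ID: {eid}\nDate: {t:%m/%d/%Y}\n"
            "Time: {t:%I:%M:%S %p}\nUser: NT AUTHORITY\\ANONYMOUS LOGON\n"
            "Logon ID: (0x0,0x{lid:X})\nLogon Type: 3\n{extra}")

def constructed_sample(n=5, step=3):
    """Build n logon/logoff pairs, 'step' seconds apart (not real log data)."""
    src = "Workstation Name: BOBAFETT\nSource Network Address: 10.1.8.17\n"
    out, t0 = [], datetime(2005, 2, 3, 9, 25, 46)
    for i in range(n):
        kw = dict(t=t0 + timedelta(seconds=i * step), lid=0x6C622F7 + i)
        out += [TEMPLATE.format(eid=540, extra=src, **kw),
                TEMPLATE.format(eid=538, extra="", **kw)]
    return "".join(out)

def field(rec, name):
    """Value of 'name: value' when it starts a line, else ''."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*)$", rec, re.M)
    return m.group(1).strip() if m else ""

def parse_events(text):
    """Split an Event Viewer text export into one dict per record."""
    events = []
    for rec in re.split(r"(?m)^(?=Event Type:)", text):
        if field(rec, "Event ID"):
            ev = {k: field(rec, k) for k in ("Event ID", "User", "Logon ID",
                  "Workstation Name", "Source Network Address")}
            stamp = field(rec, "Date") + " " + field(rec, "Time")
            ev["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def anonymous_logon_summary(events):
    """Per source: 540s closed by a 538 with the same Logon ID, median gap."""
    closed = {e["Logon ID"] for e in events if e["Event ID"] == "538"}
    seen = {}
    for e in sorted(events, key=lambda e: e["when"]):
        if (e["Event ID"] == "540" and e["Logon ID"] in closed
                and e["User"].endswith("ANONYMOUS LOGON")):
            src = (e["Workstation Name"], e["Source Network Address"])
            seen.setdefault(src, []).append(e["when"])
    out = {}
    for src, ts in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        out[src] = {"pairs": len(ts), "median_gap_s": median(gaps) if gaps else None}
    return out
```

Calling anonymous_logon_summary(parse_events(text)) on a saved export returns one entry per (workstation, address) source, so a single host producing pairs at a fixed interval stands out from ordinary logon traffic.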