ANONYMOUS LOGIN every 3 seconds

Brian Henning brian at strutmasters.com
Thu Feb 3 09:33:00 EST 2005


Hi Folks,
   A user complained about sluggish response this morning and that got 
me poking around in the logs of my 2k3 server machine, and I noticed 
something that looked very odd to me in my Security log: Thousands 
(seemingly...didn't actually count them) of Success Audit messages like 
the following two.

First:

Event Type:	Success Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	540
Date:		2/3/2005
Time:		9:25:46 AM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	OBIWAN
Description:
Successful Network Logon:
  	User Name:	
  	Domain:		
  	Logon ID:		(0x0,0x6C622F7)
  	Logon Type:	3
  	Logon Process:	NtLmSsp
  	Authentication Package:	NTLM
  	Workstation Name:	BOBAFETT
  	Logon GUID:	-
  	Caller User Name:	-
  	Caller Domain:	-
  	Caller Logon ID:	-
  	Caller Process ID: -
  	Transited Services: -
  	Source Network Address:	10.1.8.17
  	Source Port:	0

and immediately following:

Event Type:	Success Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	538
Date:		2/3/2005
Time:		9:25:46 AM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	OBIWAN
Description:
User Logoff:
  	User Name:	ANONYMOUS LOGON
  	Domain:		NT AUTHORITY
  	Logon ID:		(0x0,0x6C622F7)
  	Logon Type:	3


It's always from the same machine, which I have called BOBAFETT for the 
purposes of this message.  And, as mentioned, there are these two log 
entries recurring every 2-3 seconds as far back as the log goes (which 
isn't very far, since these messages are so frequent).

Is this something I should be worried about?  If nothing else, it seems 
like it would be a waste of bandwidth, and a horrible source of log 
clutter.  I find it noteworthy that no other machine is behaving in that 
manner.  Should I be quarantining BOBAFETT and scanning it for viruses? 
It is protected with Norton and its primary user doesn't even have a 
company e-mail account, but I'm sure there's probably some vulnerability 
somewhere.  It's Windows XP Professional SP2.

Much thanks in advance for all advice!

Cheers,
~Brian
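
Added example, not part of the original message: one way to triage the pattern described above is to group the anonymous type 3 logons (Event ID 540) by workstation, check each for a matching logoff (538) with the same Logon ID, and measure the gap between logons. It assumes the Security log has been exported as text in the layout quoted in the post; the sample timestamps, the incrementing Logon IDs and the second machine HOST2 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split Event Viewer text (layout as quoted in the post) into field dicts."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        rec = dict(FIELD.findall(chunk))
        if "Event ID" in rec:
            stamp = f"{rec['Date']} {rec['Time']}"
            rec["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append(rec)
    return events

def anonymous_logon_cadence(events):
    """Per workstation: (540 count, how many have a matching 538, median gap in s)."""
    logoffs = {e.get("Logon ID") for e in events if e["Event ID"] == "538"}
    seen = defaultdict(list)
    for e in events:
        if (e["Event ID"] == "540" and e.get("Logon Type") == "3"
                and e.get("User", "").endswith("ANONYMOUS LOGON")):
            seen[e.get("Workstation Name", "?")].append(e)
    report = {}
    for host, evs in seen.items():
        ts = sorted(e["when"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        paired = sum(e.get("Logon ID") in logoffs for e in evs)
        report[host] = (len(evs), paired, median(gaps) if gaps else None)
    return report

# Constructed sample records; HOST2 is a made-up second machine for contrast.
TEMPLATE = ("Event Type:\tSuccess Audit\nEvent ID:\t{eid}\nDate:\t\t2/3/2005\n"
            "Time:\t\t{clock}\nUser:\t\tNT AUTHORITY\\ANONYMOUS LOGON\nDescription:\n"
            "  \tLogon ID:\t\t(0x0,{lid})\n  \tLogon Type:\t3\n{extra}\n")

def sample_log():
    rows = [("9:25:46 AM", "BOBAFETT"), ("9:25:49 AM", "BOBAFETT"),
            ("9:25:51 AM", "BOBAFETT"), ("9:25:54 AM", "BOBAFETT"),
            ("9:26:00 AM", "HOST2")]
    out = ""
    for i, (clock, host) in enumerate(rows):
        lid, ws = f"0x{0x6C622F7 + i:X}", f"  \tWorkstation Name:\t{host}\n"
        out += TEMPLATE.format(eid=540, clock=clock, lid=lid, extra=ws)
        out += TEMPLATE.format(eid=538, clock=clock, lid=lid, extra="")
    return out
```

A workstation with a high count, every logon paired with an immediate logoff, and a small, steady median gap matches the recurring pattern described in the message; a host with a single entry does not.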




More information about the ncsa-discussion mailing list