Anon Login on my PC

Discussion in 'Windows Desktop Systems' started by lancer, Aug 10, 2006.

  1. lancer

    lancer There is no answer! Political User Folding Team

    Messages:
    3,093
    Location:
    FL, USA
    Ok so this morning I come into work to find my computer crashed and at the closing down window, but an exception had hung the process.... (I had just locked my machine last night, not turned it off).

    So I have to hard reset the comp, I go to my Event Viewer and under Security I see this, does anyone know what this means?

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 538
    Date: 8/10/2006
    Time: 9:00:39 AM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: COOLER
    Description:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x519416C)
    Logon Type: 3

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Well, now I look a little deeper and from 8/8/06 this has been a pretty continuous thing, help please, plus there are loads of guest logins as well, I only log in under the administrator, is this a trojan of some kind or a normal process?

    EDIT:

    Well, in delving a little deeper it seems at least three machines from within my company have tried to log in to my computer, I have a drive shared on the network and a folder on another drive, does this occur when they try to access them? The strange thing is that the computers are logging on to mine at like 12am in the morning and other strange times.
     

    Last edited: Aug 10, 2006
    Mainframeguy likes this.
  2. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    When another machine/user tries to login to your machine, it will show in your Event Log. It should give user credentials, unless they are using a type of application that blocks the logging of it.

    I know for instance I use SMS to push out Security Patches to machines on the network, but in those cases it shows user SYSTEM has logged in.
     
  3. lancer

    Well, most of the logins show the user as "1%"

    and our company doesn't do any system-wide updates, it's all a bit mickey mouse here..

    I did a scan with ewido in safe mode and it picked up one virus called something like "not-a-virus.hoax.swf.alerter.a", according to ewido it was a low level password retriever

    it says that "NT AUTHORITY\NETWORK SERVICE" is a user of a few of the logins
     
  4. mlakrid

    mlakrid OSNN BASSMASTER Political User Folding Team

    Hey Lancer where you working that it is a "mickey mouse" type company??

    :eek:
     
  5. lancer

    legally I actually can't say...

    ok now this has come up....


    Details
    Product: Windows Operating System
    Event ID: 576
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_ASSIGN_SPECIAL_PRIV
    Message: Special privileges assigned to new logon:
    User Name: %1
    Domain: %2
    Logon ID: %3
    Assigned: %4

    Explanation
    This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon. Certain privileges have security implications. Assigning such privileges to a user who is not trusted can be a security risk. Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple times for each file opened. This audit event record is intended to warn an administrator that such a privilege has been assigned.

    User Action
    The person with administrative rights for the computer should make sure the user should have the special privileges assigned.

    I haven't done any such thing.. am I being ultra paranoid, or is this an issue?
     
  6. mlakrid


    If I were you I would ensure the last 2 days' worth of critical patches which just came out from Microsoft are installed...

    Pasted from an email I sent to my friends and colleagues yesterday:
    ALL,

    COMPUTER SECURITY UPDATE – PLEASE READ!
    U.S. Homeland Security Urges Windows users to Apply Patch!

    If you haven’t heard about this Windows fix, and leave your computer connected to the web, please read this short article on Cnet News.

    http://news.com.com/Homeland+Security+Lock+up+your+Windows/2100-7348_3-6103805.html

    and here directly from Microsoft’s security:

    http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

     
  7. lancer

    I have automatic updates, but I installed it again anyway.
     
  8. kcnychief

    If it is a work PC, I would talk to your Network Admins. Someone or some process is successfully logging into your PC anonymously and that is a serious security risk.
     
  9. lancer

    Well, I told the IT admin guy, he was barely interested, saying "we have anti-virus, it's all fine", I don't think he knows how to deal with it, I even told him which machines were doing it and at what times, like 3am. He just said "interesting"... I think what's interesting is his lack of interest.
     
  10. kcnychief

    More than likely means the other machines are infected trying to hammer your own I would think.
     
  11. RickyC

    RickyC OSNN Addict

    Messages:
    199
    Location:
    Earth
    I don't think there is much to worry about.

    The above event is for a Logoff. The clue here is 'Logon Type: 3' which is generated for a logoff, net disconnection or an autodisconnect. This could be for a user or a system process. Any software that uses the system user account will use a null session which will be seen as an anonymous user.

    If for example a windows update automatically reboots your machine, it should generate the above event.

    If your machine has registered itself as the master browser on the network, it will generate this event regularly.

    For logons look for event 528.
     
    Mainframeguy likes this.
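
Added example, not part of any post in this thread: a small Python parser for Security-log records in the text layout quoted in the first post. It separates logon events from logoff events and counts Logon Type 3 (network) logons outside working hours, per account and source machine. The sample records, machine names, the 07:00-19:00 window and the use of event ID 540 (the network-logon ID on Windows XP/2003, not mentioned in the thread) are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed records in the text layout quoted in the first post; not real log data.
SAMPLE = """\
Event ID: 540
Date: 8/10/2006
Time: 3:02:11 AM
User Name: ANONYMOUS LOGON
Logon Type: 3
Workstation Name: EXAMPLE-PC1

Event ID: 538
Date: 8/10/2006
Time: 9:00:39 AM
User Name: ANONYMOUS LOGON
Logon Type: 3

Event ID: 540
Date: 8/10/2006
Time: 12:14:50 AM
User Name: Guest
Logon Type: 3
Workstation Name: EXAMPLE-PC2
"""

def parse_events(text):
    """Yield one dict per blank-line-separated record, keyed by field name."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", block, re.M))
        if "Event ID" in rec:
            stamp = rec["Date"] + " " + rec["Time"]
            rec["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            yield rec

def off_hours_network_logons(text, start=7, end=19):
    """Count type-3 logons (528/540, never the 538 logoff) outside start..end."""
    hits = Counter()
    for rec in parse_events(text):
        is_logon = int(rec["Event ID"]) in (528, 540)
        off_hours = not start <= rec["when"].hour < end
        if is_logon and rec.get("Logon Type") == "3" and off_hours:
            key = (rec.get("User Name", "?"), rec.get("Workstation Name", "?"))
            hits[key] += 1
    return hits
```
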
  12. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    I agree with Ricky.....

    But your network admins at Disneyland (or wherever you work!) should have taken the same interest and come to the same conclusion...

    No worries then - but do advise us if like Ricky says it is those factors, or even get back if it is something more serious. Be good to hear - threads like this are uber useful....

    Reps to you and to Ricky for your information.
     
  13. lancer

    Sorry guys, at home now, but something strange is certainly going on, as I had another machine in the company try to access mine, I asked the guy whether he had tried to access one of my shared drives and he had not... there is certainly a virus, not on mine now, I know that for sure, as I spent the day scanning the machine, and I just got one keylogging program.
     
  14. Mainframeguy

    :suprised: one too many!

    :speechless: seems to me this could have been the cause of subsequent attacks if it logged anything that others are now attempting to use.... what do others think?
     
  15. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    I think it's being blown way out of proportion, accusations are flying at the wrong people and certain posters are believing they know more about network administration than certain posts are indicating.

    Windows machines communicate with each other on the same LAN all the time. If left at default installation settings as most corporate workstations are (outside of group policy limitations that may be in place), Windows XP machines will probe and scan all shared folders/disks on each other.

    Viruses and trojans do not generate that sort of behaviour nor do they leave such painfully obvious access trails in the event log.

    My advice is to ignore it, stop being paranoid, sit yourself behind a NAT router and keep your antivirus up to date.

    If your anti-virus is not called Kaspersky, F-Secure or NOD32 you will want to make it thus at your earliest opportunity. The current solution is not very good by nature of the fact a keylogger was installed around it and it never noticed.
     
  16. lancer

    I use AVG, is that not very good? Also I wasn't using this PC as I am now, I think I installed all the antivirus antispyware stuff after.

    But Lord, your explanation sounds right, let's just hope that's what it is.
     
  17. Weasel

    Weasel Define 'Cynical'

    Messages:
    163
    Location:
    Sammamish, WA
    This is coming from the ad system on the site. It doesn't come up all the time; only sometimes. Anyway, I've started a thread about it here