
Anon Login on my PC

lancer

There is no answer!
Political User
#1
Ok, so this morning I come into work to find my computer crashed and at the closing down window, but an exception had hung the process.... (I had just locked my machine last night, not turned it off).

So I have to hard reset the comp. I go to my event viewer and under security I see this; does anyone know what this means?

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 8/10/2006
Time: 9:00:39 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: COOLER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x519416C)
Logon Type: 3

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Well, now I look a little deeper and from 8/8/06 this has been a pretty continuous thing. Help please; plus there are loads of guest logins as well. I only log in under the administrator. Is this a trojan of some kind or a normal process?

EDIT:

Well, in delving a little deeper it seems at least three machines from within my company have tried to log in to my computer. I have a drive shared on the network and a folder on another drive; does this occur when they try to access them? The strange thing is that the computers are logging on to mine at like 12am in the morning and other strange times.
 


kcnychief

█▄█ ▀█▄ █
Political User
#2
When another machine/user tries to login to your machine, it will show in your Event Log. It should give user credentials, unless they are using a type of application that blocks the logging of it.

I know for instance I use SMS to push out Security Patches to machines on the network, but in those cases it shows user SYSTEM has logged in.
 

lancer

There is no answer!
Political User
#3
Well, most of the logins show the user as "1%"

and our company doesn't do any system-wide updates, it's all a bit mickey mouse here..

I did a scan with ewido in safe mode and it picked up one virus called something like "not-a-virus.hoax.swf.alerter.a"; according to ewido it was a low level password retriever.

It says that "NT AUTHORITY\NETWORK SERVICE" is a user of a few of the logins.
 

lancer

There is no answer!
Political User
#5
Legally I actually can't say...

OK, now this has come up....


Details
Product: Windows Operating System
Event ID: 576
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_ASSIGN_SPECIAL_PRIV
Message: Special privileges assigned to new logon:
User Name: %1
Domain: %2
Logon ID: %3
Assigned: %4

Explanation
This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon. Certain privileges have security implications. Assigning such privileges to a user who is not trusted can be a security risk. Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple times for each file opened. This audit event record is intended to warn an administrator that such a privilege has been assigned.

User Action
The person with administrative rights for the computer should make sure the user should have the special privileges assigned.

I haven't done any such thing.. am I being ultra paranoid, or is this an issue?
 

mlakrid

OSNN BASSMASTER
Political User
#6
If I were you I would ensure the last 2 days' worth of critical patches which just came out from Microsoft are installed...

Pasted from an email I sent to my friends and colleagues yesterday:
ALL,

COMPUTER SECURITY UPDATE – PLEASE READ!
U.S. Homeland Security Urges Windows users to Apply Patch!

If you haven’t heard about this Windows fix, and leave your computer connected to the web, please read this short article on Cnet News.

http://news.com.com/Homeland+Security+Lock+up+your+Windows/2100-7348_3-6103805.html

and here directly from Microsoft’s security:

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

 

kcnychief

█▄█ ▀█▄ █
Political User
#8
If it is a work PC, I would talk to your Network Admins. Someone or some process is successfully logging into your PC anonymously and that is a serious security risk.
 

lancer

There is no answer!
Political User
#9
Well, I told the IT admin guy; he was barely interested, saying "we have anti-virus, it's all fine". I don't think he knows how to deal with it. I even told him which machines were doing it and at what times, like 3am. He just said "interesting"... I think what's interesting is his lack of interest.
 
#11
I don't think there is much to worry about.

The above event is for a Logoff. The clue here is 'Logon Type: 3' which is generated for a logoff, net disconnection or an autodisconnect. This could be for a user or a system process. Any software that uses the system user account will use a null session which will be seen as an anonymous user.

If for example a windows update automatically reboots your machine, it should generate the above event.

If your machine has registered itself as the master browser on the network, it will generate this event regularly.

For logons look for event 528.
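
A triage sketch for the log review discussed in this thread, added here as an example and not part of any poster's message: it parses Security log records in the text layout pasted in post #1, counts logon/logoff records per account, and lists the ones stamped outside working hours. The sample rows (apart from the first, which repeats fields of the posted record), the 07:00-19:00 window and event ID 540 (the successful network logon record on Windows of that era, not mentioned in the thread) are assumptions; Logon Type 3 is the network logon type, which is what access to a shared drive or folder produces.

```python
import re
from collections import Counter
from datetime import datetime

# Pre-Vista Security log IDs: 528 and 538 are named in the thread, 540 is added here.
EVENTS = {"528": "logon", "538": "logoff", "540": "network logon"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

# Constructed sample. Only the first row repeats the record posted in #1.
ROWS = [("538", "8/10/2006", "9:00:39 AM", "ANONYMOUS LOGON", "NT AUTHORITY"),
        ("540", "8/9/2006", "12:04:11 AM", "Guest", "COOLER"),
        ("538", "8/9/2006", "12:04:12 AM", "Guest", "COOLER"),
        ("540", "8/9/2006", "3:02:57 AM", "ANONYMOUS LOGON", "NT AUTHORITY"),
        ("576", "8/9/2006", "3:02:57 AM", "ANONYMOUS LOGON", "NT AUTHORITY")]
SAMPLE = "\n".join(
    "Event Type: Success Audit\nEvent ID: %s\nDate: %s\nTime: %s\n"
    "Description:\nUser Name: %s\nDomain: %s\nLogon Type: 3\n" % row for row in ROWS)

def parse_records(text):
    """Return one dict per record; a record starts at an 'Event Type:' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            cur = {}
            records.append(cur)
        if cur is not None and val:
            cur.setdefault(key, val)  # first occurrence of a field wins
    return records

def summarize(records, work_start=7, work_end=19):
    """Count logon/logoff records per (account, event ID, logon type) and return
    those outside work_start..work_end; assumes m/d/Y dates as in the posted record."""
    counts, off_hours = Counter(), []
    for r in records:
        if r.get("Event ID") not in EVENTS:
            continue  # e.g. 576, which is not a logon/logoff record
        account = f"{r.get('Domain', '?')}\\{r.get('User Name', '?')}"
        when = datetime.strptime(f"{r['Date']} {r['Time']}", "%m/%d/%Y %I:%M:%S %p")
        counts[(account, r["Event ID"], r.get("Logon Type", "?"))] += 1
        if not work_start <= when.hour < work_end:
            off_hours.append((when, account, EVENTS[r["Event ID"]]))
    return counts, sorted(off_hours)

if __name__ == "__main__":
    print(*summarize(parse_records(SAMPLE))[1], sep="\n")
```

The 538 record shown in post #1 carries no source machine name, so tying an off-hours entry to a particular workstation needs the matching logon record for the same Logon ID.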
 

Mainframeguy

Debiant by way of Ubuntu
#12
I agree with Ricky.....

But your network admins at Disneyland (or wherever you work!) should have taken the same interest and come to the same conclusion...

No worries then - but do advise us if like Ricky says it is those factors, or even get back if it is something more serious. Be good to hear - threads like this are uber useful....

Reps to you and to Ricky for your information.
 

lancer

There is no answer!
Political User
#13
Sorry guys, at home now, but something strange is certainly going on, as I had another machine in the company try to access mine. I asked the guy whether he had tried to access one of my shared drives and he had not... There is certainly a virus, not on mine now, I know that for sure, as I spent the day scanning the machine, and I just got one keylogging program.
 
#15
I think it's being blown way out of proportion, accusations are flying at the wrong people and certain posters are believing they know more about network administration than certain posts are indicating.

Windows machines communicate with each other on the same LAN all the time. If left at default installation settings as most corporate workstations are (outside of group policy limitations that may be in place), Windows XP machines will probe and scan all shared folders/disks on each other.

Viruses and trojans do not generate that sort of behaviour nor do they leave such painfully obvious access trails in the event log.

My advice is to ignore it, stop being paranoid, sit yourself behind a NAT router and keep your antivirus up to date.

If your anti-virus is not called Kaspersky, F-Secure or NOD32 you will want to make it thus at your earliest opportunity. The current solution is not very good by nature of the fact a keylogger was installed around it and it never noticed.
 

lancer

There is no answer!
Political User
#16
I use AVG, is that not very good? Also I wasn't using this PC as I am now; I think I installed all the antivirus/antispyware stuff after.

But lord, your explanation sounds right, let's just hope that's what it is.
 

Weasel

Define 'Cynical'
#17
Well, most of the logins show the user as "1%"

and our company doesn't do any system-wide updates, it's all a bit mickey mouse here..

I did a scan with ewido in safe mode and it picked up one virus called something like "not-a-virus.hoax.swf.alerter.a"; according to ewido it was a low level password retriever.

It says that "NT AUTHORITY\NETWORK SERVICE" is a user of a few of the logins.

This is coming from the ad system on the site. It doesn't come up all the time; only sometimes. Anyway, I've started a thread about it here
 
