Anon Login on my PC

lancer

Ok so this morning i come into work to find my computer crashed and at the closing down window, but an exception had hung the process.... (I had just locked my machine last night, not turned it off).

So i have to hard reset the comp, i go to my event viewer and under security i see this, does anyone know what this means?

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 8/10/2006
Time: 9:00:39 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: COOLER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x519416C)
Logon Type: 3

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


well now i look a little deeper and from 8/8/06 this has been a pretty continuous thing, help please, plus there are loads of guest logins as well, i only login under the administrator, is this a trojan of some kind or a normal process?

EDIT:

well in delving a little deeper it seems at least three machines from within my company have tried to login to my computer, i have a drive shared on the network and a folder on another drive, does this occur when they try to access them? The strange thing is that the computers are logging on to mine at like 12am in the morning and other strange times.
 

Attachments

  • security log.txt
When another machine/user tries to login to your machine, it will show in your Event Log. It should give user credentials, unless they are using a type of application that blocks the logging of it.

I know for instance I use SMS to push out Security Patches to machines on the network, but in those cases it shows user SYSTEM has logged in.
 
well most of the logins show the user as "1%"

and our company doesn't do any system-wide updates its all a bit mickey mouse here..

i did a scan with ewido in safe mode and it picked up one virus called something like. "not-a-virus.hoax.swf.alerter.a", according to ewido it was a low level password retriever

it says that "NT AUTHORITY\NETWORK SERVICE" is a user of a few of the logins
 
well most of the logins show the user as "1%"

and our company doesn't do any system-wide updates its all a bit mickey mouse here..

Hey Lancer where you working that it is a "mickey mouse" type company??

:eek:
 
legally i actually cant say...

ok now this has come up....


Details
Product: Windows Operating System
Event ID: 576
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_ASSIGN_SPECIAL_PRIV
Message: Special privileges assigned to new logon:
User Name: %1
Domain: %2
Logon ID: %3
Assigned: %4

Explanation
This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon. Certain privileges have security implications. Assigning such privileges to a user who is not trusted can be a security risk. Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple times for each file opened. This audit event record is intended to warn an administrator that such a privilege has been assigned.

User Action
The person with administrative rights for the computer should make sure the user should have the special privileges assigned.

i haven't done any such thing.. am i being ultra paranoid, or is this an issue?
 
If I were you I would ensure the last 2 days worth of critical patches which just came out from microsoft are installed...

Pasted from an email I sent to my friends and colleagues yesterday:
ALL,

COMPUTER SECURITY UPDATE – PLEASE READ!
U.S. Homeland Security Urges Windows users to Apply Patch!

If you haven’t heard about this windows fix, and leave your computer connected to the web please read this short article on Cnet News.

http://news.com.com/Homeland+Security+Lock+up+your+Windows/2100-7348_3-6103805.html

and here directly from Microsoft’s security:

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

 
i have automatic updates, but i installed it again anyway.
 
If it is a work PC, I would talk to your Network Admins. Someone or some process is successfully logging into your PC anonymously and that is a serious security risk.
 
well i told the it admin guy, he was barely interested saying "we have anti-virus, its all fine", i don't think he knows how to deal with it, i even told him which machines were doing it and at what times, like 3am. he just said "interesting"... i think what's interesting is his lack of interest.
 
More than likely means the other machines are infected trying to hammer your own I would think.
 
I don't think there is much to worry about.

The above event is for a Logoff. The clue here is 'Logon Type: 3' which is generated for a logoff, net disconnection or an autodisconnect. This could be for a user or a system process. Any software that uses the system user account will use a null session which will be seen as an anonymous user.

If for example a windows update automatically reboots your machine, it should generate the above event.

If your machine has registered itself as the master browser on the network, it will generate this event regularly.

For logons look for event 528.
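
Added example, not part of the original post: a small Python triage of a Security log text export in the layout quoted at the top of the thread, counting network logons per account and source machine and marking the ones outside working hours. It assumes the pre-Vista event numbering (528 logon, 540 network logon, 538 logoff; Logon Type 3 is a network logon); the records, the machine names PC-A and PC-B and the 22:00 to 06:00 quiet window are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Pre-Vista Security log numbering: 528 logon, 540 network logon, 538 logoff.
LOGON_IDS = {"528", "540"}

# Constructed records, trimmed to the fields used here, in the thread's layout.
TEMPLATE = ("Event Type: Success Audit\nEvent ID: {0}\nTime: {1}\nUser: {2}\n"
            "Description:\nLogon Type: 3\nWorkstation Name: {3}\n\n")
ROWS = [
    ("540", "12:04:11 AM", r"NT AUTHORITY\ANONYMOUS LOGON", "PC-A"),
    ("540", "3:02:45 AM", r"COOLER\Guest", "PC-B"),
    ("538", "9:00:39 AM", r"NT AUTHORITY\ANONYMOUS LOGON", ""),
    ("540", "2:15:00 PM", r"COOLER\Guest", "PC-B"),
]
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)


def parse_events(text):
    """Split a text export into one dict of 'Key: value' fields per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Event Type":      # first field of every record
            events.append({})
        if events and value:         # skip bare headings such as "Description:"
            events[-1].setdefault(key, value)
    return events


def network_logons(events, quiet=(22, 6)):
    """Count network logons per (account, source) and the off-hours subset."""
    counts, off_hours = Counter(), Counter()
    for ev in events:
        if ev.get("Event ID") not in LOGON_IDS or ev.get("Logon Type") != "3":
            continue                 # logoffs (538) and local logons are ignored
        who = (ev.get("User", "?"), ev.get("Workstation Name", "?"))
        counts[who] += 1
        hour = datetime.strptime(ev["Time"], "%I:%M:%S %p").hour
        if hour >= quiet[0] or hour < quiet[1]:
            off_hours[who] += 1
    return counts, off_hours


if __name__ == "__main__":
    counts, late = network_logons(parse_events(SAMPLE))
    for who, n in counts.most_common():
        print(who, "logons:", n, "off-hours:", late[who])
```
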
 
I agree with Ricky.....

But your network admins at Disneyland (or wherever you work!) should have taken the same interest and come to the same conclusion...

No worries then - but do advise us if like Ricky says it is those factors, or even get back if it is something more serious. Be good to hear - threads like this are uber useful....

Reps to you and to Ricky for your information.
 
sorry guys at home now, but something strange is certainly going on, as i had another machine in the company try to access mine, i asked the guy whether he had tried to access one of my shared drives and he had not... there is certainly a virus, not on mine now, i know that for sure, as i spent the day scanning the machine, and i just got one keylogging program.
 
....and i just got one keylogging program.
:suprised: one too many!

:speechless: seems to me this could have been the cause of subsequent attacks if it logged anything that others are now attempting to use.... what do others think?
 
I think it's being blown way out of proportion, accusations are flying at the wrong people and certain posters are believing they know more about network administration than certain posts are indicating.

Windows machines communicate with each other on the same lan all the time. If left at default installation settings as most corporate workstations are (outside of group policy limitations that may be in place) windows xp machines will probe and scan all shared folders/disks on each other.

Viruses and trojans do not generate that sort of behaviour nor do they leave such painfully obvious access trails in the event log.

My advice is to ignore it, stop being paranoid, sit yourself behind a NAT router and keep your antivirus up to date.

If your anti-virus is not called Kaspersky, F-Secure or NOD32 you will want to make it thus at your earliest opportunity. The current solution is not very good by nature of the fact a keylogger was installed around it and it never noticed.
 
i use avg is that not very good? also i wasn't using this pc as i am now, i think i installed all the antivirus antispyware stuff after.

but lord your explanation sounds right, lets just hope thats what it is.
 
well most of the logins show the user as "1%"

and our company doesn't do any system-wide updates its all a bit mickey mouse here..

i did a scan with ewido in safe mode and it picked up one virus called something like. "not-a-virus.hoax.swf.alerter.a", according to ewido it was a low level password retriever

it says that "NT AUTHORITY\NETWORK SERVICE" is a user of a few of the logins

This is coming from the ad system on the site. It doesn't come up all the time; only sometimes. Anyway, I've started a thread about it here
 
