Anonymous user logons in security logs
From: Emdee (mikeDONTSPAM@webheat.co.uk)
Date: 01/31/03
- Next message: Nick Falcone: "Re: Power Management"
- Previous message: Karl Levinson [x y] mvp: "Re: Who's blocking these ports? Please help..."
- Next in thread: Karl Levinson [x y] mvp: "Re: Anonymous user logons in security logs"
- Reply: Karl Levinson [x y] mvp: "Re: Anonymous user logons in security logs"
From: "Emdee" <mikeDONTSPAM@webheat.co.uk> Date: Fri, 31 Jan 2003 14:03:11 -0000
My company has a domain of 7 machines:
2 x DCs - Windows 2000 Server
3 x WWW Servers (load balancing done via another non-windows box) - Windows 2000 Server
2 x Clustered DB servers, active/passive - Windows 2000 Advanced Server
I check the logs daily and since their going live (possibly before) there
are daily entries in the security log for:
NT AUTHORITY\ANONYMOUS LOGON
My question is this:
Are these entries from normal behaviour or is it likely to be something more
suspicious?
If it's something more suspicious then what/where should I go looking?
Entries usually like so (computer names etc have been changed):
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 31/01/2003
Time: 13:55:14
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x39B9BCE2)
Logon Type: 3
----------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 31/01/2003
Time: 13:54:50
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x39B9B7ED)
Logon Type: 3
----------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 31/01/2003
Time: 13:54:40
User: DOMAINNAME\WWWSRV3$
Computer: DC1
Description:
User Logoff:
User Name: WWWSRV$
Domain: DOMAINNAME
Logon ID: (0x0,0x39B9B173)
Logon Type: 3
----------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 31/01/2003
Time: 13:54:30
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x39B9BCE2)
Assigned: SeChangeNotifyPrivilege
----------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 31/01/2003
Time: 13:53:45
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x39B9B7ED)
Assigned: SeChangeNotifyPrivilege
----------------------------------------------------------
Many thanks
Emdee
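Added example, not part of the original post: a Python parser for entries in the text layout quoted above that pairs each ANONYMOUS LOGON event 576 (privileges assigned at logon) with its event 538 (logoff) by Logon ID, so the lifetime of each anonymous network session (Logon Type 3) can be reviewed. The function names and the abridged sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Sample abridged from the entries quoted in the post (same field layout).
SAMPLE = """\
Event ID: 538
Date: 31/01/2003
Time: 13:55:14
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x39B9BCE2)
Logon Type: 3
----------------------------------------------------------
Event ID: 538
Date: 31/01/2003
Time: 13:54:40
User: DOMAINNAME\\WWWSRV3$
Logon ID: (0x0,0x39B9B173)
Logon Type: 3
----------------------------------------------------------
Event ID: 576
Date: 31/01/2003
Time: 13:54:30
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x39B9BCE2)
Assigned: SeChangeNotifyPrivilege
"""

FIELD = re.compile(r"^([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split on the dashed separator; return one field dict per entry."""
    events = []
    for chunk in re.split(r"(?m)^-{10,}\s*$", text):
        f = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if "Event ID" in f:
            f["when"] = datetime.strptime(f["Date"] + " " + f["Time"], "%d/%m/%Y %H:%M:%S")
            events.append(f)
    return events

def anonymous_sessions(text):
    """Map Logon ID -> (logon type, seconds between 576 and 538) for ANONYMOUS LOGON."""
    s = {}
    for e in parse_events(text):
        if e["User"].upper().endswith("ANONYMOUS LOGON"):
            rec = s.setdefault(e["Logon ID"], {})
            rec[e["Event ID"]] = e["when"]
            rec["type"] = e.get("Logon Type", rec.get("type"))
    return {lid: (r["type"], (r["538"] - r["576"]).total_seconds()
                  if "538" in r and "576" in r else None) for lid, r in s.items()}
```

Calling anonymous_sessions(SAMPLE) returns one session for Logon ID (0x0,0x39B9BCE2); the machine-account logoff for WWWSRV3$ is filtered out, and a session missing either event gets a duration of None.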