
Security Event entries

Discussion in 'Legacy Windows' started by Ludwig, 2003/04/22.

Thread Status:
Not open for further replies.
  1. 2003/04/22
    Ludwig

    Ludwig Well-Known Member Thread Starter

    I have W2K Prof which connects to the internet via always-on DSL. I just looked at the security log and it shows a lot of entries about ANONYMOUS LOGON. I don't have IIS installed, and run a firewall - with no log msgs that might give me a hint as to nefarious activity going on.

    It is always logging off, never logging on. Sample below - the 2nd "0x92708" on the Logon ID line varies each time.

    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x92708)
    Logon Type: 3

    I have 1,223 entries covering 30 March 13:57 thru to now 23 April 14:50.

    I suspect the answer is simple (but not for me :eek: ). What's the cause of this? I wonder if it's caused by Scheduled Tasks?
     
  2. 2003/04/22
    mflynn

    mflynn Inactive

    Do you have a Web server or FTP server running?

    What is the event ID number?

    Mike
     


  4. 2003/04/22
    Ludwig

    Ludwig Well-Known Member Thread Starter

    No FTP or Web Server running. TELNET service disabled too.

    Event ID number 538, same as all other logoff events.

    Sometimes there can be 2 events with the same timestamp - e.g. when I log on or off using my account.
     
  5. 2003/04/23
    Arie

    Arie Administrator Administrator Staff

    I found:


     
    Arie,
    #4
  6. 2003/04/23
    mflynn

    mflynn Inactive

  7. 2003/04/23
    Ludwig

    Ludwig Well-Known Member Thread Starter

    Nothing reported by eventlogscan.com

    Ran that report .. no unusual entries shown up .. & no comment about these "ANONYMOUS LOGON" entries.
     
    Last edited: 2003/04/23
  8. 2003/04/24
    mflynn

    mflynn Inactive

    I can't seem to find much info on this and I haven't seen it before.

    So I suggest that you look at your services very closely. Of course disabling unneeded services will increase performance, but in this case you may need to turn something on. Just don't do too many at once so you can know what effect they are having.

    Use these links:

    XP & 2K Tweaks and services configuration
    http://blackviper.com/WinXP/servicecfg.htm
    http://members.internettrash.com/megapolon/xptweak2.html
    http://www.theeldergeek.com/index.htm
    http://www.kellys-korner-xp.com/xp_h.htm
    http://www.dougknox.com/
    http://tweakxp.com/tweakxp/
    http://beemerworld.com/tips/servicesxp.htm
    http://www.aumha.org/regfiles.htm

    Additionally you may want to try XpAntiSpy, written for XP but works for 2k also:

    http://www.webattack.com/get/xpantispy.shtml

    The help is good, choose what you do and do not want. I recommend clearing the pagefile every so often so do that.

    After the first reboot after you run XPAntiSpy go back to XpAntiSpy and uncheck the clear Pagefile at shutdown, as we only want to clear it once.

    Finally use the event logs to narrow down the culprit by clearing the logs and rebooting. Then immediately recheck the logs. This will show you only things that occurred during boot. Note or handle these items if necessary then clear the logs again. Now begin to check the logs several times a day. Especially after specific things have occurred. Finally you may be able to catch what is activating this event. Then we may be able to fix it if necessary!

    Let us know!

    Mike
     
    Last edited: 2003/04/24
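
An added example (not part of the thread): Python that does the log review Mike describes on a text export of the Security log. It tallies event 538 logoffs by account and logon type, buckets the ANONYMOUS LOGON ones by hour for comparison with Scheduled Tasks, and lists logoffs whose Logon ID has no logon event in the log. The `timestamp EventID=NNN` header line, the sample records, the machine name HOMEPC and the use of events 528/540 as the logon counterparts are assumptions.

```python
import re
from collections import Counter

# Constructed sample. The "timestamp EventID=NNN" header is an assumed export
# layout; the field lines follow the entry quoted in the first post.
TEMPLATE = ("{} EventID={}\n{}:\nUser Name: {}\nDomain: {}\n"
            "Logon ID: (0x0,{})\nLogon Type: {}\n")
ROWS = [
    ("2003-04-23 13:00:05", 538, "User Logoff", "ANONYMOUS LOGON", "NT AUTHORITY", "0x92708", 3),
    ("2003-04-23 14:00:04", 538, "User Logoff", "ANONYMOUS LOGON", "NT AUTHORITY", "0x93A11", 3),
    ("2003-04-23 14:49:30", 528, "Successful Logon", "Ludwig", "HOMEPC", "0x94B20", 2),
    ("2003-04-23 14:50:02", 538, "User Logoff", "Ludwig", "HOMEPC", "0x94B20", 2),
]
SAMPLE = "\n".join(TEMPLATE.format(*r) for r in ROWS)
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} EventID=(\d+)$")

def parse_events(text):
    """Split the export into dicts: date, hour, event_id plus 'Key: Value' fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER.match(lines[0].strip())
        if not m:
            continue  # not an event record
        ev = {"date": m.group(1), "hour": int(m.group(2)), "event_id": int(m.group(3))}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and value.strip():  # title lines such as "User Logoff:" have no value
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def summarize(events):
    """Return (logoffs per account/type, anonymous logoffs per hour, unmatched Logon IDs)."""
    # 528/540 are taken as the logon events that a 538 logoff should pair with (assumption).
    logons = {e.get("Logon ID") for e in events if e["event_id"] in (528, 540)}
    logoffs = [e for e in events if e["event_id"] == 538]
    by_account = Counter((e.get("User Name"), e.get("Logon Type")) for e in logoffs)
    by_hour = Counter(e["hour"] for e in logoffs if e.get("User Name") == "ANONYMOUS LOGON")
    unmatched = [e.get("Logon ID") for e in logoffs if e.get("Logon ID") not in logons]
    return by_account, by_hour, unmatched

if __name__ == "__main__":
    accounts, hours, unmatched = summarize(parse_events(SAMPLE))
    print("logoffs by (user, type):", dict(accounts))
    print("anonymous logoffs by hour:", dict(hours))
    print("logoffs without a logged logon:", unmatched)
```
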
  9. 2003/04/24
    Newt

    Newt Inactive

    NT AUTHORITY/ANONYMOUS LOGON is usually the OS doing some work on itself using the "system" account.

    Your original guess about scheduled tasks is certainly a possibility. As in any running service/process that is started by "system". Some processes monitor activity will generate one of those after their default "no activity" time period even though the process keeps running fine.

    I can't explain the fact that they are type 3 (network logon) but I have one file server that shows lots of those and lots of 576 priv. use entries for old annon. And I know it isn't being attacked.

    I have over a dozen running IIS and don't see that particular entry at all.

    Wish I could give you more specifics but this whole thing is just too techie for me to try to learn about unless it is a problem - which it doesn't seem to be.
     
    Newt,
    #8
  10. 2003/04/27
    Ludwig

    Ludwig Well-Known Member Thread Starter

    Thanks for the ideas

    As you comment Newt, I don't seem to be under attack. I'm not going to bother pursuing it further.

    Thanks for all the comments.
     