Security Log

Posted on 2004-10-11
Last Modified: 2013-12-04
I noticed in the security logs that I will sometimes see an error code 681 with (Logon to account: anonymous).
What does the anonymous mean in this case, and why does it show up instead of a user account name?

Thanks
0
Comment
Question by:vivo123
15 Comments
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280680
Is this an IIS server or FTP?
This is why you are getting them: the Anonymous user logs into FTP etc.
They are being audited, so that's why they are there.
0
 

Author Comment

by:vivo123
ID: 12280823
No on either. These are showing up on individual workstations. But I cannot figure out why the anonymous user ID.

Event ID 681
The logon to account: anonymous
by: Microsoft_Authentication_Package_V1_0
from workstation: test1
failed
The error code was 3221225572
0
 
LVL 1

Expert Comment

by:Alexdelen
ID: 12285361
http://support.microsoft.com/kb/q305822/

there you go

Greets

Alex
0
 

Author Comment

by:vivo123
ID: 12286515
I still don't see an explanation for the anonymous logon. These are workstations that are user assigned; nobody else logs in. They are running XP Pro SP1, completely patched.

0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12286663
Are you sure they are not running the FTP service??
0
 
LVL 1

Expert Comment

by:Alexdelen
ID: 12287125
yeah the only thing I see is that you have an FTP running too.

Check your services for any ftp like service.
0
 

Author Comment

by:vivo123
ID: 12290090
Thanks I will take a look
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 500 total points
ID: 12294594
I would guess that this is someone trying to access a file share on the target machine that they don't have access to.  They will be prompted for credentials - in this case it looks like they are typing in 'anonymous' in hopes of gaining access.

The specific error code you see resolves to the following: 3221225572 - User logon with misspelled or bad user account

If test1 is a machine on your domain you may want to speak to the assigned user to see what they are up to. If the machine is *not* on your domain you either have a rogue/non-domain machine attached to your network or you may have NetBIOS ports open somewhere that someone is poking through on a fishing expedition.

This is different than 'NT AUTHORITY/ANONYMOUS' which is a machine trying to make a connection to another machine with *no* credentials.  It also almost certainly has nothing to do with IIS since the 'Anonymous' account is actually IUSR_<machinename> by default.

Dave Dietz

0
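An added example, not part of the original thread or any poster's code: a Python sketch that parses event 681 descriptions, converts the decimal error code to its NTSTATUS hex form (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER), and applies the check suggested in the accepted answer of whether the source workstation is a known domain machine. The second and third sample records, the names LAPTOP7, jsmith, test2 and test3, and the inventory list are constructed assumptions.

```python
import re
from collections import Counter

# NTSTATUS values seen in failed-logon events; event 681 prints them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",      # misspelled or nonexistent account
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches both the line-per-field layout quoted in the thread and a one-line layout.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<ws>\S+)\s+failed\.?\s+"
    r"The error code was:?\s*(?P<code>\d+)", re.IGNORECASE)

def parse_681(text):
    """Return one dict per event 681 description found in text."""
    events = []
    for m in EVENT_681.finditer(text):
        code = int(m.group("code"))
        events.append({
            "account": m.group("account"),
            "workstation": m.group("ws").lstrip("\\").upper(),
            "hex": f"0x{code:08X}",
            "status": NTSTATUS.get(code, "unknown"),
        })
    return events

def triage(events, domain_machines):
    """Count no-such-user failures per source and flag sources missing from the inventory."""
    known = {name.upper() for name in domain_machines}
    hits = Counter(e["workstation"] for e in events if e["status"] == "STATUS_NO_SUCH_USER")
    return {ws: {"attempts": n, "known_machine": ws in known} for ws, n in hits.items()}

# Constructed sample: record 1 is the event quoted in the thread, records 2-3 are made up.
SAMPLE = """\
The logon to account: anonymous
by: Microsoft_Authentication_Package_V1_0
from workstation: test1
failed
The error code was 3221225572

The logon to account: anonymous by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: \\\\LAPTOP7 failed. The error code was: 3221225572
The logon to account: jsmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: test1 failed. The error code was: 3221225578
"""

if __name__ == "__main__":
    for ws, info in triage(parse_681(SAMPLE), ["test1", "test2", "test3"]).items():
        print(ws, info)
```

A source reported with `known_machine: False` corresponds to the non-domain machine case described in the answer above.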
 

Author Comment

by:vivo123
ID: 12298450
Thanks Dave for the explanation. I am going to check further. Is there any other type of auditing that could be set to help break this down further?
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12299891
Without specific knowledge of where the requests are coming from, short of a network trace I can't think of any additional logging that would really help.

It appears that the culprit is not able to access the machines so auditing file access would be pointless, and if you don't know what machine is launching the requests you're going to have a *lot* of data to dig through if you enable any kind of domain wide auditing of user activity.

Dave Dietz
0
 

Author Comment

by:vivo123
ID: 12300221
FrontPage is installed on the suspected machines. Do you think this could be a possibility? I am reaching..

Thanks again..

0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12300519
Not likely but not impossible.

How many 'suspected' machines are there?

If there are just a few it may be feasible to perform some network tracing to see what they are doing.....

Dave Dietz
0
 

Author Comment

by:vivo123
ID: 12301158
3 suspected machines...

Can you explain further on the network tracing?  
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12301683
You could set up a network sniffer and configure it to only listen for traffic to and from the suspected machines.

Once you see the suspect behavior on a target machine you can go through the netmon trace and see what exactly the machine has been doing on the network.

You could also set up File and Object Auditing and/or Logon/Logoff Auditing on the suspect machines to see who is on the boxes and what they are accessing while they are on it.  A slightly more radical approach would be to install a keylogger/screen capture type utility and see exactly what the machines are doing.

Dave Dietz
0
 

Author Comment

by:vivo123
ID: 12302232
Thanks for the info
0
