
Event Viewer - Anonymous Logon



#1
dreamofthephoenix


    New Member

  • Member
  • Pip
  • 8 posts
This is probably a stupid question (and I have a lot more where this came from :tazz: ):
I was looking at entries under Security in Event Viewer and noticed several entries with 'Anonymous Logon' listed under User. Is this anything to be worried about or am I just being paranoid?
Don't know if this is important information or not but I'm the only one who uses this computer, guest account is turned off. I use the Firefox browser and am running Norton Anti-Virus, ZoneAlarm, Spyware Blaster, SpyBot, and AdAware (all of which I regularly update).
  • 0



#2
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
Depends... are you on a network?

Could you cut and paste an anonymous logon message? (Click the little copy button after double-clicking the event.)
  • 0

#3
dreamofthephoenix


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
No, I'm not on a network.

This is one of the messages:

Event
Date: 2/11/2006 Source: Security
Time: 8:16:25 AM Category: Logon/Logoff
Type: Success Event ID: 540
User: NT AUTHORITY/ANONYMOUS LOGON
Computer:

Description:
Sucessful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xD 252)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

Edited by dreamofthephoenix, 11 February 2006 - 11:23 AM.

  • 0

#4
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
Unless you have a reason for concern, I would not be. You said you are not on a network, but you are using broadband cable--which is essentially a network (in fact, you're right around the corner from me, well from an Internet perspective since it looks like you're in Oakland County, MI--what a small world).

Some network applications use the ANONYMOUS LOGON process to create a communication channel with your computer. Anonymous logon means that it is a null session. NT Auth/Anonymous is just a pseudonym for a Null Session. The NTAuth/Anonymous isn't really an account; it just means that no credentials were supplied. There are many conditions known to cause a null session connection which makes it difficult to tell the exact cause of these particular events.

Your log on was caused by the service NTLMSSP, which is NT Lan Manager Secure Service Provider.

Have you noticed specific times when this occurs? Perhaps when you start your computer? They do not occur all the time throughout the day, do they?

Who installed your system? You? or Comcast? Did you install their computer helpdesk software? That is one thing that will do it.....
  • 0
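A way to check the two points raised so far, as an added example (not posted by any participant in this thread): whether a copied event has the null-session shape, and whether such events fall close to the times the user logs on. The function names, the five-minute window and the 8:15 AM logon time are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# The event pasted in post #3, abridged (empty and unused lines dropped).
SAMPLE_EVENT = """Date: 2/11/2006 Source: Security
Time: 8:16:25 AM Category: Logon/Logoff
Type: Success Event ID: 540
User: NT AUTHORITY/ANONYMOUS LOGON
Description:
Sucessful Network Logon:
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Logon GUID: {00000000-0000-0000-0000-000000000000}
"""

# Longest labels first so "Logon Type" is not read as "Type", nor "User Name" as "User".
LABELS = re.compile(r"\b(Logon Type|Logon Process|Logon GUID|Authentication Package|"
                    r"Event ID|User Name|Category|Source|Domain|Date|Time|Type|User):")

def parse_event(text):
    """Split the copied text into fields; header lines carry two fields each."""
    fields = {}
    for line in text.splitlines():
        hits = list(LABELS.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    return fields

def is_null_session(f):
    """Network logon (type 3) as ANONYMOUS LOGON with no user name supplied."""
    return (f.get("Event ID") == "540" and f.get("Logon Type") == "3"
            and f.get("User", "").upper().endswith("ANONYMOUS LOGON")
            and f.get("User Name", "") == "")

def event_time(f):
    return datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")

def unexplained(null_times, logon_times, window=timedelta(minutes=5)):
    """Null-session times that are NOT within `window` of an interactive logon."""
    return [t for t in null_times
            if not any(abs(t - l) <= window for l in logon_times)]

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    # Constructed logon time (assumption): the user sat down at 8:15 AM.
    logons = [datetime(2006, 2, 11, 8, 15, 0)]
    if is_null_session(ev):
        print("null session at", event_time(ev),
              "unexplained:", unexplained([event_time(ev)], logons))
```

Events left over by `unexplained` are the ones worth a closer look, since they do not line up with anyone logging on at the keyboard.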

#5
dreamofthephoenix


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
:tazz: :) I'm totally freaked now.....from that little bit of information I posted you knew that I have cable internet and what part of the country I'm in. You have GOT to teach me how you did that!!!!!
Anyway, I checked the Event Viewer and the Anonymous Logon doesn't happen often. I checked the times they do occur and it appears they occur around the times I logon to the computer.
Comcast installed my internet service for me and as far as I know I don't have the Comcast Helpdesk software installed (but I never looked for it so who knows?).
  • 0

#6
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
I have you at a disadvantage because I can see your IP address (which is logged by the forum software).

Reading an IP address is fairly simple once you get in the habit. We share the same network (the first part of the IP address), so I know you're a Comcast customer. You're on a different subnet than I though, so you are not in the same town as I am. This network ID for Comcast is still a pretty big number and wouldn't matter much in terms of knowing where you are, but a simple tracert will reveal more info.

start > run
cmd
<enter>

for example

type
tracert 64.233.167.104
<enter>

This will reveal the path from your computer to www.google.com. When you request a webpage or attach to another computer, the information needs to travel across multiple routers. Some of this will be obvious...you will see things like Flint, Pontiac, Chicago...some of the information takes a little more work.

In your case, a trace from me to you was three or four hops, so you were close, plus it was all on the Comcast network, which uses obviously named routers so I could see you were in the same general area....even a pretty good guess of what city you live in, but Oakland County was enough info for a public board.

Some of the information is obvious
  • 0

#7
dreamofthephoenix


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ahhhhhhh, the IP address...I didn't think about that. Thanks for the info (and for not posting the city I'm in :tazz: )
  • 0





