Anonymous Logon attempts from unknown IPs.
Home machine is Windows 7 Home Premium. After putting my modem in bridged mode, I started getting these anonymous logon events on my home machine. I have Avast antivirus, which has an inbuilt firewall too, plus the default Windows firewall is also always on. I searched the web, and it says not to be alarmed if the source IP is 127.0.0.1. There were two successful logon attempts; one was from Japan and another from New Zealand. (I did a reverse IP lookup on those IP addresses.) It also shows it was using 128-bit encryption to make the logon attempt. Both connections got logged off when I disconnected my net in the morning. I found these in Event Viewer when I was looking for the possible cause of why my scheduled net disconnection script was not working.

Event Id: 4624

Quote:
An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x51c55d
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name: HOD
    Source Network Address: 118.236.xxx.xxx
    Source Port: 3086

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V1
    Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.
Quote:
Logon Type: 3

New Logon:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x5241f8
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name: HOD
    Source Network Address: 212.115.xxx.xxx
    Source Port: 50222

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V1
    Key Length: 128

So is someone hacking into my comp? And to get into my comp through two firewalls is confusing. Are the software firewalls so bad as to allow these intrusions into my comp?
March 7th, 2010 11:30am
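
A triage helper for the event text quoted in the post above, as an added example that is not part of the original thread: it parses a 4624 description, classifies the source address, and tags anonymous Type 3 logons that come from outside the LAN. The function names, the tag strings and the sample event (a documentation address stands in for the masked source) are assumptions made for this example.

```python
import ipaddress
import re

# Loopback, RFC 1918, link-local and their IPv6 equivalents count as "local".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# \s+ spans spaces, tabs and newlines, so flattened and multi-line text both parse.
FIELDS = {
    "logon_type": r"Logon Type:\s*(\d+)",
    "account": r"New Logon:.*?Account Name:\s*(.+?)\s+Account Domain:",
    "source": r"Source Network Address:\s*(\S+)",
    "ntlm": r"Package Name \(NTLM only\):\s*(.+?)\s+Key Length:",
}

def parse_4624(text):
    """Extract the triage fields; a missing field becomes None."""
    hits = {k: re.search(p, text, re.S) for k, p in FIELDS.items()}
    return {k: m.group(1).strip() if m else None for k, m in hits.items()}

def classify_source(addr):
    """'local', 'external', or 'unknown' for '-', masked or absent values."""
    try:
        ip = ipaddress.ip_address(addr)
    except (ValueError, TypeError):
        return "unknown"
    return "local" if any(ip in net for net in LOCAL_NETS) else "external"

def triage(text):
    """Return (source class, tags) for one 4624 description."""
    ev = parse_4624(text)
    origin = classify_source(ev["source"])
    tags = []
    if ev["logon_type"] == "3" and ev["account"] == "ANONYMOUS LOGON":
        tags.append("anonymous-network-logon")
        if origin == "external":
            tags.append("source-outside-lan")
    if ev["ntlm"] == "NTLM V1":
        tags.append("ntlmv1")
    return origin, tags

# Constructed sample in the shape quoted in the post (203.0.113.7 is a stand-in).
SAMPLE = ("Logon Type: 3 New Logon: Security ID: ANONYMOUS LOGON Account Name: "
          "ANONYMOUS LOGON Account Domain: NT AUTHORITY Workstation Name: HOD "
          "Source Network Address: 203.0.113.7 Source Port: 3086 "
          "Package Name (NTLM only): NTLM V1 Key Length: 128")

print(triage(SAMPLE))
```

A masked or missing address is reported as "unknown" rather than guessed, so events exported with redacted sources still parse.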

Are you behind a router? Login attempts by themselves are not hacking attempts; there's no way for your firewall to know the difference. You should set your Windows 7 firewall to Public Network.

My idea of a party is a virtualization server and a room of TechNet DVDs
March 9th, 2010 3:18am

Hi Tabibitho,

I don't think that the anonymous logon should be a normal thing, because the only logons I see in my event logs are from my administrator account, and I'm not sure if I even have my standard account user records there... I used to have the anonymous logons as well a long time ago, when I didn't know much about security, but after I used Group Policies to block such access I had no problems anymore. If you need further help on how to configure the specific group policies and you have the Enterprise or Ultimate version, please let me know; then I'll look into my settings and post them here!

Kind regards,
Newbie
March 9th, 2010 5:34am

I'm using an ADSL modem in bridged mode. I have direct access to the internet on this machine and have already set the firewall to Public. I had also disabled file and folder sharing on the network adapter as well as in the WAN PPPoE dialer settings. Now I have disabled the bridged mode in the modem, and since my machine is behind the modem's NAT, I do not get these logons from unknown machines.

@DÐØŠ_€vader, I'm on the Home Premium version. No gpedit in it.
March 9th, 2010 11:41am

Hi tabibitho,

First, I would like to explain that the Event ID 4624 is just an error in the event log. Please understand that the Event Log records almost every detail of internal operations. It just means a certain internal operation failed once, but it does not mean that the operation was not completed in the end. It does not mean that the system is not secure or that someone is attacking the system. To protect the system, you only need to turn on the firewall and keep the virus definitions updated.

For more information about the Event ID, please refer to the following article: Audit Logon

Thanks,
Novak
March 11th, 2010 10:53am

Hi all,

Read your messages with some concern because I have had some problems with internet on this computer. The firewall is fully operational but there is an Anonymous Logon. Does anyone know if this is definitely a hacker or if it is normal? Never seen it before. Any help would be appreciated. We are particularly concerned because we are dealing with sensitive information on rare species, etc.

Thanks,
Sussex Ecology
August 8th, 2010 12:19am

Hi Sussex Ecology,

I see this is an old post and wondered if you have solved it? If not, I could recommend the following, because I had the same issue.

When I factory-defaulted my Windows 7 laptop, I found that there is a generic Anonymous Logon that needs to be deleted. Click the Start button and, in the search bar at the bottom, type Component Services. Click once on the result; you should then see one folder. Double-click this folder and you will see a computer icon. Right-click it and select Properties, then pick the COM Security tab. Click on Edit Limits for Access Permissions, select Anonymous Logon, then click Remove. Then click OK, then click Apply. (Check Edit Limits for Launch and Activation Permissions as well and follow the same steps to remove.)

Another tip is to never share files on the network in public, but before you do that I would check with the company that maintains your network.

Hope this helps.
December 23rd, 2010 6:08am
