ANONYMOUS LOGON Vista Premium, should I be worried?


Posted

I get up to 50 logins a day from all different IPs. Particularly one IP keeps reoccurring in the list and that computer is (according to the IP, we got our own network here) a neighbour to me. However, the neighbour IP is still only accounting for roughly 25% of all 'successful' logins to the anonymous account.

Sometimes the IP is shown as logged in for just a minute before logged out and other times it's logged in for up to 30 minutes before the logout event appears.

I bought Vista in June 2008 and going through my security log shows that this all started from 5th of October 2008.

The following is Event ID 4624 and in Swedish.

-------------------------------------------
En inloggning har skett på ett konto.

Subjekt:
    Säkerhets-ID: NULL SID
    Kontonamn: -
    Kontodomän: -
    Inloggnings-ID: 0x0

Inloggningstyp: 3

Ny inloggning:
    Säkerhets-ID: ANONYM INLOGGNING
    Kontonamn: ANONYM INLOGGNING
    Kontodomän: NT INSTANS
    Inloggnings-ID: 0x565d250
    Inloggnings-GUID: {00000000-0000-0000-0000-000000000000}

Processinformation:
    Process-ID: 0x0
    Processnamn: -

Nätverksinformation:
    Arbetsstationens namn: DITT-7HUK3O9FM5
    Källnätverksadress: XXX.XXX.XXX.XXX
....
-------------------------------------------------------

 

 

/Rob
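
The tally described in the post above (which source addresses log on anonymously and how long each session lasts), as an added example that is not part of the original thread. It pairs Event ID 4624 with the logoff event 4634 through `TargetLogonId`; the function names, the record shape (`Id`, `Time`, `Xml`) and the sample records are assumptions made for illustration.

```powershell
# Added example: anonymous network logons (4624, type 3) paired with their
# logoff (4634) via TargetLogonId, giving source address and session length.
$AnonSid = 'S-1-5-7'   # well-known SID of ANONYMOUS LOGON, identical in every UI language

function Get-Field([xml]$Doc, [string]$Name) {
    # EventData is a list of <Data Name="...">value</Data> elements
    ($Doc.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AnonymousSession {
    param([object[]]$Records)   # each record: Id, Time ([datetime]), Xml (event XML)
    $open = @{}
    foreach ($r in ($Records | Sort-Object Time)) {
        $doc = [xml]$r.Xml
        if ((Get-Field $doc 'TargetUserSid') -ne $AnonSid) { continue }
        $logonId = Get-Field $doc 'TargetLogonId'
        if ($r.Id -eq 4624 -and (Get-Field $doc 'LogonType') -eq '3') {
            $open[$logonId] = [pscustomobject]@{
                Source      = Get-Field $doc 'IpAddress'
                Workstation = Get-Field $doc 'WorkstationName'
                Start       = $r.Time
                Minutes     = $null          # stays empty when no logoff is found
            }
        } elseif ($r.Id -eq 4634 -and $open.ContainsKey($logonId)) {
            $s = $open[$logonId]; $open.Remove($logonId)
            $s.Minutes = [math]::Round(($r.Time - $s.Start).TotalMinutes, 1)
            $s                                # emit the closed session
        }
    }
    $open.Values                              # logons still open at the end
}

# Constructed sample records (documentation addresses, made-up times and logon IDs)
function New-SampleRecord($Id, $Time, $LogonId, $Ip) {
    $d = "<Data Name='TargetUserSid'>S-1-5-7</Data><Data Name='LogonType'>3</Data>" +
         "<Data Name='TargetLogonId'>$LogonId</Data><Data Name='IpAddress'>$Ip</Data>" +
         "<Data Name='WorkstationName'>EXAMPLE-PC</Data>"
    [pscustomobject]@{ Id = $Id; Time = [datetime]$Time; Xml = "<Event><EventData>$d</EventData></Event>" }
}
$sample = @(
    New-SampleRecord 4624 '2008-10-05 18:02' '0x1a0' '192.0.2.10'
    New-SampleRecord 4634 '2008-10-05 18:03' '0x1a0' '192.0.2.10'
    New-SampleRecord 4624 '2008-10-05 19:00' '0x1b0' '192.0.2.10'
    New-SampleRecord 4634 '2008-10-05 19:30' '0x1b0' '192.0.2.10'
    New-SampleRecord 4624 '2008-10-05 20:15' '0x1c0' '192.0.2.77'   # no logoff recorded
)
Get-AnonymousSession $sample | Sort-Object Start | Format-Table Source, Start, Minutes
# Live log, from an elevated prompt:
# Get-AnonymousSession (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} |
#     ForEach-Object { [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Xml = $_.ToXml() } })
```

Piping the result to `Group-Object Source` gives the per-address share of logons.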

Posted

"Robban" wrote:

> I get up to 50 logins a day from all different IPs. Particularly one IP keeps reoccurring in the list and that computer is (according to the IP, we got our own network here) a neighbour to me. However, the neighbour IP is still only accounting for roughly 25% of all 'successful' logins to the anonymous account.
>
> Sometimes the IP is shown as logged in for just a minute before logged out and other times it's logged in for up to 30 minutes before the logout event appears.

 

It seems that your machine has been compromised and is acting as a host to some kind of remote control of the machine.

You should flatten the HD if you determine that it has been compromised.

 

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>

Posted

Just checking if this could happen without the computer being compromised. Since I couldn't find any info on Google or even here I decided to go with your advice and flatten the HD and now all is back to pre-5th October. No more Anon logins as far as my log shows.

Cheers,
Rob

 

 

 

"Ollis" wrote:

> "Robban" wrote:
>
> > I get up to 50 logins a day from all different IPs. Particularly one IP keeps reoccurring in the list and that computer is (according to the IP, we got our own network here) a neighbour to me. However, the neighbour IP is still only accounting for roughly 25% of all 'successful' logins to the anonymous account.
> >
> > Sometimes the IP is shown as logged in for just a minute before logged out and other times it's logged in for up to 30 minutes before the logout event appears.
>
> It seems that your machine has been compromised and is acting as a host to some kind of remote control of the machine.
>
> You should flatten the HD if you determine that it has been compromised.
>
> <http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>
