Supra_Chick Posted October 4, 2008

Hey all

In my security event I've got:

Category: logon/logoff
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Logon type: 3
Logon process: NtLmSsp

Help and Support....

Details
Product: Windows Operating System
ID: 540
Source: Security
Version: 5.2
Symbolic Name: SE_AUDITID_NETWORK_LOGON
Message: Successful Network Logon:
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7
Logon GUID: %8
Caller User Name: %9
Caller Domain: %10
Caller Logon ID: %11
Caller Process ID: %12
Transited Services: %13
Source Network Address: %14
Source Port: %15

Explanation
A logon session was created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

This message includes the user name and the domain information of the user account that was logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier). For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon event on an authenticating computer, such as a domain controller.

This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type value:

Logon type - Logon title - Description
2 - Interactive - A user logged on to this computer at the console.
3 - Network - A user or computer logged on to this computer from the network.
4 - Batch - Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
5 - Service - A service was started by the Service Control Manager.
7 - Unlock - This workstation was unlocked.
8 - NetworkCleartext - A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 - NewCredentials - A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 - RemoteInteractive - A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 - CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

So logon type 3 means a user or computer logged on to this computer from the network... Is this something to worry about????????

Jen

Supra_Chick Posted October 4, 2008
I've also found in my services a service name called: ianmanserver. A quick Google of it does not sound good...... :-(

MrRalphMan Posted October 4, 2008
Is it Lan or Ian manserver? Two different things. If you double click on the service, it should tell you what the .exe file is. This does sound like it sucks... http://www.avira.com/de/threats/section/fulldetails/id_vir/169/w32_nimda_w32_nimda.eml_.html

Supra_Chick Posted October 4, 2008
No I haven't yet - I want to be 100% before I do anything.... :-(

Supra_Chick Posted October 4, 2008
It's ianmanserver, all one word

MrRalphMan Posted October 4, 2008
Yeah, I've edited my answer... didn't want you to do anything that I might get blamed for... Do you have any Antivirus running?

MrRalphMan Posted October 4, 2008
With an I (eye)? Do you also have an L (ell) one?

Supra_Chick Posted October 4, 2008
Quote: "With an I (eye)? Do you also have an L (ell) one?"
I ianmanserver

Supra_Chick Posted October 4, 2008
Yes, I've got Panda

MrRalphMan Posted October 4, 2008
Sorry for all the questions, I assume Panda is up to date? Run a full scan on the C Drive and see if it picks anything up..

Supra_Chick Posted October 4, 2008
Yep, done that - nothing shows up.....

MrRalphMan Posted October 4, 2008
hmmmmm... Not sure where to go with this. Few things to check if this is the Nimda Virus, but I wouldn't have thought so as it's over 7 years old that one. Can you check the following.

1) - Check if the Guest account is still disabled?
     Right click on 'My Computer' on desktop
     Choose manage
     Choose Local Users and Groups >> Users
2) - See if any of the mentioned .EML or .NWS files exist across your hard drive.
3) - The ianmanserver, can you double click on it and let us know the 'path to executable'
4) - What OS are you running and SP version?
5) - Are you getting lots of these?
6) - Are you running a web server on this machine?

There are some more, but relate to the above.

Supra_Chick Posted October 4, 2008
First things first

Quote: "Right click on 'My Computer' on desktop
Choose manage
Choose Local Users and Groups >> Users"

Local users and groups is not there??

MrRalphMan Posted October 4, 2008
What OS are you running? What are the options available to you?

Supra_Chick Posted October 4, 2008
Windows XP SP3

carl0s Posted October 4, 2008
I don't think anything is wrong. I think you have enabled auditing for account logon events. This would normally not be enabled on a workstation. Control panel -> admin tools -> local security policy -> audit policy.

These are anonymous logons, probably computers in your house looking for or accessing network shares. Try unticking file/printer sharing on your network connection's properties if you don't actually need/want to share any printers or folders within the house.

I have a feeling the ianmanserver is actually Lanmanserver. I think the references to ianmanserver you are seeing on Google are all typos.

Maybe SP3 enables auditing by default.. I haven't noticed but I do have SP3 on my laptop so might have a look.

You do have a router, right? Not just an ADSL modem? Else it could be coming from t'interweb.
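
An added example, not written by any poster in this thread: a Python sketch of the triage described in the post above, reading the Event ID 540 fields named in the template from the first post and separating anonymous type 3 logons that come from home-network addresses from ones that come from elsewhere. The sample events, the function names and the list of address ranges are constructed for illustration.

```python
import ipaddress

# Address ranges treated as "inside the house" (assumption: a typical NAT'd home LAN).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "169.254.0.0/16", "127.0.0.0/8")]                 # link-local, loopback

# Constructed sample events; field names follow the Event ID 540 template.
SAMPLE_EVENTS = [
    "User Name: ANONYMOUS LOGON\nDomain: NT AUTHORITY\nLogon Type: 3\n"
    "Logon Process: NtLmSsp\nSource Network Address: 192.168.1.23",
    "User Name: ANONYMOUS LOGON\nDomain: NT AUTHORITY\nLogon Type: 3\n"
    "Logon Process: NtLmSsp\nSource Network Address: 203.0.113.5",
    "User Name: ANONYMOUS LOGON\nDomain: NT AUTHORITY\nLogon Type: 3\n"
    "Logon Process: NtLmSsp\nSource Network Address: -",
    "User Name: alice\nDomain: HOMEPC\nLogon Type: 2\nLogon Process: User32",
]

def parse_event(text):
    """Split the 'Field: value' lines of an event message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Classify one parsed event by who logged on and where from."""
    if (fields.get("User Name") != "ANONYMOUS LOGON"
            or fields.get("Logon Type") != "3"):
        return "not-anonymous-network-logon"
    try:
        source = ipaddress.ip_address(fields.get("Source Network Address", ""))
    except ValueError:
        return "anonymous-source-unknown"   # field empty or "-" in the event
    if any(source in net for net in LOCAL_NETS):
        return "anonymous-from-local-network"
    return "anonymous-from-outside"         # check router/firewall exposure

def triage_all(events):
    """Parse and classify a list of event message texts."""
    return [triage(parse_event(e)) for e in events]

if __name__ == "__main__":
    for verdict in triage_all(SAMPLE_EVENTS):
        print(verdict)
```
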

MrRalphMan Posted October 4, 2008
Should be there... Try Start Button >> Control Panel >> User Accounts

carl0s Posted October 4, 2008
I just checked, my XP SP3 laptop also doesn't have auditing enabled for logon events. If you're on Home edition you might not have Local Security Policy. That would also be why you can't find Local Users and Groups. Home edition doesn't have it.