WebApp Sec mailing list archives
RE: successful anonymous login
From: kquest () toplayer com
Date: Tue, 27 Jul 2004 16:38:31 -0400
HOD is a signature a group called "houseofdabus" uses in their exploits/PoC. A while ago they released a PoC for lsasrv.dll that had the same thing in the "Host/Workstation Name" field. That PoC was later used by Sasser worms, so they have the same value in that field too. Regardless of who it is, the fact that you have this event is definitely not good.

Microsoft reference for the LSASRV.DLL vulnerability: MS04-011

Kyle

-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Tuesday, July 27, 2004 3:02 PM
To: Jose Rivera; webappsec () securityfocus com
Subject: Re: successful anonymous login

NtLmSsp usually deals with DCOM logins. What workstation is HOD?

On Tue, 27 Jul 2004 10:59:11 -0700 "Jose Rivera" <jose () papugai com> wrote:
We recently migrated our web server to Windows 2003. Not sure where this is coming from...but successful login from an anonymous user doesn't sound good? Please help or point in the right direction.

Thanks
Jose

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/27/2004
Time: 10:44:20 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: xxxxxx
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x9BA1BD3)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 81.60.187.145
    Source Port: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
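A triage check for the kind of event discussed in this thread, as an added example that is not part of the original messages: it parses an Event ID 540 description laid out one field per line and reports the traits the replies point at (anonymous network logon, the HOD workstation name, a source address outside private ranges). The function names and the internal sample event are constructed for illustration.

```python
import ipaddress

# Subset of the fields from the event quoted in the thread.
THREAD_EVENT = r"""Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HOD
Source Network Address: 81.60.187.145
"""

# Constructed sample: anonymous logon from an internal host (hypothetical name).
INTERNAL_EVENT = r"""Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FILESRV01
Source Network Address: 10.0.4.17
"""

def parse_event(text):
    """Split 'Field: value' lines into a dict; empty values are kept."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return the reasons this logon event deserves attention (empty = none)."""
    reasons = []
    if fields.get("Event ID") != "540" or fields.get("Logon Type") != "3":
        return reasons  # not a successful network logon
    if fields.get("User", "").upper().endswith("ANONYMOUS LOGON"):
        reasons.append("anonymous network logon")
    if fields.get("Workstation Name", "").upper() == "HOD":
        reasons.append("workstation name HOD (marker described in the thread)")
    addr = fields.get("Source Network Address", "")
    try:
        if ipaddress.ip_address(addr).is_global:
            reasons.append("source address %s is outside private ranges" % addr)
    except ValueError:
        pass  # '-' or empty: local or unrecorded source
    return reasons
```

An anonymous logon on its own also occurs in ordinary null-session traffic, which is why the internal sample yields only one reason while the thread's event yields three.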