RE: successful anonymous login

["Brewis, Mark" <mark.brewis () eds com>]

Jose,

What did you use to check your patch status with?  You say 'update check' by which I assume you mean Windows Update.  
This isn't infallible - have a look at www.shavlik.com for HFNetCHKPro4, which is the best Windows patch management 
utility available, if you haven't already done so.

It might also be worth cross posting this to the forensics list - forensics () securityfocus com - as a summary for a 
different viewpoint.

Mark

Mark Brewis

Security Consultant
EDS
UK Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel:    +44 (0)1908 28 4013
Mbl:  +44 (0)7989 291 648
Fax:    +44 (0)1908 28 4393
E@:     mark.brewis () eds com

This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or 
opinions presented are solely those of the author.  If you are not the intended recipient, be advised that you have 
received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly 
prohibited.

Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own 
virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software 
viruses.
  


> > -----Original Message-----
> > From: Jose Rivera [mailto:jose () papugai com]
> > Sent: 28 July 2004 01:57
> > To: 'Adam Tuliper'; webappsec () securityfocus com
> > Subject: RE: successful anonymous login
> >
> >
> > Yes, as far as I know all patches are in.
> >
> > Even an update check says no updates are needed. 
> >
> > Is it a given that latest service packs does not contain all NEEDED
> > patches?
> >
> > If so, does anyone have a list of what patches are needed outside of
> > released service packs?
> >
> >
> > -----Original Message-----
> > From: Adam Tuliper [mailto:amt () gecko-software com] 
> > Sent: Tuesday, July 27, 2004 12:18 PM
> > To: Jose Rivera; 'Adam Tuliper'; webappsec () securityfocus com
> > Subject: Re: successful anonymous login
> >
> > considering this was via dcom...was this machine completely
> > patched and up to date before this event was logged?
> >
> >
> > On Tue, 27 Jul 2004 12:12:53 -0700
> > "Jose Rivera" <jose () papugai com> wrote:
> > > Good question. It's not like a name of a machine on my
> > > network. From
> > > research, I think it stands for host on demand. Why this
> > > comes up in
> > > this error tho, Im not sure. The ip is definitely from
> > > outside.
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Adam Tuliper [mailto:amt () gecko-software com] 
> > > Sent: Tuesday, July 27, 2004 12:02 PM
> > > To: Jose Rivera; webappsec () securityfocus com
> > > Subject: Re: successful anonymous login
> > >
> > > NtLmSsp usually deals with DCOM logins.
> > > What workstation is HOD?
> > >
> > > On Tue, 27 Jul 2004 10:59:11 -0700
> > >  "Jose Rivera" <jose () papugai com> wrote:
> > > > We recently migrated our web server into windows 2003.
> > > >
> > > > Not sure where this is coming from...but successful
> > > login
> > > > from an
> > > > anonymous user doesn't sound good?
> > > >
> > > > Please help or point in the right direction.
> > > >
> > > > Thanks
> > > > Jose
> > > >
> > > >
> > > > Event Type:       Success Audit
> > > > Event Source:     Security
> > > > Event Category:   Logon/Logoff 
> > > > Event ID: 540
> > > > Date:             7/27/2004
> > > > Time:             10:44:20 AM
> > > > User:             NT AUTHORITY\ANONYMOUS LOGON
> > > > Computer: xxxxxx
> > > > Description:
> > > > Successful Network Logon:
> > > >   User Name:      
> > > >   Domain:         
> > > >   Logon ID:               (0x0,0x9BA1BD3)
> > > >   Logon Type:     3
> > > >   Logon Process:  NtLmSsp 
> > > >   Authentication Package: NTLM
> > > >   Workstation Name:       HOD
> > > >   Logon GUID:     -
> > > >   Caller User Name:       -
> > > >   Caller Domain:  -
> > > >   Caller Logon ID:        -
> > > >   Caller Process ID: -
> > > >   Transited Services: -
> > > >   Source Network Address: 81.60.187.145
> > > >   Source Port:    0
> > > >
> > > >
> > > > For more information, see Help and Support Center at
> > > > http://go.microsoft.com/fwlink/events.asp.
> > ---------------------------------------------------------------------
> > > Web mail provided by NuNet, Inc. The Premier National
> > > provider.
> > > http://www.nni.com/
> >
> > ---------------------------------------------------------------------
> > Web mail provided by NuNet, Inc. The Premier National provider.
> > http://www.nni.com/