On 3 machines in our company (3 out of roughly 1000 machines), random "ANONYMOUS LOGON" sessions occur from time to time.
I have Windows 7 Enterprise 64-bit with all updates installed. I am a software developer and run as administrator.
Every computer in our company (including mine) has McAfee antivirus installed.
I would like to know what causes these anonymous logons (a virus or something else)? If it is a virus, why didn't McAfee detect it? How can I identify it?
===================================================================
Additional information:
Update: a friend found a useful link, but it does not answer the why: StackExchange - ServerFault: Unexpected anonymous logons in the Windows security log
I installed NetShareMonitor 1.0 from NagMatrix. Here is the session log:
***************************************************************
Nov 14 13:23:07 2014 : Session logging started
Nov 14 13:23:39 2014 : Session logging is stopped
***************************************************************
Nov 14 13:23:42 2014 : Session logging started
Nov 14 15:53:05 2014 : Session logging is stopped
***************************************************************
Nov 14 15:54:48 2014 : Session logging started
***************************************************************
Nov 17 09:52:42 2014 : Session logging started
Nov 17 10:03:12 2014 : Session logging is stopped
***************************************************************
Nov 17 10:03:38 2014 : Session logging started
**************************************************************
Nov 17 11:47:10 2014 : Session logging started
***************************************************************
Nov 17 12:08:44 2014 : Session logging started
Nov 17 12:08:47 2014 : Session logging is stopped
***************************************************************
Nov 17 12:56:52 2014 : Session logging started
Nov 17 17:02:08 2014 : User ANONYMOUS LOGON is connected from host PW141850
Nov 17 17:02:32 2014 : User ANONYMOUS LOGON is disconnected from host PW141850
Nov 17 17:04:53 2014 : Session logging is stopped
***************************************************************
Nov 17 17:34:11 2014 : Session logging started
Nov 18 09:28:52 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:03 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:29:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:27 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:44:35 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:44:51 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:45:07 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:45:21 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:58:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:58:39 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 13:13:57 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 13:14:11 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 18 15:00:14 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 15:00:28 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 07:18:20 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 07:18:30 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 08:35:29 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 08:35:42 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Here is an example from Event Viewer (every anonymous logon looks the same, except that the port at the end varies from ~50000 to ~65000):
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2014-11-18T20:00:14.982414900Z
EventRecordID 784005
Correlation
- Execution
[ ProcessID] 760
[ ThreadID] 884
Channel Security
Computer PD130812.ireq.ca
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName AUTORITE NT
TargetLogonId 0x3caeef0
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName PWS00126
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress **IP of offending machine**
IpPort 59017
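As an added example (not part of the question or the answer), a Python script that parses both artefacts shown above: the NetShareMonitor session log, to count anonymous connections per source host, and the EventData fields of a 4624 record, to flag the combination seen here (TargetUserSid S-1-5-7, LogonType 3, LmPackageName NTLM V1). The sample lines and the IP address in it are constructed.

```python
import re
# Constructed sample in the NetShareMonitor session-log format shown in the question.
SESSION_LOG = """\
Nov 17 17:02:08 2014 : User ANONYMOUS LOGON is connected from host PW141850
Nov 17 17:02:32 2014 : User ANONYMOUS LOGON is disconnected from host PW141850
Nov 18 09:28:52 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 13:13:57 2014 : User jsmith is connected from host PWS00126
"""
SESSION_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} : User (?P<user>.+?) is "
    r"(?P<state>connected|disconnected) from host (?P<host>\S+)$")

def anonymous_sessions_by_host(log_text):
    """Count ANONYMOUS LOGON 'connected' events per remote host name."""
    counts = {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m and m["user"] == "ANONYMOUS LOGON" and m["state"] == "connected":
            counts[m["host"]] = counts.get(m["host"], 0) + 1
    return counts

# Constructed EventData of a 4624 record as the Event Viewer details pane shows it
# ("Name value" per line); the IP address is made up.
EVENT_DATA = """\
TargetUserSid S-1-5-7
LogonType 3
WorkstationName PWS00126
LmPackageName NTLM V1
IpAddress 10.0.0.5
"""
ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID of NT AUTHORITY\ANONYMOUS LOGON

def parse_event_data(text):
    """Split 'Name value' lines into a dict; values may contain spaces ('NTLM V1')."""
    fields = {}
    for line in text.splitlines():
        name, _, value = line.partition(" ")
        fields[name] = value
    return fields

def classify_4624(fields):
    """Return why a 4624 record merits review, or None for an ordinary logon."""
    if fields.get("TargetUserSid") != ANONYMOUS_LOGON_SID:
        return None
    reasons = ["anonymous (null-session) logon"]
    if fields.get("LogonType") == "3":  # type 3 = network logon, e.g. SMB from a neighbour
        reasons.append("network logon from " + fields.get("WorkstationName", "?"))
    if fields.get("LmPackageName") == "NTLM V1":  # deprecated, weak NTLM version
        reasons.append("negotiated NTLMv1")
    return "; ".join(reasons)
```

Run over a real Security log export, the per-host counts tell you whether the sources are scattered across the subnet (as the answer below observes) or concentrated on one machine, which is the first thing to check before deciding whether this is discovery traffic or something to investigate.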
Answer 1
I still haven't found the exact reason why my computer is accessed by "ANONYMOUS LOGON". But I see random logons from many computers on the same VLAN (same subnet). It really does not sound dangerous, and it is part of how the OS discovers the shared resources of its neighbours.
We can also prevent it by enabling certain policies or by activating the firewall. When I activated the firewall (for 3 days), I did not get any "ANONYMOUS LOGON".
You can look at the related link for more information.
Hope this helps...