Brute force attacks and anonymous logon

  • Wednesday, January 16, 2013 9:40 AM
     

    Hello

    I have noticed that before the brute force attacks there is always a successful anonymous logon event from the same IP as the brute force attack. For example, the successful anonymous logon:

    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    New Logon:
    	Security ID:		ANONYMOUS LOGON
    	Account Name:		ANONYMOUS LOGON
    	Account Domain:		NT AUTHORITY
    	Logon ID:		0x2c9dfa67
    	Logon GUID:		{00000000-0000-0000-0000-000000000000}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	SUMMIT01
    	Source Network Address:	66.147.235.240
    	Source Port:		16935
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	NTLM V1
    

    and after it the brute force attack:

    An account failed to log on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		Administrator
    	Account Domain:		FXNB
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xc000006d
    	Sub Status:		0xc000006a
    
    Process Information:
    	Caller Process ID:	0x0
    	Caller Process Name:	-
    
    Network Information:
    	Workstation Name:	FXNB
    	Source Network Address:	66.147.235.240
    	Source Port:		16964
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0

    My questions are:

    • What is this anonymous logon?
    • What information does the attacker obtain from it?
    • Can this anonymous login be blocked or disabled?

    Thanks
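
The pattern described in the question above, a successful ANONYMOUS LOGON followed by failed logons from the same source address, can be flagged automatically. This is an added example, not part of the original thread: it assumes the events were exported as (timestamp, message text) pairs, and the function names, the 10-minute window and the 3-failure threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OK = "An account was successfully logged on."
FAIL = "An account failed to log on."

def sample_message(first_line, account, ip):
    # Constructed message in the layout of the events quoted above (trimmed).
    return (f"{first_line}\n\nSubject:\n\tAccount Name:\t\t-\n\nLogon Type:\t\t\t3\n\n"
            f"\tAccount Name:\t\t{account}\n\tSource Network Address:\t{ip}\n")

# Constructed sample: (TimeCreated, Message) pairs; documentation-range addresses.
SAMPLE = [
    ("2024-01-01 09:00:00", sample_message(OK, "ANONYMOUS LOGON", "203.0.113.10")),
    ("2024-01-01 09:00:02", sample_message(FAIL, "Administrator", "203.0.113.10")),
    ("2024-01-01 09:00:03", sample_message(FAIL, "Administrator", "203.0.113.10")),
    ("2024-01-01 09:00:04", sample_message(FAIL, "admin", "203.0.113.10")),
    ("2024-01-01 09:05:00", sample_message(OK, "ANONYMOUS LOGON", "198.51.100.7")),
    ("2024-01-01 09:06:00", sample_message(FAIL, "Administrator", "192.0.2.44")),  # no anonymous logon first
    ("2024-01-01 10:30:00", sample_message(FAIL, "guest", "198.51.100.7")),        # outside the window
]

def parse(message):
    """Extract outcome, target account, logon type and source address."""
    def field(name):
        return re.findall(rf"^[ \t]*{re.escape(name)}:[ \t]*(\S.*?)[ \t]*$", message, re.M)
    return {"ok": message.lstrip().startswith(OK),
            "account": field("Account Name")[-1],  # last one is the target, not Subject
            "type": field("Logon Type")[0],
            "ip": field("Source Network Address")[0]}

def anonymous_then_failures(events, window=timedelta(minutes=10), min_failures=3):
    """Map source address -> accounts tried, for addresses whose anonymous network
    logon is followed within `window` by at least `min_failures` failed logons."""
    anon_at, tried = {}, defaultdict(list)
    for stamp, message in sorted(events):  # ISO timestamps sort chronologically
        when, ev = datetime.fromisoformat(stamp), parse(message)
        if ev["type"] != "3":  # network logons only, as in the quoted events
            continue
        if ev["ok"] and ev["account"] == "ANONYMOUS LOGON":
            anon_at[ev["ip"]] = when
        elif not ev["ok"] and when - anon_at.get(ev["ip"], datetime.min) <= window:
            tried[ev["ip"]].append(ev["account"])
    return {ip: accts for ip, accts in tried.items() if len(accts) >= min_failures}

if __name__ == "__main__":
    for ip, accounts in anonymous_then_failures(SAMPLE).items():
        print(ip, "anonymous logon then failures for:", sorted(set(accounts)))
```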

All Replies

  • Thursday, January 17, 2013 2:46 AM
    Moderator
     
     Answered
    Hi,

    Thanks for posting in Microsoft TechNet forums.

    Please check this to see if it is useful:

    Restricting Anonymous Access

    http://technet.microsoft.com/en-us/library/cc785670(v=ws.10).aspx

    Regards

    Kevin
  • Friday, January 18, 2013 9:00 AM
     
     

    Thanks for the reply. I had already read the article and enabled the "Do not allow anonymous enumeration of SAM accounts and shares" policy, but the "ANONYMOUS LOGON" events are still there. The server is a VM for a web application; it isn't in a network, it doesn't require LDAP or NTLM, and we use RD to connect to it.

    Here are the settings of the local security policy; can I change something to block them?


    • Edited by Casual Trash Friday, January 18, 2013 9:01 AM