captaincranky
Just a quick question. Over the past couple of weeks I've been getting this message:
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2015-08-30T07:21:27.615899800Z
EventRecordID 75041
Correlation
- Execution
[ ProcessID] 568
[ ThreadID] 716
Channel Security
Computer xxxxxxxx-PC
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName NT AUTHORITY
TargetLogonId 0x3c66b89
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName YOUR-25EFDBD77B
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress 192.168.1.65
IpPort 1920
So, I'm getting an "anonymous" logon Type 3 (internet), and obviously the IP address corresponds to my router. Since the process name, "NtLmSsp", attaches to a "brute force attack" (or does it?), am I correct in assuming this turd has been hacked?
This has apparently been going on for quite some time. The odd part is, a logoff event is created simultaneously. (At least simultaneous with respect to the lowest measurement on the log, which is seconds).