Posted October 18, 200717 yr A review of my security logs reports a number of users logging in to the network successfully from a valid network machine at 5:46 in the morning. We are a school with no remote access and the building is locked. Once the machine was identified I checked the logs on that machine and ran spybot but everything showed up clean. Question: Could a student have not logged off when they finished working on a machine and the repeated events have something to do with Kerberos checking and reissuing tickets? Observation: I ran a virus scan on one of the servers overnight and was logged in as a user with the machine locked. When I checked the logs on that machine this a.m. that same user was shown with ID540/538s during early morning hours. Machines that are not shut down appear in the logs have 540/538s happening at the same time. I've run Hijack this on the server and have collected a log file. Thanks, P
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.