I was browsing through my security audit logs today and I noticed a few users that have a 540 logon success and then a rapid 538 logoff (and by rapid I mean the user logs off anywhere between 1 - 30 seconds after login).

There is one in particular that I'm curious about, mainly because I know that user is on vacation and wouldn't be logging onto their computer.

Some important notes:
- User is on vacation and the authentication is coming from their workstation in the office
- Their workstation is left on
- User can connect directly to their workstation through RDP
- This user has an assistant that has access to lots of this user's stuff (Outlook, network password, etc.)
- This user's computer has had a virus in the past which I believe we've cleaned (Malwarebytes showed up clean, HiJackThis log looked clean and they have an antivirus running on their computer). We got the user to change their password after we cleaned the virus.

My question is, what could possibly be causing rapid logins / logoffs on my network? Any insight would be appreciated!

DKNUCKLES
  • Have you checked scheduled tasks or any other currently-running processes? Maybe he wrote a script that hits the server a lot with his creds explicitly instead of using the logged-in environment. – mfinni Feb 12 '11 at 17:37
  • Have you had a chance to look into those things? – mfinni Feb 16 '11 at 13:56
  • Sorry for the late response. The user has no scripts or anything that would cause this logon running on their computer. – DKNUCKLES Feb 16 '11 at 17:11
  • Then I've got no idea. Have you inspected the logs on the workstation itself? – mfinni Feb 16 '11 at 17:28

0 Answers