|
Posted by =?Utf-8?B?UC4gQ3VsbHk=?= on October 18, 2007, 9:21 am
If you were Registered and logged in, you could reply and use other advanced thread options
A review of my security logs reports a number of users logging in to the
network successfully from a valid network machine at 5:46 in the morning. We
are a school with no remote access and the building is locked. Once the
machine was identified I checked the logs on that machine and ran spybot but
everything showed up clean.
Question: Could a student have not logged off when they finished working on
a machine and the repeated events have something to do with Kerberos checking
and reissuing tickets?
Observation: I ran a virus scan on one of the servers overnight and was
logged in as a user with the machine locked. When I checked the logs on that
machine this a.m. that same user was shown with ID540/538s during early
morning hours.
Machines that are not shut down appear in the logs have 540/538s happening
at the same time.
I've run Hijack this on the server and have collected a log file.
Thanks,
P
| 
XML site map