User never login on the server just browse to port 80 and no https..... strange only a few legit cases for this to happen and that is the user shares an IP address with a distributed/brute force attacker i.e. sshd brute force attacks on your server...