ps: looking at your log, I will eat my hat if is not the case of a SOLMAN sandbox system which is still "alive" and using DDIC for the RFC calls. DDIC user does not support trusted RFC, so the user is "hardcoded" into the connection with fixed logon data, hence correctly showing up as a successfull RFC call.
In this case critical (even if SAP display interpret it as "all" with "red".. perhaps they made an exception for DDIC to discover such things, as urban legends and convenience to use DDIC for some connections are not uncommon... so it might even be intentional in SM20N...).
From a "hacker" aspect, my first thought is to find the RFC client, because then I can logon as DDIC to the server by simply calling the destination and stopping the program in the call or provoking a dump with connection to user context.
Cheers,
Julius