2009/1/11 Michael Shuler <mich...@pbandjelly.org>:
> Since it has not been mentioned in the other replies, I would certainly
> think that scrutiny of /var/log/auth.log is due. The logs should show
> you when the user has logged in, and from what remote IP addresses. It
> should be quite simple to correlate those times and locations with your
> user.
>

Thank you, that did give me the information that I needed.

> 'whois 11.22.33.44' on those IP addresses will get you an idea of the
> physical location (not precise in all cases, but an idea) the logins
> came from.
>

I did not realize that whois worked with IP addresses. Thanks.

> In any case - do not delay changing that user's password to a new strong
> one!
>

Done! Even though it was already strong (over 12 characters,
AlphaNumeric of varying case)

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
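
The auth.log review discussed in this thread, as an added example that is not part of the original messages: it groups one user's sshd login events by source IP so that unfamiliar addresses stand out for a `whois` lookup. It assumes classic syslog-format sshd lines; the sample log, host name, user names and IP addresses (documentation ranges) are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format typically found in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jan 10 08:14:02 web1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Jan 10 08:14:02 web1 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 23:51:40 web1 sshd[3090]: Failed password for alice from 203.0.113.77 port 41810 ssh2
Jan 10 23:51:47 web1 sshd[3090]: Accepted password for alice from 203.0.113.77 port 41810 ssh2
Jan 11 02:03:15 web1 sshd[3544]: Accepted publickey for bob from 198.51.100.5 port 60001 ssh2
Jan 11 02:40:09 web1 sshd[3601]: Failed password for invalid user admin from 203.0.113.77 port 42200 ssh2
Jan 11 09:00:31 web1 sshd[4002]: Accepted password for alice from 192.0.2.10 port 50877 ssh2
"""

# Matches sshd "Accepted <method> for <user> from <ip>" and the "Failed" variant.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def logins_by_ip(lines, user):
    """Group sshd auth events for `user` by source IP."""
    summary = defaultdict(lambda: {"accepted": [], "failed": 0})
    for line in lines:
        m = SSHD_AUTH.match(line)
        if not m or m["user"] != user:
            continue  # not an sshd auth line, or a different account
        entry = summary[m["ip"]]
        if m["result"] == "Accepted":
            entry["accepted"].append(m["ts"])  # when the login succeeded
        else:
            entry["failed"] += 1
    return dict(summary)

def unexpected_sources(summary, known_ips):
    """IPs with successful logins that the account owner does not recognise."""
    return sorted(ip for ip, e in summary.items()
                  if e["accepted"] and ip not in known_ips)

if __name__ == "__main__":
    report = logins_by_ip(SAMPLE_AUTH_LOG.splitlines(), "alice")
    for ip, e in sorted(report.items()):
        print(ip, "accepted:", e["accepted"], "failed:", e["failed"])
    # Addresses worth a whois lookup and a conversation with the user.
    print("unrecognised:", unexpected_sources(report, {"192.0.2.10"}))
```

On a real host, pass the lines of `/var/log/auth.log` (and its rotated copies) instead of the sample; timestamps in this format carry no year, so keep track of which file each line came from.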