Edd Barrett wrote:
Hi,
On Fri, Aug 21, 2009 at 6:54 AM, Uwe Dippel<[email protected]> wrote:
Yes. Like
Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2
To be clear, the user exists, and logged on the last time three days ago as
far as 'last' is concerned.
This sounds very fishy. I would start backing up if I were you.
Did this.
You said first that last says the user had not logged on, but now that
it has 3 days ago? Is the user covering up his/her traces or was that
a typo?
(See my other mail, my ambiguity: Last record in 'last' of 3 days ago.)
See what the user is doing and what is in his/her home directory.
Nothing except of ssh - Nothing much. The usual few files. Nothing in
hidden files.
Try
to find information about the machine which it is coming from.
It is an inside (LAN) machine, standard workstation/desktop
I would be interested to know.
Me too! ;)
Uwe
