Dotan Cohen wrote:
> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that  a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.
> 

Since it has not been mentioned in the other replies, I would certainly
think that scrutiny of /var/log/auth.log is due.  The logs should show
you when the user has logged in, and from what remote IP addresses.  it
should be quite simple to correlate those times and locations with your
user.

'whois 11.22.33.44' on those IP addresses will get you an idea of the
physical location (not precise in all cases, but an idea) the logins
came from.

In any case - do not delay changing that user's password to a new strong
one!

-- 
Kind Regards,
Michael Shuler


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to