Dotan Cohen wrote:
> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.

Since it has not been mentioned in the other replies, I would certainly think that scrutiny of /var/log/auth.log is due. The logs should show you when the user has logged in, and from what remote IP addresses. It should be quite simple to correlate those times and locations with your user. 'whois 11.22.33.44' on those IP addresses will get you an idea of the physical location (not precise in all cases, but an idea) the logins came from.

In any case - do not delay changing that user's password to a new strong one!

-- 
Kind Regards,
Michael Shuler
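
The correlation suggested in the reply above, as an added example that is not part of the original message: it lists each accepted SSH login for one account from auth.log text and marks those that arrived while a console or display-manager session for the same account was open. The sample log lines, the user names and the `LOCAL_SERVICES` set are constructed assumptions; adjust the service names to the login manager actually in use.

```python
import re

# Constructed sample lines in the traditional Debian auth.log format (not from the original post).
SAMPLE_LOG = """\
Mar  3 09:01:12 host login[1201]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Mar  3 09:40:07 host sshd[2310]: Accepted password for alice from 203.0.113.45 port 51234 ssh2
Mar  3 09:40:07 host sshd[2310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:55:30 host sshd[2310]: pam_unix(sshd:session): session closed for user alice
Mar  3 10:15:00 host sshd[2355]: Failed password for alice from 203.0.113.45 port 51300 ssh2
Mar  3 12:00:00 host login[1201]: pam_unix(login:session): session closed for user alice
Mar  3 13:10:00 host sshd[2400]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 13:10:01 host sshd[2401]: Accepted password for bob from 192.0.2.9 port 40100 ssh2
"""

# Assumption: PAM services that mean "sitting at the machine" (console and display managers).
LOCAL_SERVICES = {"login", "lightdm", "gdm-password", "sddm", "xdm"}

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ACCEPTED = re.compile(STAMP + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port \d+")
SESSION = re.compile(STAMP + r"\S+: pam_unix\((?P<svc>[\w-]+):session\): session "
                     r"(?P<state>opened|closed) for user (?P<user>[^\s(]+)")

def ssh_logins(log_text, user):
    """Return (timestamp, ip, method, local_session_open) per accepted SSH login of `user`.
    Lines are assumed to be in chronological order, as they are in auth.log."""
    local_open = 0   # number of local PAM sessions for `user` currently open
    results = []
    for line in log_text.splitlines():
        m = SESSION.match(line)
        if m and m["user"] == user and m["svc"] in LOCAL_SERVICES:
            local_open += 1 if m["state"] == "opened" else -1
            local_open = max(local_open, 0)   # the log may begin mid-session
            continue
        m = ACCEPTED.match(line)
        if m and m["user"] == user:
            results.append((m["ts"], m["ip"], m["method"], local_open > 0))
    return results

if __name__ == "__main__":
    for ts, ip, method, overlap in ssh_logins(SAMPLE_LOG, "alice"):
        flag = "WHILE LOCAL SESSION OPEN" if overlap else ""
        print(f"{ts}  {ip:<15}  {method:<10}  {flag}")
```

To run it against a real log, pass the contents of /var/log/auth.log (read as root) in place of `SAMPLE_LOG`; rotated files need to be concatenated oldest first so the session counting stays in order.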