> The user could also be running the command inline somehow or deleting the
> file when they log off.
"Wiretapping" your SSHd is one way to find out what people are up to:

http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html

Also .. if you have the resources, a passive tap and another box that has enough disk and I/O to keep up is useful to see who was doing what right before the packetstorm happens.

If you can take the box offline and grab a disk image, tools like "fls" from TSK can generate a filesystem timeline, again .. who touched what right before it started...

Cheers,

Michael Holstein
Cleveland State University
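
An added example, not part of the original message: narrowing a TSK filesystem timeline to the window just before an incident, to see which UID touched what. It assumes a body file in the TSK 3.x format (as written by `fls -r -m / image.dd`, where `image.dd` is a hypothetical image name); the sample entries, paths and timestamps below are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in TSK 3.x body format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/home/alice/.bash_history|1201|r/rrw-------|1001|1001|512|1700000000|1699990000|1699990000|0
0|/tmp/.x/flood (deleted)|1377|r/rrwxr-xr-x|1002|1002|48211|1700003500|1700003400|1700003400|0
0|/home/bob/.ssh/authorized_keys|1410|r/rrw-------|1002|1002|400|1700003300|1700003000|1700003000|0
0|/etc/passwd|88|r/rrw-r--r--|0|0|1800|1700003590|1690000000|1690000000|0
"""

FIELDS = ("atime", "mtime", "ctime", "crtime")


def timeline(body, incident_epoch, window_secs):
    """Return sorted (epoch, kind, uid, name) events from the window before the incident."""
    start = incident_epoch - window_secs
    events = []
    for line in body.splitlines():
        if not line or line.startswith("#"):
            continue
        # File names may contain '|', so peel the fixed fields off both ends.
        _md5, rest = line.split("|", 1)
        name, _inode, _mode, uid, _gid, _size, *times = rest.rsplit("|", 9)
        for kind, raw in zip(FIELDS, times):
            ts = int(raw)
            # A zero timestamp means "not recorded"; skip it.
            if ts and start <= ts <= incident_epoch:
                events.append((ts, kind, int(uid), name))
    return sorted(events)


def render(events):
    """Format events as one UTC line each, oldest first."""
    out = []
    for ts, kind, uid, name in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        out.append(f"{when}  {kind:<6} uid={uid:<5} {name}")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed incident time: the flood starts at epoch 1700003600;
    # look at the ten minutes leading up to it.
    print(render(timeline(SAMPLE_BODY, 1700003600, 600)))
```

The UID column comes from the inode owner, so it shows whose file was touched, not necessarily who touched it; correlate with session logs for attribution.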