Quick thought... I just noticed that my user account has also been used a number of times from the same IP but I have been off work for 2 weeks. If someone was hacking then they wouldnt log in via both a user and root account on the same day, from the same IP - seems daft. The box had to be rebooted yesterday (power cut). Could these reports in logwatch be ghost ssh sessions from when ssh sessions hadnt been closed correctly (usually my shitty windows box crashing). i.e. when the box rebooted, the stale sessions were cleared down and only now showing up in the logs? I hope someone can shed a bit of light on this one. Jeff On Fri, 2004-01-02 at 18:34, Jeff wrote: > Peeps > > Just had a look at yesterdays logwatch mail and noticed that someone has > logged in as root via ssh 6 times from the IP address of the place I > work. I don't think it's been done maliciously, more of a 'look what i > did <laugh, laugh>'. I have looked at /var/log/secure and there's no > evidence in there about it so it looks like theyve covered their tracks. > > Does anyone know how I can find out what they did and how to prevent > stuff like this happening again (yes - Ive already changed the > password). Ive already looked at the bash history file with no luck > > Thanks > > A slightly worried Jeff > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list