23 Feb 2010, 3:38 p.m.
The user could also be running the command inline somehow or deleting the file when they log off.

"Wiretapping" your SSHd is one way to find out what people are up to:
http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html

Also, if you have the resources, a passive tap and another box that has enough disk and I/O to keep up is useful to see who was doing what right before the packetstorm happens.

If you can take the box offline and grab a disk image, tools like "fls" from TSK can generate a filesystem timeline; again, who touched what right before it started...

Cheers,

Michael Holstein
Cleveland State University
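As an added illustration of the filesystem-timeline idea in the reply above (this is not code from the original post, and not part of The Sleuth Kit), the Python below builds a MAC-time timeline the way `fls -m` piped into `mactime` would, then pulls out the events that fall in a window just before a given incident time. It does not parse a disk image: it either walks a live directory with `os.lstat()` or takes a constructed list of entries (the sample data in the block is made up). For a real image you would still run the TSK tools; this only shows what the resulting "who touched what right before it started" view is made of.

```python
# Added example (not from the original post): a minimal MAC-time filesystem
# timeline in the spirit of what TSK's "fls -m" piped into "mactime" produces.
# It does NOT read a disk image; it either walks a live directory tree with
# os.lstat() or takes a constructed list of entries, merges each file's
# m/a/c timestamps into sorted "mac"-flag events, and can pull the events
# that fall in a window right before a given incident time.
import os
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTimes:
    path: str
    mtime: float   # content last modified
    atime: float   # last accessed
    ctime: float   # inode/metadata last changed (not creation time on Unix)


def stat_tree(root: str) -> list[FileTimes]:
    """Collect m/a/c times for every file and directory below root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)   # lstat: do not follow symlinks
            except OSError:
                continue              # unreadable entry: skip rather than abort
            entries.append(FileTimes(full, st.st_mtime, st.st_atime, st.st_ctime))
    return entries


def build_timeline(entries: list[FileTimes]) -> list[tuple[float, str, str]]:
    """Return (timestamp, flags, path) sorted by time.

    flags is a three-character string in m/a/c order with "." for a time
    that does not match, e.g. "m.c" means mtime and ctime both equal this
    timestamp but atime does not (the same convention mactime uses).
    """
    hits = defaultdict(set)   # (timestamp, path) -> set of flags
    for e in entries:
        for flag, ts in (("m", e.mtime), ("a", e.atime), ("c", e.ctime)):
            hits[(ts, e.path)].add(flag)
    timeline = []
    for (ts, path), flags in hits.items():
        flagstr = "".join(f if f in flags else "." for f in "mac")
        timeline.append((ts, flagstr, path))
    timeline.sort(key=lambda ev: (ev[0], ev[2]))
    return timeline


def events_before(timeline, incident_ts: float, window_seconds: float):
    """Events with incident_ts - window_seconds <= ts <= incident_ts."""
    lo = incident_ts - window_seconds
    return [ev for ev in timeline if lo <= ev[0] <= incident_ts]


def render(timeline) -> list[str]:
    """Human-readable lines in UTC, one per event."""
    return [
        f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))} {flags} {path}"
        for ts, flags, path in timeline
    ]


if __name__ == "__main__":
    # Constructed sample entries (not real data) standing in for a stat walk.
    sample = [
        FileTimes("/tmp/.x", mtime=900.0, atime=950.0, ctime=900.0),
        FileTimes("/home/alice/.bash_history", mtime=1000.0, atime=1000.0, ctime=1000.0),
    ]
    tl = build_timeline(sample)
    print("\n".join(render(tl)))
    print("-- events in the 60 s before the incident at t=1001 --")
    print("\n".join(render(events_before(tl, 1001.0, 60))))
```

On a live box you would call `build_timeline(stat_tree("/"))`, but note that walking a running system updates atimes and so disturbs the evidence; that is exactly why the post suggests taking the box offline and imaging it first.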