SSH Connections - Unknown

[immobilus]

6/5/15 12:20:25.115 AM login[1069]: DEAD_PROCESS: 1069 ttys001
6/5/15 12:20:35.503 AM login[1556]: USER_PROCESS: 1556 ttys000
6/5/15 1:03:24.958 AM login[1556]: DEAD_PROCESS: 1556 ttys000
6/5/15 1:03:26.596 AM login[1674]: USER_PROCESS: 1674 ttys000
6/5/15 1:04:48.656 AM login[1674]: DEAD_PROCESS: 1674 ttys000
6/5/15 1:04:50.617 AM login[1687]: USER_PROCESS: 1687 ttys000

What do these mean, how do I find out who they are (IP addresses), and how do I see exactly what they're doing while logged on? Also, is there a specific log file which will provide improved information?

 

[immobilus]

[bump]

I changed my password and the logins stopped. Is there a way to find out what they were doing or what they did while logged into the system?

 

[chrfr]

[bump]

I changed my password and the logins stopped. Is there a way to find out what they were doing or what they did while logged into the system?

Assuming you have an administrator account they could have done anything. I would reformat/reinstall, and restore only your documents from backup.

 

[kolax]

Nothing there suggests these were SSH. Did you have any terminals open in the background you forgot about? If you don't have port forwarding enabled on your router (or port 22 for that matter) then it won't have been anyone SSH'ing in.

 

[chrfr]

Nothing there suggests these were SSH. Did you have any terminals open in the background you forgot about? If you don't have port forwarding enabled on your router (or port 22 for that matter) then it won't have been anyone SSH'ing in.

This is a good point. There would be log entries for ssh as well, indicating logins that way.