Help me catch a computer thief!!

Posted on 2007-08-07
Last Modified: 2013-12-16
I provide some remote backup services for a few clients.  Nightly, their computers rsync data to my server.

Ok, one of my clients got broken into a few days ago and their computers were stolen.  No problem, we have backups.  Here's the interesting thing... they are TOO current!!  The thieves were stupid enough to plug the thing in and connect it to the Internet without clearing anything, so the backups are continuing.

I'm not savvy enough with general Linux to know for certain... but could I find somewhere on my server a log showing the IP that they are connecting from?  With that... and a cop that gives a crap... maybe it's possible to locate them?

We'll leave the legal aspect to the appropriate folks, but can someone tell me what commands and/or locations to look at to see the IP address?  

The server is a RedHat 9 machine stripped down to just the basics.  No x-windows or anything like that.  The incoming connections are done through rsync via OpenSSH.

Question by:s_mack

    Accepted Solution

    The IP address of the ssh connection should be in /var/log/secure.
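
Added example, not part of the original answer: a shell helper that summarises which addresses an account's successful sshd logins in `/var/log/secure` came from, so a change of source address stands out. The account name `backup`, the host name `vault` and the sample log lines are constructed for illustration, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Usage: ssh_sources USER LOGFILE...   (pass rotated logs oldest first,
# e.g. /var/log/secure.1 /var/log/secure; syslog stamps carry no year)
ssh_sources() {
    user=$1; shift
    awk -v user="$user" '
        # Success lines: "Mon D HH:MM:SS host sshd[pid]: Accepted METHOD for USER from IP port N ssh2"
        $5 ~ /^sshd\[/ && $6 == "Accepted" && $8 == "for" && $9 == user && $10 == "from" {
            ip = $11
            sub(/^::ffff:/, "", ip)            # IPv4-mapped form logged by some sshd builds
            stamp = $1 " " $2 " " $3
            if (!(ip in first)) { first[ip] = stamp; order[++n] = ip }
            last[ip] = stamp
            count[ip]++
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                printf "%s logins=%d first=\"%s\" last=\"%s\"\n", ip, count[ip], first[ip], last[ip]
            }
        }
    ' "$@"
}

# Address of the most recent successful login for USER.
ssh_last_source() {
    ssh_sources "$@" | awk 'END { print $1 }'
}

# Constructed sample data (not real log entries).
sample_log() {
    cat <<'EOF'
Aug  5 02:00:03 vault sshd[2101]: Accepted publickey for backup from 192.0.2.10 port 40122 ssh2
Aug  5 03:10:00 vault sshd[2150]: Accepted password for admin from 192.0.2.77 port 51000 ssh2
Aug  6 02:00:04 vault sshd[2207]: Accepted publickey for backup from ::ffff:192.0.2.10 port 40188 ssh2
Aug  6 14:22:51 vault sshd[2301]: Failed password for backup from 203.0.113.5 port 33010 ssh2
Aug  7 02:00:02 vault sshd[2388]: Accepted publickey for backup from 198.51.100.23 port 1027 ssh2
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
ssh_sources backup "$tmp"      # one line per source address, in order of first appearance
rm -f "$tmp"
```

Copy the log files somewhere safe before they rotate away, since the original entries are what an investigator will want to see.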

    Author Comment

    Thanks!  Found it.  Sure enough, one IP for several months and then a different IP from last night.  I'll be in the hands of the police tomorrow... hopefully they can do something with it.  When I tracert the IP it appears to be still in the local area and on the same ISP as I'm on!

    Thanks again.

    Expert Comment

    by:Hedley Phillips
    Good luck mate.

    As you say, let's hope you find police who a) care and b) understand.

