that's a blind entry point. i would either remove or disu the tty until i found out the user. are you using named login? that might help.. a possible catch is at the command prompt >mon x on the tty number, you'll see key strokes on that port as they happen.. even with a des label, you would just know the intended usage.. seb local etc.. go to ld 117 and do a sel prt 500, a little better then a history file, but not everything your looking for
john poole
bellsouth business
columbia,sc