Here is some information to help track down the culprit.

Check for a particular file that was generated at $ORACLE_HOME/rdbms/audit when the database was shut down (i.e. check the date/time stamp).

In the file, you may see something like this...

...
Tue Mar 6 11:50:30 2001
ACTION : 'connect internal' OSPRIV : DBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/33

Tue Mar 6 11:51:50 2001
ACTION : 'shutdown'
...

If every user has a unique unix userid, then from there you can identify the person by the 'CLIENT USER' as shown above. But if you have a common userid to log on to your server, just like 'oracle' in our case, then refer to what's in the 'CLIENT TERMINAL', which is 'pts/33' in our case.

Using the 'client terminal' info, use the 'last' unix command to display what host the user TELNETed from, as well as the server logon time, as follows.


>last | grep pts/33
rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged in
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26 (01:57)
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13 (00:28)

Then 'ping' the hostname from your Microsoft Windows command line to determine the IP address of the origin host machine. Once you have the IP address, issue the command, 'nbtstat -A <ip_address>' to determine the username and hostname the IP address is assigned to.


Hope this would help you to nail the person :D

Sam
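
The correlation described in the post above, as an added example that is not part of the original post: it finds the 'shutdown' record in the audit file and returns the `last` session on the same terminal that was open at that moment. The sample text is constructed from the excerpts above; the function names are hypothetical, and it assumes one session per audit file and that `last` entries fall in the same year as the audit record.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the excerpts in the post above.
AUDIT = """Tue Mar 6 11:50:30 2001
ACTION : 'connect internal' OSPRIV : DBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/33

Tue Mar 6 11:51:50 2001
ACTION : 'shutdown'
"""
LAST = """rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged in
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26 (01:57)
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13 (00:28)
"""
LAST_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d+)\s+"
                     r"(\d\d:\d\d)\s+(?:-\s+(\d\d:\d\d)|still logged in)")

def find_shutdown(audit_text):
    """Return (timestamp, terminal) for the 'shutdown' audit record."""
    terminal = None
    for block in re.split(r"\n\s*\n", audit_text.strip()):
        m = re.search(r"CLIENT TERMINAL:\s*(\S+)", block)
        if m:  # assumption: the file covers one session, so this carries forward
            terminal = m.group(1)
        if re.search(r"ACTION\s*:\s*'shutdown", block):
            stamp = " ".join(block.splitlines()[0].split())
            return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), terminal
    return None, None

def sessions_covering(last_text, terminal, when):
    """Return (user, host, login_time) for logins on `terminal` open at `when`."""
    hits = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group(2) != terminal:
            continue
        user, _, host, mon, day, start_hm, end_hm = m.groups()
        # `last` prints no year; assume the year of the audit record.
        start = datetime.strptime(f"{mon} {day} {when.year} {start_hm}", "%b %d %Y %H:%M")
        end = None  # None means "still logged in"
        if end_hm:
            hh, mm = map(int, end_hm.split(":"))
            # logout is printed to the minute, so keep the whole minute in range
            end = start.replace(hour=hh, minute=mm) + timedelta(minutes=1)
            if end <= start:  # logout after midnight
                end += timedelta(days=1)
        if start <= when and (end is None or when < end):
            hits.append((user, host, start))
    return hits
```

Calling `find_shutdown(AUDIT)` and passing its result to `sessions_covering(LAST, ...)` picks out the 11:45 - 12:13 login, the only pts/33 session open when the shutdown was issued.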