An easy way to check for unauthorised shell access is to login and look at the last ip address which logged in as that user, you should be able to see which ip block it was from, which would tell you if it was from your normal ISP, if it's not from the same range, it would look like someone else had accessed your shell. If you want to know the IP currently assigned by your ISP and therefore the normal range, do winipcfg from a DOS prompt in Win 95,98,ME, or ipconfig/all in NT,2K or XP...
