I think its gonna be pretty hard to track who it was, short of getting everyone's IP. FTP only picks up the IP, login name and at most, hostmask. If the person that put it there has a dynamic IP, then that idea is screwed. maybe its time for a new password?