last

In the case of a suspected security breach it is useful to display the last logons on the possibly compromised server.

When logging on successfully to a Unix/Linux machine through ssh, the system may show information about the previous logon. In that case the username, the time of the last logon and the host it came from are displayed:

Linux some-host 2.6.26-1-xxx # Fri Mar 13 18:08:45 UTC 2009 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Thu Mar 25 09:36:47 2010 from hostname
burdy@some-host:~$

The “last” command should be run as root. The information it shows comes from /var/log/wtmp, a binary database file that “last” queries. Failed logons are recorded separately in /var/log/btmp and can be listed with the “lastb” command. Executing last displays a list of the last logons:

$ sudo last

burdy     pts/1        some-host.net Fri Mar 26 13:06   still logged in
burdy     pts/1        colo-xxx-195-073 Thu Mar 25 09:36 - 18:08  (08:31)
burdy     pts/1        some-host.net Wed Mar 24 18:22 - 22:16  (03:54)
burdy     pts/1        colo-xxx-195-073 Wed Mar 24 14:59 - 18:22  (03:22)
burdy     pts/1        some-host.net Tue Mar 23 21:55 - 21:57  (00:01)

Check the manual for options: man last. Executing last -i will return IP addresses instead of hostnames.
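As an added example (not part of the original post), the following Python reads a copied wtmp or btmp file directly, so an investigator can examine the records off-box instead of trusting the last/lastb binaries on a possibly compromised host. It assumes the 384-byte glibc struct utmp layout used on Linux; the sample records are constructed, not a real capture.

```python
import struct
from collections import Counter

# glibc struct utmp on Linux is 384 bytes: type, pad, pid, line, id, user, host,
# exit status (2 shorts), session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8  # btmp / login / logout record types

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct the sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_records(data):
    """Yield one dict per 384-byte record of a wtmp or btmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "line": f[2].rstrip(b"\0").decode(),
               "user": f[4].rstrip(b"\0").decode(),
               "host": f[5].rstrip(b"\0").decode(), "time": f[9]}

def sessions(wtmp):
    """Pair each login with the next logout on the same tty, as `last` does.
    Returns (user, tty, host, login_epoch, logout_epoch or None if still logged in)."""
    open_by_tty, out = {}, []
    for r in parse_records(wtmp):
        if r["type"] == USER_PROCESS:
            open_by_tty[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_tty:
            s = open_by_tty.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
    return out + [(s["user"], s["line"], s["host"], s["time"], None)
                  for s in open_by_tty.values()]

def failed_logons_by_host(btmp):
    """Every btmp record is a failed logon; count them per source host (the `lastb` view)."""
    return Counter(r["host"] for r in parse_records(btmp))

# Constructed sample data, not a real capture: one closed ssh session, one still open,
# and three failed root attempts from a single source as sshd writes them to btmp.
T0 = 1269509807  # 2010-03-25 09:36:47 UTC
SAMPLE_WTMP = (pack_record(USER_PROCESS, 4242, "pts/1", "burdy", "colo-xxx-195-073", T0)
               + pack_record(DEAD_PROCESS, 4242, "pts/1", "", "", T0 + 8 * 3600 + 31 * 60)
               + pack_record(USER_PROCESS, 4300, "pts/2", "burdy", "some-host.net", T0 + 600))
SAMPLE_BTMP = b"".join(pack_record(LOGIN_PROCESS, 5000 + i, "ssh:notty", "root", "203.0.113.9", T0 + i)
                       for i in range(3))

if __name__ == "__main__":
    print(sessions(SAMPLE_WTMP), dict(failed_logons_by_host(SAMPLE_BTMP)))
```

Point parse_records at the bytes of a wtmp or btmp file copied from the host to get the same view over real records.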