In case of a suspected security breach it can be useful to display the last logons on a possibly compromised server.
When you log on successfully to a Unix/Linux machine through ssh, the system may show information about the previous logon. In that case the username, the last logon time and the host used are displayed:
Linux some-host 2.6.26-1-xxx # Fri Mar 13 18:08:45 UTC 2009 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 25 09:36:47 2010 from hostname
The “last” command should be run as root. Executing last will display a list of the last logons:
burdy pts/1 some-host.net Fri Mar 26 13:06 still logged in
burdy pts/1 colo-xxx-195-073 Thu Mar 25 09:36 - 18:08 (08:31)
burdy pts/1 some-host.net Wed Mar 24 18:22 - 22:16 (03:54)
burdy pts/1 colo-xxx-195-073 Wed Mar 24 14:59 - 18:22 (03:22)
burdy pts/1 some-host.net Tue Mar 23 21:55 - 21:57 (00:01)
This information comes from /var/log/wtmp, a database file that the “last” command queries. Information about the last bad logons comes from /var/log/btmp instead and is shown by the command “lastb”.
Check the manual for options: man last. Executing last -i will return IP addresses instead of hostnames.
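When a server has a long logon history, the raw list is easier to review once it is condensed. The following is an added example, not part of the original post: a shell function that reduces last -i output to one line per user and source address and marks addresses that are not on a list of expected ones. The function names summarize_last and sample_last_output, the sample records and the addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Summarise `last -i` output: count sessions per (user, source address) and
# mark sources that are missing from a space-separated list of expected ones.
# Real use (as root):  last -i | summarize_last "192.0.2.10 192.0.2.11"
summarize_last() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # Skip blank lines, the "wtmp begins" trailer and boot/shutdown records.
        NF == 0 || $1 == "wtmp" || $1 == "btmp" { next }
        $1 == "reboot" || $1 == "shutdown" { next }
        {
            src = $3
            # No host column (local console login): field 3 is the weekday.
            if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "local"
            count[$1 " " src]++
        }
        END {
            for (key in count) {
                split(key, p, " ")
                flag = (p[2] in ok) ? "known" : "UNKNOWN"
                printf "%s %s %d %s\n", p[1], p[2], count[key], flag
            }
        }' | LC_ALL=C sort
}

# Constructed sample in the layout printed by `last -i` (not real data).
sample_last_output() {
    cat <<'EOF'
burdy    pts/1        192.0.2.10       Fri Mar 26 13:06   still logged in
burdy    pts/1        198.51.100.7     Thu Mar 25 09:36 - 18:08  (08:31)
burdy    pts/1        192.0.2.10       Wed Mar 24 18:22 - 22:16  (03:54)
root     tty1                          Wed Mar 24 10:00 - 10:05  (00:05)
reboot   system boot  0.0.0.0          Wed Mar 24 09:58 - 18:08 (1+08:10)

wtmp begins Mon Mar  1 00:00:01 2010
EOF
}

# Demo run on the sample, treating 192.0.2.10 as the only expected source.
sample_last_output | summarize_last "192.0.2.10"
```

Lines marked UNKNOWN are the ones to check first against what the account owner confirms. Add "local" to the list if console logons are expected.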