do you have psacct enabled? if so you can check the command lastcomm. 2009/3/26 Georgi Stoynev <[email protected]>
> I forgot: > > [r...@srv1 ~]# cat /var/log/secure > Mar 23 10:01:04 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 23 10:01:04 srv1 login: ROOT LOGIN ON tty1 > Mar 23 10:28:32 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 23 10:28:32 srv1 login: ROOT LOGIN ON tty2 > Mar 23 10:28:57 srv1 login: pam_unix(login:session): session closed for > user root > Mar 23 10:30:17 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 23 10:30:17 srv1 login: ROOT LOGIN ON tty1 > Mar 23 16:13:40 srv1 sshd[29002]: Connection closed by 192.168.2.152 > Mar 23 16:53:56 srv1 sshd[29183]: Accepted password for non_root_user from > 192.168.3.2 port 52901 ssh2 > Mar 23 16:53:56 srv1 sshd[29183]: pam_unix(sshd:session): session opened > for user non_root_user by (uid=0) > Mar 23 16:54:02 srv1 su: pam_unix(su-l:session): session opened for user > root by non_root_user(uid=500) > Mar 23 16:53:30 srv1 su: pam_unix(su-l:session): session closed for user > root > Mar 23 16:53:32 srv1 sshd[29183]: pam_unix(sshd:session): session closed > for user non_root_user > *Mar 26 12:03:58 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 12:03:58 srv1 login: pam_unix(login:session): session closed for > user root* > Mar 26 12:05:35 srv1 sshd[2887]: Received signal 15; terminating. > Mar 26 12:09:05 srv1 sshd[2896]: Server listening on :: port 2222. > Mar 26 12:09:05 srv1 sshd[2896]: error: Bind to port 2222 on 0.0.0.0 > failed: Address already in use. > Mar 26 13:08:10 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:08:10 srv1 login: ROOT LOGIN ON tty1 > Mar 26 13:14:19 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:14:19 srv1 login: ROOT LOGIN ON tty2 > Mar 26 13:15:43 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:15:43 srv1 login: ROOT LOGIN ON tty3 > Mar 26 13:22:35 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:22:35 srv1 login: ROOT LOGIN ON tty4 > Mar 26 13:35:37 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 13:36:43 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 13:39:41 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 13:48:48 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 13:50:58 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:50:58 srv1 login: ROOT LOGIN ON tty1 > Mar 26 13:51:11 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 13:53:13 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:53:13 srv1 login: ROOT LOGIN ON tty1 > Mar 26 13:53:35 srv1 login: pam_unix(login:session): session opened for > user root by LOGIN(uid=0) > Mar 26 13:53:35 srv1 login: ROOT LOGIN ON tty2 > Mar 26 14:16:27 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 14:16:32 srv1 login: pam_unix(login:session): session closed for > user root > Mar 26 17:41:29 srv1 sshd[8395]: Accepted password for non_root_user from > 192.168.2.153 port 1123 ssh2 > Mar 26 17:41:29 srv1 sshd[8395]: pam_unix(sshd:session): session opened for > user non_root_user by (uid=0) > Mar 26 17:41:35 srv1 su: pam_unix(su-l:session): session opened for user > root by non_root_user(uid=500) > [r...@srv1 ~]# > > I didn't log into the server at that time. > Any thoughts? > > _______________________________________________ > mlug mailing list > [email protected] > https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca > >
_______________________________________________ mlug mailing list [email protected] https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
