Find out which bad guy has fiddled on your workstation

Lastly i sat in a meeting and suddenly my vnc session to my workstation was killed. First, i thought we had some network problems, but i encountered my workstation was rebooted!

But how to figure out, who this was?

Luckily there’s a nice command called: last.

# Show last logged in users
last

This command basically uses the file /var/log/wtmp as it’s source. After a reboot this file seems to be rewritten, unfortunately.

# This file only goes back to the last reboot, so we need 
# to look around to find pevious version
ls /var/log/wtmp*

# => Output (filenames depend on your machine configuration, 
# i have a RHEL 7 box)
wtmp-20160114

# the file itself is not human readable but could be used 
# as input for last
last -f /var/log/wtmp-20160114

Now could clearly see, who was the bad guy …

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s