Operating System - HP-UX


who connected to my account

Hi Team,

Is there any way, for a Unix account, to know who connected to my Unix environment (user), from which IP address, when he/she was connected, and what he did with my Unix environment?

Thanks in advance
Pratibha
James R. Ferguson
Acclaimed Contributor
Solution

Re: who connected to my account

Hi:

Probably your first set of data will be from:

# last -R pratibbha

...or whatever your account name is.

As for "what" (s)he did, you might look at your '.sh_history' [assuming that it wasn't erased and assuming that you use the standard POSIX or Korn shell].

Regards!

...JRF...
Pete Randall
Outstanding Contributor

Re: who connected to my account

Possibly /var/adm/wtmp, searched with the last command could help.


Pete


Re: who connected to my account

Thanks Guys,

But someone deleted my data, so I can't find details in .sh_history either.
The # last -R command is OK, but I don't know what the username is.

Is there any way, or any script?

Many Thanks.
Pratibha
James R. Ferguson
Acclaimed Contributor

Re: who connected to my account

Hi (again):

> But someone deleted my data, so can't find details in .sh_history also

Then that may mark malicious intent.

> last -R command is ok, but I don't know what is username

The "username" is the account (login) name that you want to query. It sounds as if you want to see all recent connection activity. If so, do:

# last -R

Unless you have auditing turned on, finding "who" did "what" is very, very difficult. Current releases provide better tools.

Regards!

...JRF...
madhuchakkaravarthy
Trusted Contributor

Re: who connected to my account

Hi,

Just do last -R -5 username

username: the name that you used for login

last -R -5 root
root pts/0 117.193.160.54 Wed Apr 14 11:18 still logged in
root pts/1 117.193.160.54 Wed Apr 14 10:46 - 10:53 (00:06)
root pts/0 117.193.160.54 Wed Apr 14 09:43 - 10:50 (01:06)
root pts/0 117.193.160.54 Wed Apr 14 09:36 - 09:40 (00:03)
root pts/1 122.164.238.216 Wed Apr 14 01:22 - 03:25 (02:03)

regards
MC
Steven E. Protter
Exalted Contributor

Re: who connected to my account

Shalom,

As root, disable the account immediately and start looking at the history files.

If .sh_history has been modified, then the intent of the person using the account would appear to be malicious.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
rmueller58
Valued Contributor

Re: who connected to my account

After the fact is pretty difficult.

You could set up a typeset mechanism to log items when the user logs in.

Does someone have access to su or sudo to your account? You could check the sudo/su logs.

Bill Hassell
Honored Contributor

Re: who connected to my account

And it may not have been someone who logged into your account -- root can delete anything, anywhere, anytime. If someone has the root password, they can do anything. Look at root's .sh_history file. Also use last -R root to see when root was logged in, and use su.log to see if someone used su to become root.


Bill Hassell, sysadmin
Mike Miller_8
Regular Advisor

Re: who connected to my account

If nothing shows up in the sulog, you may want to restrict root access to only the console.
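
The checks suggested in this thread (logins from `last -R`, and su activity from the sulog) can be summarised per account with a short script. This is an added example, not code from any poster: the sample data is constructed, the function names are hypothetical, and the sulog line layout (`SU MM/DD HH:MM +|- tty from-to`) and its usual path `/var/adm/sulog` are assumptions to verify on your system.

```shell
#!/bin/sh
# Added example: summarise remote logins and su attempts for one account.
# All sample data below is constructed (documentation-range addresses).

SAMPLE_LAST='root pts/0 192.0.2.10 Wed Apr 14 11:18 still logged in
root pts/1 192.0.2.10 Wed Apr 14 10:46 - 10:53 (00:06)
root pts/1 198.51.100.7 Wed Apr 14 01:22 - 03:25 (02:03)
root console Tue Apr 13 08:00 - 08:05 (00:05)
pratibha pts/2 198.51.100.7 Wed Apr 14 01:30 - 01:41 (00:11)'

SAMPLE_SULOG='SU 04/14 01:24 + pts/1 root-pratibha
SU 04/14 01:20 - pts/3 guest-root
SU 04/14 10:47 + pts/1 jsmith-root'

# Count logins per source host for account $1.
# stdin: `last -R` style lines (user tty [host] day month date time ...).
# A line with no host column (field 3 is a weekday) is counted as "(local)".
logins_by_host() {
    awk -v u="$1" '$1 == u {
            h = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "(local)" : $3
            n[h]++
        }
        END { for (h in n) print n[h], h }' | LC_ALL=C sort -k1,1nr -k2,2
}

# List su attempts INTO account $1, successful or failed.
# stdin: sulog style lines (assumed layout: SU MM/DD HH:MM +|- tty from-to).
# The target is matched as a suffix so a hyphen in the source name is safe.
su_into() {
    awk -v u="$1" '$1 == "SU" {
            len = length(u)
            if (substr($6, length($6) - len) != "-" u) next
            from = substr($6, 1, length($6) - len - 1)
            print $2, $3, ($4 == "+" ? "ok" : "FAILED"), from, $5
        }'
}

# Report for root using the constructed samples. On a live system, replace
# the printf pipelines with:  last -R | ...   and   ... < /var/adm/sulog
echo "Logins to root by source:"
printf '%s\n' "$SAMPLE_LAST" | logins_by_host root
echo "su attempts into root:"
printf '%s\n' "$SAMPLE_SULOG" | su_into root
```

An unfamiliar source host in the first list, or a failed su followed shortly by a successful one in the second, is where to start looking.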