On Linux, the last command lists the most recent logins, including the time and duration of each session, for example:

[leconte@web ~]$ last
leconte  pts/0  114.251.86.0     Wed May 19 19:42   still logged in
leconte  pts/0  114.251.86.0     Wed May 19 17:22 - 17:22  (00:00)
leconte  pts/0  114.252.182.234  Tue May 18 21:47 - 22:15  (00:28)
leconte  pts/0  114.251.86.0     Fri May  7 18:26 - 18:56  (00:30)
leconte  pts/0  114.251.86.0     Fri Apr 23 11:49 - 11:51  (00:02)
leconte  pts/0  114.251.86.0     Mon Apr 19 17:03 - 17:30  (00:27)
leconte  pts/0  114.251.86.0     Mon Apr 19 10:56 - 11:03  (00:06)
leconte  pts/0  121.0.29.237     Tue Apr 13 15:25 - 16:13  (00:47)
leconte  pts/0  121.0.29.237     Tue Apr 13 15:16 - 15:24  (00:08)
...
This list at least partially rules out the possibility that someone else has logged into the server without authorization. Bear in mind what it covers: only sessions that went through login or sshd with a terminal and wrote a utmp record. A command run as `ssh host cmd` without a pty allocates no terminal and leaves no wtmp entry, and failed attempts go to /var/log/btmp (see lastb), not here. And of course a careful attacker leaves no trace at all: they will usually clear this record so there is nothing left to find.
Tracing last with strace shows that what it actually reads is the file /var/log/wtmp:

open("/var/log/wtmp", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=264576, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fea000
read(3, "\10\0\0\0\255\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4096
fstat64(3, {st_mode=S_IFREG|0664, st_size=264576, ...}) = 0
If I remove this file by hand and then run last again, the result looks like this:

[leconte@web log]$ sudo mv wtmp wtmp.bk
Password:
[leconte@web log]$ last
last: /var/log/wtmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging last info.
So the output of last cannot be taken at face value: once the server has been compromised, deleting wtmp is trivial for the intruder. It is an ordinary file (mode 0664 in the fstat output above), so any process running as its owner or group can truncate it or rewrite it in place; an attacker who does not want the conspicuous "file was removed" message can instead zero out just their own 384-byte entries, and last will still print a plausible history. The practical defences are to keep a second record that the intruder cannot reach, typically sshd's "Accepted ..." lines shipped by syslog to a remote collector, to compare last's output against /var/log/secure or auth.log, and to put an audit watch on the file (auditctl -w /var/log/wtmp -p wa -k wtmp) so that any write to it is itself logged.
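Since last is nothing more than a reader of /var/log/wtmp, the natural next step is to read the file yourself and check it for the kinds of tampering last never reports. The following is an added example, not code from the original post. It assumes the 384-byte glibc `struct utmp` layout (ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit, ut_session, a pair of 32-bit ut_tv fields, ut_addr_v6[4], 20 unused bytes); two details in the strace output above are consistent with that assumption: st_size 264576 is exactly 689 records of 384 bytes, and the first eight bytes returned by read() decode as ut_type 8 (DEAD_PROCESS) with ut_pid 429. The sample wtmp bytes at the bottom are constructed here and do not come from the author's server.

```python
"""Read a Linux wtmp file directly and flag signs of tampering.

Added example, not part of the original post. Assumes the 384-byte glibc
struct utmp layout (same on i386 and x86-64). SAMPLE_WTMP is constructed.
"""
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit{term,exit},
# ut_session, ut_tv{sec,usec}, ut_addr_v6[4], 20 unused bytes
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


@dataclass
class Record:
    slot: int
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    ts: int
    zeroed: bool


@dataclass
class Session:
    user: str
    line: str
    host: str
    login: int
    logout: Optional[int]      # None means "still logged in"


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> List[Record]:
    """Decode every complete 384-byte slot (a trailing partial slot is
    skipped here and reported by analyze())."""
    recs = []
    for slot, off in enumerate(range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE)):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append(Record(slot, f[0], f[1], _cstr(f[2]), _cstr(f[4]),
                           _cstr(f[5]), f[9], raw == b"\0" * UTMP_SIZE))
    return recs


def analyze(data: bytes) -> Tuple[List[Session], List[str]]:
    """Pair logins with logouts by tty line, as last(1) does, and collect
    findings that a plain `last` run would never print."""
    sessions: List[Session] = []
    findings: List[str] = []
    open_by_line = {}
    if len(data) % UTMP_SIZE:
        findings.append("size %d is not a multiple of %d: truncated or foreign layout"
                        % (len(data), UTMP_SIZE))
    last_ts = 0
    for r in parse_wtmp(data):
        if r.zeroed:
            # Log wipers usually overwrite an entry with zeros rather than
            # shrink the file; last(1) silently skips such slots.
            findings.append("slot %d is all zeros (wiped entry)" % r.slot)
            continue
        if r.ts < last_ts:    # entries are appended in order; a regression means rewriting
            findings.append("slot %d: timestamp goes backwards (%d < %d)" % (r.slot, r.ts, last_ts))
        last_ts = max(last_ts, r.ts)
        if r.ut_type == USER_PROCESS:
            s = Session(r.user, r.line, r.host, r.ts, None)
            open_by_line[r.line] = s
            sessions.append(s)
        elif r.ut_type == DEAD_PROCESS:
            s = open_by_line.pop(r.line, None)
            if s is None:     # the login record that should precede this logout is gone
                findings.append("slot %d: logout on %s without a matching login" % (r.slot, r.line))
            else:
                s.logout = r.ts
        elif r.ut_type == BOOT_TIME:   # a reboot ends every open session
            for s in open_by_line.values():
                s.logout = r.ts
            open_by_line.clear()
    return sessions, findings


def format_last(sessions: List[Session]) -> List[str]:
    """Render newest-first, roughly like last(1); UTC keeps it deterministic."""
    out = []
    for s in reversed(sessions):
        start = time.strftime("%a %b %d %H:%M", time.gmtime(s.login))
        if s.logout is None:
            end = "still logged in"
        else:
            d = s.logout - s.login
            end = "- %s  (%02d:%02d)" % (time.strftime("%H:%M", time.gmtime(s.logout)),
                                         d // 3600, d % 3600 // 60)
        out.append("%-8s %-6s %-16s %s %s" % (s.user, s.line, s.host, start, end))
    return out


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one constructed wtmp entry (test data only)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


T = 1_274_000_000   # constructed base timestamp (May 2010)
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "leconte", "114.251.86.0", T),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", T + 28 * 60),
    make_record(USER_PROCESS, 1002, "pts/1", "leconte", "121.0.29.237", T + 3600),
    b"\0" * UTMP_SIZE,                                              # entry wiped by an intruder
    make_record(DEAD_PROCESS, 1003, "pts/2", "", "", T + 5000),     # its login record is gone
    make_record(USER_PROCESS, 1004, "pts/0", "root", "10.0.0.5", T + 4000),  # out of order
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        sess, finds = analyze(fh.read())
    print("\n".join(format_last(sess)))
    for f in finds:
        print("WARNING:", f)
```

Run it against a copy of the real file (`python3 wtmpcheck.py /var/log/wtmp`, a hypothetical filename) and compare the listing with last's own; on the constructed sample it reports the zeroed slot, the orphaned logout and the timestamp regression, none of which last itself would mention. The checks are heuristics: a legitimate clock change can also produce a backwards timestamp, so treat a finding as a reason to pull the remote syslog copy, not as proof of intrusion.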
© 2010, Linux爱好者. All rights reserved. When reposting, please credit http://www.linuxers.cn

