Hello Everyone,

I have a couple of questions:

1) How do I find traces/signs of automated scripts? I think bash history contains info about the manually typed commands by keyboards, but automated scripts wont be found there in bash history.. Am I right??

2)Also where would i find the info that who logins using which shell?
i think one place is to etc/log/secure...

Please help!

Thanks in advance

No they won't be.


Login records are stored in /var/log/wtmp and /var/log/btmp and /var/log/secure is where among others PAM logs PAM login stack messages.


You should always provide distribution, user, service and other relevant details as apart from the above things depend on your setup (for instance both SELinux and Grsecurity can log say exec syscalls but you have to run and have configured one of those beforehand and both the 'at' and 'crond' services can use {at,cron}.deny files), who has access to the machine (IDS or Netfilter logging network scans and other traffic, the system recording any violations) and to some extent when you first got the hunch something could be wrong (sometimes you would be able to copy out deleted files on open file descriptors or "undelete" them). You see providing details first is vital.