From man last ...
Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays
a list of all users logged in (and out) since that file was created. Names of users and tty's can be
given, in which case last will show only those entries matching the arguments. Names of ttys can be
abbreviated, thus last 0 is the same as last tty0.
...
Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains
all the bad login attempts.
So also do lastb and see if there are any bad attempts to log in, which would indicate someone tried and finally succeeded in finding a password for that user.
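The check described above (failed attempts in btmp followed by a successful login in wtmp for the same user) can be automated. This is an added example, not part of the original post; it assumes the 384-byte Linux glibc utmp record layout on x86-64, and the function names, thresholds and sample records are constructed for illustration.

```python
import struct
from collections import defaultdict

# Assumed layout: Linux glibc struct utmp, 384 bytes on x86-64.
UTMP = struct.Struct("<h2xi32s4s32s256s2h3i4i20s")
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8  # ut_type values

def parse(blob):
    """Yield (ut_type, user, line, host, epoch) per record of a wtmp/btmp image."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        user, line, host = (f[i].split(b"\0", 1)[0].decode("utf-8", "replace")
                            for i in (4, 2, 5))
        yield f[0], user, line, host, f[9]

def guessed_logins(btmp, wtmp, min_fails=3, window=3600):
    """Successful logins preceded by >= min_fails failures for the same
    user within `window` seconds (hypothetical thresholds)."""
    fails = defaultdict(list)
    for _, user, _, _, ts in parse(btmp):   # every btmp record is a failure
        fails[user].append(ts)
    hits = []
    for typ, user, _, host, ts in parse(wtmp):
        if typ != USER_PROCESS:             # skip logouts, boots, etc.
            continue
        n = sum(1 for t in fails.get(user, ()) if ts - window <= t <= ts)
        if n >= min_fails:
            hits.append((user, host, ts, n))
    return hits

def record(typ, user, line, host, ts):
    """Pack one constructed record for the sample data below."""
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample data (documentation addresses, made-up users).
T0 = 1_700_000_000
SAMPLE_BTMP = b"".join(
    record(LOGIN_PROCESS, "alice", "ssh:notty", "203.0.113.7", T0 + 5 * i)
    for i in range(4)
) + record(LOGIN_PROCESS, "bob", "ssh:notty", "198.51.100.9", T0)
SAMPLE_WTMP = (record(USER_PROCESS, "alice", "pts/0", "203.0.113.7", T0 + 60)
               + record(USER_PROCESS, "bob", "pts/1", "192.0.2.10", T0 + 90)
               + record(DEAD_PROCESS, "", "pts/0", "", T0 + 500))

if __name__ == "__main__":
    for user, host, ts, n in guessed_logins(SAMPLE_BTMP, SAMPLE_WTMP):
        print(f"{user}: login from {host} at {ts} after {n} failed attempts")
```

To run it against a real host, read /var/log/btmp and /var/log/wtmp as bytes (btmp normally requires root) and pass them in place of the sample data.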