Linux - Newbie: This Linux forum is for members that are new to Linux.
I've just landed a new job and one of the things I have to do is to clear out all the old accounts on the Linux box (running Red Hat 6). I'm not sure who's been using the system - how can I find out what activity has been going on? I have su privileges.
Look into the last, w, and who commands. If the system has process accounting enabled, you can use lastcomm to see what commands are being run. If not, you'll have to root around the shell history files to see what people have been doing. RH6 is ancient. You should replace that machine with one running a modern OS. If that box hasn't been patched since install and it's unprotected by a firewall, it's probably been broken into many times by now.
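As an added illustration of the account clean-up (not part of the reply above), this script cross-checks a copy of /etc/passwd against saved output of the last command and lists accounts that still have a login shell but no recorded login. The function names, file names and sample data are constructed for this example.

```shell
#!/bin/sh
# stale_accounts PASSWD_FILE LAST_FILE
# Prints "name uid shell" for every account that has a login shell but no
# entry in LAST_FILE (saved output of `last`). wtmp is usually rotated, so
# "no entry" only means "no login in the period that file covers".
stale_accounts() {
    awk -F: '
        pass != 2 {                          # first file: `last` output
            n = split($0, f, " ")
            if (n > 0 && f[1] != "reboot" && f[1] != "wtmp")
                seen[substr(f[1], 1, 8)] = 1 # older `last` cuts names at 8 chars
            next
        }
        # second file: name:passwd:uid:gid:gecos:home:shell
        NF < 7 { next }                      # skip blank or malformed lines
        $7 ~ /(nologin|false|sync|shutdown|halt)$/ { next }
        !(substr($1, 1, 8) in seen) { print $1, $3, $7 }
    ' "$2" pass=2 "$1"
}

# Constructed sample data (not from the thread) so the example runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/tcsh
contractor01:x:502:502::/home/contractor01:/bin/bash
olduser:x:503:503::/home/olduser:/bin/bash
EOF
    cat > "$dir/last.txt" <<'EOF'
alice    pts/0        10.0.0.5         Mon Jan  3 09:12 - 10:01  (00:49)
contract pts/1        10.0.0.9         Sun Jan  2 14:30 - 14:55  (00:25)
root     tty1                          Sat Jan  1 08:00 - 08:05  (00:05)
reboot   system boot  2.2.14           Sat Jan  1 07:58

wtmp begins Sat Jan  1 07:58:11 2000
EOF
    stale_accounts "$dir/passwd" "$dir/last.txt"
    rm -rf "$dir"
}
demo
```

On the real machine the inputs would be /etc/passwd and the output of last redirected to a file; an account the script lists is a candidate for review, not proof that it is unused.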
Thanks for your quick reply btmiller - this is a big concern for me. I have no idea how to detect whether people have broken into the machine and the IT guy is no help. I'll try those commands tomorrow morning and let you know what I find.
If you suspect a break-in, reboot the machine from known-good media and run tools like chkrootkit or rkhunter on it. You can also sniff and analyze the network traffic coming in and out of the machine with something like tcpdump or ethereal. But definitely take a good look around the system before deciding what to do. As I said, though, your goal should be to get such an old, unsupported OS off of your company's network.
I used those commands and it looked like I was the only one logged in. The only other person that had logged in was the hosting company's administrator (I found out that the box is hosted remotely so I don't have physical access to it), and when I logged in and looked through files n stuff I saw the guy before me had left passwords like root's right in the open! Geez ... anyway, I called the hosting company and they told me that they filter by IP address so that made me feel better - hope that means only port 80 is open to the public...
I now have to make the decision as to what OS to put on the sys and maybe what new hardware to order.