2 Commands for Tracking User Activities


These commands are used to track what users have been doing on the system; they can be helpful for finding the cause of a security problem:

1) last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and ttys can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.


2) lastcomm prints out information about previously executed commands. If no arguments are specified, lastcomm will print info about all of the commands in acct (the record file). If called with one or more of command-name, user-name, or terminal-name, only records containing those items will be displayed. For example, to find out which users used the command 'a.out' and which users were logged into 'tty0', type: lastcomm a.out tty0
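To show what last works from in item 1, here is an added example (not part of the original post) that decodes wtmp records and pairs each login with its logout on the same tty. It assumes the 384-byte glibc struct utmp layout used on 64-bit Linux; the helper names and the sample records are constructed for illustration.

```python
import struct

# Assumption: glibc's 384-byte struct utmp record, as written on 64-bit Linux.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (type, tty, user, host, epoch_seconds); a truncated tail is skipped."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], _s(f[2]), _s(f[4]), _s(f[5]), f[9]

def sessions(data):
    """Return (user, tty, host, start, end); end is None when no logout was recorded."""
    open_by_tty, out = {}, []

    def close(tty, end):
        user, host, start = open_by_tty.pop(tty)
        out.append((user, tty, host, start, end))

    for typ, tty, user, host, ts in parse_wtmp(data):
        if typ == USER_PROCESS:
            if tty in open_by_tty:        # earlier login on this tty never logged out
                close(tty, None)
            open_by_tty[tty] = (user, host, ts)
        elif typ == DEAD_PROCESS and tty in open_by_tty:
            close(tty, ts)                # logout record: same tty, user field empty
        elif typ == BOOT_TIME:            # a reboot ends every session still open
            for t in list(open_by_tty):
                close(t, ts)
    for t in list(open_by_tty):           # still logged in at end of file
        close(t, None)
    return out

def make_record(typ, tty, user, host, ts):
    """Build one constructed record for the sample below."""
    return UTMP.pack(typ, 0, tty.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

SAMPLE = b"".join([                       # constructed data, not from a real host
    make_record(BOOT_TIME, "~", "reboot", "", 1198500000),
    make_record(USER_PROCESS, "tty0", "alice", "", 1198500600),
    make_record(USER_PROCESS, "pts/0", "bob", "192.0.2.10", 1198500900),
    make_record(DEAD_PROCESS, "tty0", "", "", 1198504200),
])

if __name__ == "__main__":
    for row in sessions(SAMPLE):
        print(row)
```

To run it against a real file, pass the bytes of /var/log/wtmp to sessions() instead of SAMPLE.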



