Yes! Many times this is one of the most important sources of information about a compromise or potential compromise. Consider the following forensic work submitted by David Rust.
On November 12-13th, a machine running SuSE 5.1 Linux 2.0.33 under our control was compromised, inundating our local network with traffic.
Once the machine was restored to our control, we discovered the system log files were erased, but several files were left behind, one of which was a .bash_history in the root directory.
/usr/sbin/useradd -d /home/skrilla -m -s /bin/bash skrillaThe `grep "sdn" *` command appears to search for evidence of the attacker's address. Fortunately, he left it behind with the ftp command.
In addition to that, several programs were replaced with altered versions:
Of course, passwd and shadow were attacked, effectively locking administrators out of the machine.
In addition to the above modified binaries, we found two additional files:
synk and synk4. synk contained 36 lines: ./synk4 0 $1 0 65535 >/dev/null &