sudo journalctl --since "30 days ago" | grep -E 'PWN (COMPLETE|INCOMPLETE)|dockerpwn'Host
The pwn script's terminal stdout contains the distinctive `[+] PWN COMPLETE` / `[!] PWN INCOMPLETE` banners. If the host's Docker daemon used `--log-driver=journald` or `--log-driver=local` at the time of compromise, these strings may survive in `journalctl` or per-container log files even after the carrier container is auto-removed.