From owner-freebsd-questions Mon Nov 12 19: 2:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from visar.norris-net.com (adsl-156-81-152.asm.bellsouth.net [66.156.81.152])
	by hub.freebsd.org (Postfix) with ESMTP id 8345137B416
	for ; Mon, 12 Nov 2001 19:02:19 -0800 (PST)
Received: (from derrick@localhost)
	by visar.norris-net.com (8.11.6/8.11.6) id fAD32Ib12571
	for freebsd-questions@freebsd.org; Mon, 12 Nov 2001 22:02:18 -0500 (EST)
	(envelope-from derrick)
Message-Id: <200111130302.fAD32Ib12571@visar.norris-net.com>
Content-Type: text/plain; charset="iso-8859-1"
From: Derrick Norris
Reply-To: denorris@bellsouth.net
To: freebsd-questions@freebsd.org
Subject: Where can I look for causes of a random reboot?
Date: Mon, 12 Nov 2001 22:02:18 -0500
X-Mailer: KMail [version 1.3]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Today my machine spontaneously rebooted while I was at work. I am pretty anal and log everything I can think of; my /var/log/all.log shows my machine checking mail at 14:50, then boot messages start appearing at 14:56, with nothing in between. Output of "last" just shows a reboot at 14:56, not a "crash" or anything like that. I was remotely connected to the machine during the day, but I had logged off before the reboot happened.

The machine is connected to a UPS and nut is running, but there were no messages about anything funky with the UPS and my wife said the power didn't go off today anyway.

As far as remote access, I have only sshd running on 4.4-RELEASE which should be protected against the recent sshd exploit. There are also ports open for nut, syslog, thttpd, healthd, smtp, and identd. I believe I configured most of those services (those that could be) to listen only for local connections, but some are listening to the world.
I can find no evidence of an attack but an attacker may have covered their tracks. Are there any other places I can look to see what might have caused this reboot?

Thanks,
Derrick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message