From owner-freebsd-questions Thu Nov 14 07:47:41 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA20760 for questions-outgoing; Thu, 14 Nov 1996 07:47:41 -0800 (PST)
Received: from Campino.Informatik.RWTH-Aachen.DE (campino.Informatik.RWTH-Aachen.DE [137.226.225.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA20065 for ; Thu, 14 Nov 1996 07:46:48 -0800 (PST)
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.31.2]) by Campino.Informatik.RWTH-Aachen.DE (RBI-Z-5/8.6.12) with ESMTP id QAA22773; Thu, 14 Nov 1996 16:47:00 +0100
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.6.11/8.6.9) id QAA08936; Thu, 14 Nov 1996 16:57:36 +0100
From: Christoph Kukulies
Message-Id: <199611141557.QAA08936@gilberto.physik.rwth-aachen.de>
Subject: Re: Hackers?
In-Reply-To: <199611141447.PAA02691@login.bigblue.no> from Frode Nordahl at "Nov 14, 96 03:47:56 pm"
To: froden@bigblue.no
Date: Thu, 14 Nov 1996 16:57:35 +0100 (MET)
Cc: questions@FreeBSD.org
Reply-To: Christoph Kukulies
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> Last night, one of our FreeBSD 2.1.5 machines rebooted. There is no entry of it in the messages file, but the lastlog says this
>
> xxx ttyp0 xxxx Thu Nov 14 02:11 - 02:13 (00:01)
> reboot ~ Thu Nov 14 02:01
> xxxx ttyp7 xxxxxxxxx Thu Nov 14 00:36 - 00:44 (00:07)
>
> (Usernames and hostnames of the entry above/under are scratched out...)

I assume that *you* scratched out the usernames in your posting rather than
the presumed hacker in the wtmp file :-)

/etc/daily starts (normally) at 2 o'clock a.m. so I assume it has been some
system flakiness (hardware) that caused your system to reboot.
I've seen reboots as well sometimes which were not initiated by a user and
were not flagged as a crash.

>
> As you can see, no one was logged on at the time. The messages file has no entries of the activity other than the kernel
> startup messages.
>
> Can a FreeBSD box do this of itself if it gets into trouble? Memory fault, disk fault or something like that? Or do we have reason
> to believe this is hacker activity?
>
> In any case, what should we do??
>

--Chris
Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
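
The correlation discussed in this thread, as an added example that is not part of the original messages: it parses `last`-style lines, lists sessions that were open at each reboot record, and flags reboots that fall just after the 2 a.m. /etc/daily start mentioned in the reply. The function names, the 30-minute window and the year argument (`last` output carries no year) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `last` output quoted in the post;
# user and host names are masked placeholders, as in the original.
SAMPLE = """\
xxx        ttyp0    xxxx       Thu Nov 14 02:11 - 02:13  (00:01)
reboot     ~                   Thu Nov 14 02:01
xxxx       ttyp7    xxxxxxxxx  Thu Nov 14 00:36 - 00:44  (00:07)
"""

ENTRY = re.compile(r"^(\S+)\s.*?(\w{3} \w{3} [ \d]\d \d\d:\d\d)(?: - (\S+))?")

def parse_last(text, year):
    """Split `last`-style lines into reboot times and (user, start, end) sessions."""
    reboots, sessions = [], []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        user, stamp, end_tok = m.groups()
        start = datetime.strptime(f"{year} {stamp}", "%Y %a %b %d %H:%M")
        if user == "reboot":
            reboots.append(start)
            continue
        end = None  # no logout time recorded: treat the session as open
        if end_tok and re.fullmatch(r"\d\d:\d\d", end_tok):
            h, mi = map(int, end_tok.split(":"))
            end = start.replace(hour=h, minute=mi)
            if end < start:  # logout after midnight
                end += timedelta(days=1)
        sessions.append((user, start, end))
    return reboots, sessions

def triage(text, year, job_hour=2, window_min=30):
    """For each reboot: users with a session open then, and job-window overlap."""
    reboots, sessions = parse_last(text, year)
    report = []
    for rb in reboots:
        active = [u for u, s, e in sessions if s <= rb and (e is None or e >= rb)]
        job = rb.replace(hour=job_hour, minute=0)  # assumed job start, same day
        in_window = timedelta(0) <= rb - job <= timedelta(minutes=window_min)
        report.append({"reboot": rb, "active_users": active,
                       "in_job_window": in_window})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE, 1996):
        print(row)
```

An empty `active_users` list only says that wtmp holds no session spanning the reboot; it does not cover activity that never wrote a wtmp record.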