Date:      Sun, 21 May 2000 17:50:26 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Khairuddin Abdul Ghani <abdulgha@usc.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: mysterious shutdowns
Message-ID:  <20000521175026.I96573@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <00b401bfc354$31b72aa0$6f1f7d80@phoenix>; from abdulgha@usc.edu on Sun, May 21, 2000 at 11:41:36AM -0700
References:  <00b401bfc354$31b72aa0$6f1f7d80@phoenix>

On Sun, May 21, 2000 at 11:41:36AM -0700, Khairuddin Abdul Ghani wrote:
> Hello.
> 
> First thanks to Crist for helping me with my talkd problem, but now there
> seems to be something more sinister happening on my machine.
> 
> At least once a day, the machine would 'shutdown' (as noted in the 'last'
> output) mysteriously for no apparent reason. What bothers me is that just
> before or during each shutdown, there would be a ton of traffic going into
> the machine (an outside attack it seems). Unfortunately, nothing seems to be
> logged, because syslogd dies during the shutdown. Sometimes certain
> libraries like mm and tcl which are heavily used would disappear.
> 
> At the moment I'm trying to log incoming connections with log_in_vain, and
> maybe just running tcpdump indefinitely. If there are any better ways,
> please tell. I have IPFIREWALL compiled with log amount of 50 and VERBOSE.
> 
> Best regards, Rudy.
> 
> eg. last | grep shutdown:
> shutdown         ~                         Fri May 19 15:09
> flash            ttypm    194.133.37.38    Fri May 19 15:04 - shutdown (00:05)
> misterio         ttyp5    62.11.132.164    Fri May 19 15:01 - shutdown (00:07)
> di0lam0r         ttypb    a-na12-61.tin.it Fri May 19 12:44 - shutdown (02:24)
> xgen             ttyp6    res-3617.usc.edu Fri May 19 10:59 - shutdown (04:09)
> 
> /var/log/messages:
> May 21 05:21:47 sage syslogd: exiting on signal 15

You wouldn't happen to have accounting running? Then you could see
what user executed the command (and see all the commands all users
have been doing too). Do you have the default permissions on
/sbin/shutdown?

  -r-sr-x---  1 root  operator  151728 Feb  7 03:00 /sbin/shutdown

Are any of your users in group operator?
-- 
Crist J. Clark                           cjclark@home.com
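
The two checks the reply asks about (default permissions on /sbin/shutdown, and who is in group operator), as an added shell example that is not part of the original message. The function names and the sample accounts alice and bob are constructed for illustration; the expected mode, owner and group are taken from the ls line quoted in the reply.

```sh
#!/bin/sh
# Added example, not from the thread. The expected values are the defaults
# shown in the ls line quoted in the reply.
EXPECT_MODE='-r-sr-x---' EXPECT_OWNER='root' EXPECT_GROUP='operator'

# check_perms "<ls -l line>": print each field that differs from the default;
# return 0 only when mode, owner and group all match.
check_perms() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    rc=0
    [ "$mode" = "$EXPECT_MODE" ] || { echo "mode $mode, expected $EXPECT_MODE"; rc=1; }
    [ "$owner" = "$EXPECT_OWNER" ] || { echo "owner $owner, expected $EXPECT_OWNER"; rc=1; }
    [ "$group" = "$EXPECT_GROUP" ] || { echo "group $group, expected $EXPECT_GROUP"; rc=1; }
    return $rc
}

# group_members <group-file> <passwd-file> <group>: print every account in the
# group, whether named in the group file's member list or holding the group's
# GID as its primary group in the passwd file. Returns 1 if the group is absent.
group_members() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$1")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# audit "<ls -l line>" <group-file> <passwd-file>: report on both questions.
audit() {
    check_perms "$1" && echo "permissions match the default"
    echo "accounts in group $EXPECT_GROUP:"
    group_members "$2" "$3" "$EXPECT_GROUP"
}

# Offline demo on constructed data: alice is a listed member of operator and
# bob has operator (GID 5) as his primary group. On a live host run instead:
#   audit "$(ls -ld /sbin/shutdown)" /etc/group /etc/passwd
tmp=$(mktemp -d)
printf 'wheel:*:0:root\noperator:*:5:root,alice\n' >"$tmp/group"
printf 'alice:*:1001:1001::/home/alice:/bin/sh\nbob:*:1002:5::/home/bob:/bin/sh\n' >"$tmp/passwd"
audit "-r-sr-x---  1 root  operator  151728 Feb  7 03:00 /sbin/shutdown" "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

The primary-GID pass matters because an account whose login group is operator never appears in the member field of the group file.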

