Date: Fri, 26 May 2000 17:05:51 -0700
From: "Khairuddin Abdul Ghani" <abdulgha@usc.edu>
To: "Dan Nelson" <dnelson@emsphone.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: mysterious shutdowns (cont.)
Message-ID: <010f01bfc76f$51c5ad70$6f1f7d80@phoenix>
References: <009f01bfc731$4beea840$6f1f7d80@phoenix> <20000526121737.A8451@dan.emsphone.com>

Hi.

----- Original Message -----
From: "Dan Nelson" <dnelson@emsphone.com>
Sent: Friday, May 26, 2000 10:17 AM
Subject: Re: mysterious shutdowns (cont.)

> In the last episode (May 26), Khairuddin Abdul Ghani said:
> > Hello. Here's the followup to the mysterious clean shutdowns
> > that the machine was experiencing before.
> >
> > Looks like the last downtime was caused by those weird shutdowns again:
> > reboot ~ Fri May 26 08:15
> > shutdown ~ Fri May 26 08:14
> > reboot ~ Fri May 26 05:39
> > shutdown ~ Fri May 26 05:33
>
> Hmm. If a shutdown record got added, check /var/log/messages for a line
> like
>
> May 20 12:37:42 machine1 shutdown: reboot by user1:
>
> At least you'll find out who shut it down.

The reboots were done manually I think, but I don't think the shutdowns
were. I already removed the shutdown binary off the system, and syslogd
doesn't show anything because it gets killed before/during from a TERM
signal.

> > I checked each shutdown instance against process accounting,
> > and I found that each would contain at least the following
> > (in sequence):
>
> Did you find any "shutdown" or "reboot" commands in the accounting logs?

Nope. None at all. The reboots were done by on-site staff, not sure how
they did it though.

Btw, I didn't mention that before a shutdown there would be a huge
increase in incoming network traffic, probably an attack of some sort.