Message-ID: <010f01bfc76f$51c5ad70$6f1f7d80@phoenix>
From: "Khairuddin Abdul Ghani"
To: "Dan Nelson"
References: <009f01bfc731$4beea840$6f1f7d80@phoenix> <20000526121737.A8451@dan.emsphone.com>
Subject: Re: mysterious shutdowns (cont.)
Date: Fri, 26 May 2000 17:05:51 -0700

Hi.

----- Original Message -----
From: "Dan Nelson"
Sent: Friday, May 26, 2000 10:17 AM
Subject: Re: mysterious shutdowns (cont.)

> In the last episode (May 26), Khairuddin Abdul Ghani said:
> > Hello. Here's the followup to the mysterious clean shutdowns
> > that the machine was experiencing before.
> >
> > Looks like the last downtime was caused by those weird shutdowns again:
> > reboot ~ Fri May 26 08:15
> > shutdown ~ Fri May 26 08:14
> > reboot ~ Fri May 26 05:39
> > shutdown ~ Fri May 26 05:33
>
> Hmm. If a shutdown record got added, check /var/log/messages for a line
> like
>
> May 20 12:37:42 machine1 shutdown: reboot by user1:
>
> At least you'll find out who shut it down.

The reboots were done manually I think, but I don't think the shutdowns were. I already removed the shutdown binary off the system, and syslogd doesn't show anything because it gets killed before/during from a TERM signal.

> > I checked each shutdown instance against process accounting,
> > and I found that each would contain at least the following
> > (in sequence):
>
> Did you find any "shutdown" or "reboot" commands in the accounting logs?

Nope. None at all. The reboots were done by on-site staff, not sure how they did it though.

Btw, I didn't mention that before a shutdown there would be a huge increase in incoming network traffic, probably an attack of some sort.
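Added example, not part of the original message: a small Python check that pairs each `shutdown` record from `last` with a `shutdown:` line in /var/log/messages and reports the records that have no attributing line, which is the situation the thread describes. The syslog sample lines, the function names, the year and the 5-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# `last` records as quoted in the message above.
LAST_OUTPUT = """\
reboot ~ Fri May 26 08:15
shutdown ~ Fri May 26 08:14
reboot ~ Fri May 26 05:39
shutdown ~ Fri May 26 05:33
"""
# Constructed syslog lines (not from the real machine), in the format
# Dan Nelson's reply shows.
SYSLOG = """\
May 26 05:30:02 machine1 /kernel: constructed unrelated line
May 26 08:13:58 machine1 shutdown: reboot by user1:
"""

LAST_RE = re.compile(r"^shutdown\s+~\s+\w{3}\s+(\w{3}\s+\d+\s+\d\d:\d\d)")
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ shutdown: (.*)$")

def shutdown_records(last_text, year):
    """Timestamps of 'shutdown' pseudo-user records in `last` output."""
    out = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if m:  # neither log carries a year, so it is supplied by the caller
            out.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M"))
    return out

def syslog_shutdowns(log_text, year):
    """(timestamp, message) for every line logged by shutdown(8)."""
    out = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def unattributed(last_text, log_text, year=2000, window=timedelta(minutes=5)):
    """Shutdown records with no syslog 'shutdown:' line within the window."""
    logged = syslog_shutdowns(log_text, year)
    return [t for t in shutdown_records(last_text, year)
            if not any(abs(t - ts) <= window for ts, _ in logged)]

if __name__ == "__main__":
    for t in unattributed(LAST_OUTPUT, SYSLOG):
        print("no shutdown(8) log line near", t)
```

A record that comes back from `unattributed` was written to wtmp without shutdown(8) logging a user, so process accounting and network logs for the minutes before that timestamp are the next place to look.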