From owner-freebsd-questions Thu Nov 14 12:53:19 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA04714 for questions-outgoing; Thu, 14 Nov 1996 12:53:19 -0800 (PST)
Received: from jack.colorado.edu (jack.Colorado.EDU [128.138.149.29]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA04702 for ; Thu, 14 Nov 1996 12:53:07 -0800 (PST)
Received: from jack (localhost [127.0.0.1]) by jack.colorado.edu (8.7.6/8.7.3/CNS-4.0p) with SMTP id NAA03227; Thu, 14 Nov 1996 13:53:01 -0700 (MST)
Message-ID: <328B86AD.700D@Colorado.EDU>
Date: Thu, 14 Nov 1996 13:53:01 -0700
From: "Mark O'Lear"
Organization: University of Colorado
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.4 sun4m)
MIME-Version: 1.0
To: Frode Nordahl
CC: "questions@freebsd.org"
Subject: Re: Hackers?
References: <199611141447.PAA02691@login.bigblue.no>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Frode Nordahl wrote:
>
> Last night, one of our FreeBSD 2.1.5 machines rebooted. There is no entry of it in the messages file, but the lastlog says this
>
> xxx ttyp0 xxxx Thu Nov 14 02:11 - 02:13 (00:01)
> reboot ~ Thu Nov 14 02:01
> xxxx ttyp7 xxxxxxxxx Thu Nov 14 00:36 - 00:44 (00:07)
>
> (Usernames and hostnames of the entry above/under are scratched out...)
>
> As you can see, no one was logged on at the time. The messages file has no entries of the activity other than the kernel
> startup messages.
>
> Can a FreeBSD box do this of itself if it gets into trouble? Memory fault, disk fault or something like that? Or do we have reason
> to believe this is hacker activity?
>
> In any case, what should we do??

I had a 2.2-960501-SNAP do this to me the other night as well (after being up over 80 days). I can find no indication that anyone did anything as well.

xxxxxxxx cuaa0 Sat Nov 9 11:04 - 12:42 (01:37)
reboot ~ Sat Nov 9 03:45
xxxxxxxx cuaa0 Fri Nov 8 19:18 - 19:23 (00:04)

--
Mark O'Lear              \ e-mail: Mark.Olear@Colorado.EDU
University of Colorado   \ phone: (303) 492-3798
Telecomm. Svcs. (CB 313) \ fax: (303) 492-5105
Boulder, CO 80309        \