Date: Thu, 16 Sep 2010 09:49:30 -0700 From: Jeremy Chadwick <freebsd@jdc.parodius.com> To: Michael BlackHeart <amdmiek@gmail.com> Cc: freebsd-stable@freebsd.org Subject: Re: FreeBSD 8.1 Stable Unreasanoble Rebooting Message-ID: <20100916164930.GA31869@icarus.home.lan> In-Reply-To: <AANLkTimGZOwf5USXD4ANLBq0EBR1LvBakKAH88pmTLo%2B@mail.gmail.com> References: <AANLkTimGZOwf5USXD4ANLBq0EBR1LvBakKAH88pmTLo%2B@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 16, 2010 at 08:37:29PM +0400, Michael BlackHeart wrote:
> Today I've got a pretty strange event. It looks like a reboot but
> unreasonable as far as I see. Before server's uptime was over month,
> it's sometimes have to reboot for kernel updates or somethings like
> that. I've digen all logs and didn't find a reason, so here they all.
>
> auth.log
> Sep 16 13:59:58 diablo sshd[2284]: Received signal 15; terminating.
> Sep 16 14:04:26 diablo sshd[2290]: Server listening on 0.0.0.0 port 22442.
>
> cron - nothing
> debug.log - nothing
> dmesg - nothing
>
> messages
> Sep 16 13:44:55 diablo transmission-daemon[7965]: Couldn't create
> socket: Protocol not supported (fdlimit.c:651)
> Sep 16 13:45:31 diablo last message repeated 5 times
> Sep 16 13:47:23 diablo last message repeated 13 times
> Sep 16 13:57:40 diablo last message repeated 51 times
> Sep 16 13:59:48 diablo last message repeated 12 times
> Sep 16 14:00:18 diablo named[1575]: stopping command channel on 127.0.0.1#953
> Sep 16 14:00:18 diablo named[1575]: exiting
> Sep 16 14:00:18 diablo syslogd: exiting on signal 15
> Sep 16 14:02:31 diablo syslogd: kernel boot file is /boot/kernel/kernel
> Sep 16 14:02:31 diablo kernel: Copyright (c) 1992-2010 The FreeBSD Project.
> {...}
This sure looks like a legitimate reboot to me (e.g. shutdown -r now);
note how your system daemons (named, syslogd) are being shut down with
SIGTERM. You can check with "last" (shutdown/reboot vs. crash).
<paranoid>
I would highly recommend taking this machine offline and reinstalling
the OS, in addition to newfs'ing all existing filesystems (restore from
last known good backup). buildworld/installworld and
buildkernel/installkernel may not be enough depending on what the
individual did. It's likely the machine could be compromised in some
way, especially if there's any service on it which is public-facing,
regardless of authentication mechanisms you've deployed in front of it.
</paranoid>
--
| Jeremy Chadwick jdc@parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100916164930.GA31869>