Anthony DeRobertis wrote: > On Thu, 2003-11-27 at 07:59, Haim Ashkenazi wrote: > >> ... >> ov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6 >> Nov 26 22:26:19 ns-ilweb1 qmail: 1069878379.427182 status: exiting >> Nov 26 22:26:20 ns-ilweb1 ntpd[32551]: ntpd exiting on signal 15 >> Nov 26 22:26:22 ns-ilweb1 exiting on signal 15 >> Nov 26 22:28:09 ns-ilweb1 syslogd 1.4.1#10: restart. > > FYI, that looks like it may be a keyboard Ctrl-Alt-Del. Here is what one > looks like in syslog: > > Nov 27 08:05:52 galileo init: Switching to runlevel: 6 > Nov 27 08:05:54 galileo kernel: NVRM: AGPGART: freed 16 pages > Nov 27 08:05:55 galileo last message repeated 2 times > Nov 27 08:05:55 galileo kernel: NVRM: AGPGART: backend released > Nov 27 08:05:55 galileo xfs[551]: terminating > Nov 27 08:05:56 galileo ntpd[554]: ntpd exiting on signal 15 > Nov 27 08:05:57 galileo kernel: usb.c: USB disconnect on device 1 > ... > Nov 27 08:05:57 galileo kernel: Kernel logging (proc) stopped. > Nov 27 08:05:57 galileo kernel: Kernel log daemon terminating. > Nov 27 08:05:57 galileo exiting on signal 15 > > Naturally, you won't see AGPGART or xfs (X font server) messages on a > web server. > >> ... >> >> I've run chkrootkit (last version from unstable) and it didn't find >> anything. I've gone to the logs and didn't see nothing suspicious. >> (messages, wtmp, faillog, authlog, kern.log). >> >> also, nothing suspicious in '/root/bash_history'. > > but, was there a shutdown -r now or the like? If there were, then it would be suspicious... ;-) I also saw the commands I've run a few hours before ( although if someone broke in, he could have deleted just his commands...).
> > /me expected Sherlock Holmes to pop up commenting about the LACK of > something happening being quite suspicious\ it's true, but I guess that it was the night tech doing ALT+CTRL+DEL and affraid to come forward. > >> >> Is there anything else I can do to check why it rebooted suddenly? > > Possibly, take the on-duty tech at the colo out to a pub. Also, running > something like 'debsums' would be warranted.[0] > > [0] Debsums, of course, can only prove that something is wrong, not > that something isn't. I'll try that, I'll also compare the checksum of some important binaries between this host and some other woody servers I've got. thanx -- Haim
