Hello,

We've been getting strange reboots which were formerly attributed to a possible bad UPS. This is a brand new install (I know anything is possible, but..) Does this look strange?

Oct 23 15:22:14 callisto in.ftpd[722]: connect from 212.56.149.116 (212.56.149.116)
Oct 23 15:28:40 callisto init: Switching to runlevel: 6
Oct 23 15:28:44 callisto sshd[234]: Received signal 15; terminating.
Oct 23 15:28:44 callisto kernel: Kernel logging (proc) stopped.
Oct 23 15:28:44 callisto kernel: Kernel log daemon terminating.
Oct 23 15:28:45 callisto exiting on signal 15
Oct 23 15:29:55 callisto syslogd 1.3-3: restart.
.....
Oct 30 00:15:18 callisto su: (to nobody) root on none
Oct 30 00:15:18 callisto PAM-unix2[6375]: session started for user nobody, service su
Oct 30 00:15:24 callisto PAM-unix2[6375]: session finished for user nobody, service su
Oct 30 00:36:11 callisto init: Switching to runlevel: 6
Oct 30 00:36:12 callisto PAM-unix2[4230]: session finished for user root, service su
Oct 30 00:36:15 callisto sshd[233]: Received signal 15; terminating.
Oct 30 00:36:15 callisto kernel: Kernel logging (proc) stopped.
Oct 30 00:36:15 callisto kernel: Kernel log daemon terminating.
Oct 30 00:36:16 callisto exiting on signal 15
Oct 30 00:37:30 callisto syslogd 1.3-3: restart.
.....

-Brian
Hi,

On Tuesday 30 October 2001 16:42, you wrote:
> Hello,
>
> We've been getting strange reboots which were formerly attributed to a possible bad UPS. This is a brand new install (I know anything is possible, but..) Does this look strange?
>
> Oct 23 15:28:40 callisto init: Switching to runlevel: 6
> ...
> Oct 30 00:36:11 callisto init: Switching to runlevel: 6

Well, init runlevel 6 is (intentional) reboot. Nothing strange here other than you not knowing who reboots your machine. Which raises the question whether (a) other people know your root password, (b) anyone can use ctrl-alt-del if it's not disabled, or (c) kdm lets anyone shut down the machine. (a), (b) and (c) all considered insecure ... ;-)

Check the login entries ("last") who was logged in at the reboot times and beat him/her up (unless it was a cracker).

> -Brian

Regards,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Tel.: +49-251-83-33557
Fax: +49-251-83-39083
E-Mail (work): lewelin@uni-muenster.de
Hi Martin,

@ 12:06:00 PM on 10/30/2001, Martin Leweling wrote:

ML> Well, init runlevel 6 is (intentional) reboot.

Yep, knew that. :-) (I realize I sound like (and probably am) an idiot when it comes to this stuff though.)

ML> Nothing strange here other than you not knowing who reboots your
ML> machine. Which raises the question whether (a) other people know
ML> your root password, (b) anyone can use ctrl-alt-del if it's not
ML> disabled, or (c) kdm lets anyone shut down the machine. (a), (b)
ML> and (c) all considered insecure ... ;-)

Well there's only two possibilities: me or the other admin. The other admin suggested I ask the list. (he's a very good friend, no worries there.) The first I listed is really only what I'm worried about. The second looks like updatedb?

ML> Check the login entries ("last") who was logged in at the reboot
ML> times and beat him/her up (unless it was a cracker).

ftp ftp pD9E1D669.dip.t- Tue Oct 30 04:52 - 04:52 (00:00)
reboot system boot 2.4.12-4GB Tue Oct 30 00:37 (12:33)
mk pts/0 user531.io-mar Mon Oct 29 16:40 - down (07:55)
....

mk was me last night..

reboot system boot 2.4.12-4GB Sun Oct 28 23:18 (1+01:17)
ftp ftp pD9E42DCC.dip.t- Sun Oct 28 15:27 - 15:27 (00:00)
ftp ftp p3EE20C83.dip.t- Sun Oct 28 12:42 - 12:42 (00:00)
....

No idea who pD9E42DCC.dip.t- is. But I've seen various connection attempts from various hosts and realize sometimes it's just normal probing. Could the one right before the reboot just be a coincidence?

Earlier I realized that SuSE has an ftp user set up by default(!), but enabling ftpd was my own doing. Needless to say, I don't want anonymous ftp so I removed the `ftp' user. The system was updated/patched before the 23rd (right after 7.2 was installed) and nmap only gives me 21, 22, 37, 80, 443, and 3306 (which was/are expected..).

I'm hoping I'm just being paranoid and the system is rebooting because of something else..

-Brian
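Added example, not part of either message: a small Python script that does the correlation discussed in this thread, listing for every switch to runlevel 6 what syslog recorded in the half hour before it and which PAM sessions were closed by the shutdown. The sample lines are copied from the syslog excerpt in the first message; the year 2001, the 30-minute look-back, the 5-second window and the helper name `reboot_context` are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the syslog excerpt in the first message of the thread.
SAMPLE = """\
Oct 23 15:22:14 callisto in.ftpd[722]: connect from 212.56.149.116 (212.56.149.116)
Oct 23 15:28:40 callisto init: Switching to runlevel: 6
Oct 30 00:15:18 callisto su: (to nobody) root on none
Oct 30 00:15:18 callisto PAM-unix2[6375]: session started for user nobody, service su
Oct 30 00:15:24 callisto PAM-unix2[6375]: session finished for user nobody, service su
Oct 30 00:36:11 callisto init: Switching to runlevel: 6
Oct 30 00:36:12 callisto PAM-unix2[4230]: session finished for user root, service su
"""

# Fields: timestamp, host, program, optional [pid], message.
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")
SESSION_END = re.compile(r"session finished for user (\S+), service (\S+)")

def parse(text, year):
    # Lines without a "program:" tag (e.g. "exiting on signal 15") are skipped.
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, _host, prog, pid, msg = m.groups()
            # syslog timestamps carry no year, so it is supplied (assumption).
            yield datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), prog, pid, msg

def reboot_context(text, year=2001, before=timedelta(minutes=30),
                   after=timedelta(seconds=5)):
    """For each switch to runlevel 6, collect what was logged just before it and
    which PAM sessions ended right after it (still open when shutdown began)."""
    events = list(parse(text, year))
    report = []
    for when, prog, _pid, msg in events:
        if prog != "init" or "Switching to runlevel: 6" not in msg:
            continue
        preceding = [e for e in events if when - before <= e[0] < when]
        open_at_reboot = []
        for t, _prog, pid, m2 in events:
            s = SESSION_END.search(m2)
            if s and when <= t <= when + after:
                open_at_reboot.append((s.group(1), s.group(2), pid))
        report.append({"reboot": when, "preceding": preceding,
                       "open_at_reboot": open_at_reboot})
    return report

if __name__ == "__main__":
    for r in reboot_context(SAMPLE):
        print("reboot at", r["reboot"], "sessions still open:", r["open_at_reboot"])
        for t, prog, pid, msg in r["preceding"]:
            print("   ", t.time(), prog, pid or "-", msg)
```

On a live system the same function can be fed the contents of the syslog file instead of `SAMPLE`, and the reported times compared against the `reboot` and `down` entries in `last`.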
participants (2)
- Brian Clark
- Martin Leweling