Re: strange reboot on woody

To: debian-security@lists.debian.org
Subject: Re: strange reboot on woody
From: Haim Ashkenazi <haim@babysnakes.org>
Date: Sat, 29 Nov 2003 13:57:40 +0200
Message-id: <[🔎] bqa1jl$gdb$1@sea.gmane.org>
References: <[🔎] bq4sfg$9f9$1@sea.gmane.org> <[🔎] 1070094283.2640.28.camel@bohr.local>

Anthony DeRobertis wrote:

> On Thu, 2003-11-27 at 07:59, Haim Ashkenazi wrote:
> 
>> ...
>> ov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6
>> Nov 26 22:26:19 ns-ilweb1 qmail: 1069878379.427182 status: exiting
>> Nov 26 22:26:20 ns-ilweb1 ntpd[32551]: ntpd exiting on signal 15
>> Nov 26 22:26:22 ns-ilweb1 exiting on signal 15
>> Nov 26 22:28:09 ns-ilweb1 syslogd 1.4.1#10: restart.
> 
> FYI, that looks like it may be a keyboard Ctrl-Alt-Del. Here is what one
> looks like in syslog:
> 
> Nov 27 08:05:52 galileo init: Switching to runlevel: 6
> Nov 27 08:05:54 galileo kernel: NVRM: AGPGART: freed 16 pages
> Nov 27 08:05:55 galileo last message repeated 2 times
> Nov 27 08:05:55 galileo kernel: NVRM: AGPGART: backend released
> Nov 27 08:05:55 galileo xfs[551]: terminating
> Nov 27 08:05:56 galileo ntpd[554]: ntpd exiting on signal 15
> Nov 27 08:05:57 galileo kernel: usb.c: USB disconnect on device 1
> ...
> Nov 27 08:05:57 galileo kernel: Kernel logging (proc) stopped.
> Nov 27 08:05:57 galileo kernel: Kernel log daemon terminating.
> Nov 27 08:05:57 galileo exiting on signal 15
> 
> Naturally, you won't see AGPGART or xfs (X font server) messages on a
> web server.
> 
>> ...
>> 
>> I've run chkrootkit (last version from unstable) and it didn't find
>> anything. I've gone to the logs and didn't see nothing suspicious.
>> (messages, wtmp, faillog, authlog, kern.log).
>> 
>> also, nothing suspicious in '/root/bash_history'.
> 
> but, was there a shutdown -r now or the like?
If there were, then it would be suspicious... ;-)
I also saw the commands I've run a few hours before ( although if someone
broke in, he could have deleted just his commands...).

> 
> /me expected Sherlock Holmes to pop up commenting about the LACK of
> something happening being quite suspicious\
it's true, but I guess that it was the night tech doing ALT+CTRL+DEL and
affraid to come forward. 
> 
>> 
>> Is there anything else I can do to check why it rebooted suddenly?
> 
> Possibly, take the on-duty tech at the colo out to a pub. Also, running
> something like 'debsums' would be warranted.[0]
> 
> [0] Debsums, of course, can only prove that something is wrong, not
>     that something isn't.
I'll try that, I'll also compare the checksum of some important binaries
between this host and some other woody servers I've got.

thanx
--
Haim

Reply to:

References:
- strange reboot on woody
  - From: Haim Ashkenazi <haim@babysnakes.org>
- Re: strange reboot on woody
  - From: Anthony DeRobertis <asd@suespammers.org>

Prev by Date: Re: Improved Debian Project Emergency Communications
Next by Date: Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)
Previous by thread: Re: strange reboot on woody
Next by thread: Re: strange reboot on woody
Index(es):
- Date
- Thread