From owner-freebsd-questions  Tue Apr 28 16:23:58 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA06361
          for freebsd-questions-outgoing; Tue, 28 Apr 1998 16:23:58 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from frankenstein.bluetongue.com (frankenstein.bluetongue.com [203.31.198.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA06298
          for <questions@freebsd.org>; Tue, 28 Apr 1998 16:23:40 -0700 (PDT)
          (envelope-from drew@bluetongue.com.au)
Received: from bluetongue.com.au (jade.bluetongue.com [203.31.198.30])
	by frankenstein.bluetongue.com (8.8.5/8.8.5) with ESMTP id JAA00730
	for <questions@freebsd.org>; Wed, 29 Apr 1998 09:23:30 +1000 (EST)
Message-ID: <35466481.58609866@bluetongue.com.au>
Date: Wed, 29 Apr 1998 09:21:37 +1000
From: Andrew Heath <drew@bluetongue.com.au>
Organization: Blue Tongue Software
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: questions@FreeBSD.ORG
Subject: When is a crash not a crash?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have just come up with some interesting log entries. It seems that my
system believes that it has just crashed and rebooted, however, it does
not appear that this happened, and the logs don't believe that it did
either. Moreover, I am still logged onto the machine!

#last -10
reboot   ~                         Wed Apr 29 08:50
drew     ttyp0    jade             Wed Apr 29 08:46 - crash  (00:03)
...

#uptime
9:17AM  up 15 hrs, 2 users, load averages: 0.01, 0.06, 0.05

#cat /var/log/messages
<snip>
Apr 29 08:46:44 skink login: login from jade.bluetongue.com on ttyp0 as
drew
Apr 29 08:46:51 skink su: drew to root on /dev/ttyp0
Apr 29 08:50:17 skink popper[10099]: (v2.3) Unable to get canonical name
of client, err = 0
Apr 29 08:51:05 skink popper[10115]: (v2.3) Unable to get canonical name
of client, err = 0
</snip>

As you can see, "last" believes there was a reboot, everything else says
no. Could this be a hacker or some such activity?

Comments please.

Drew


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message