From: Jeremy Chadwick
To: Michael BlackHeart
Cc: freebsd-stable@freebsd.org
Date: Thu, 16 Sep 2010 09:49:30 -0700
Subject: Re: FreeBSD 8.1 Stable Unreasanoble Rebooting
Message-ID: <20100916164930.GA31869@icarus.home.lan>

On Thu, Sep 16, 2010 at 08:37:29PM +0400, Michael BlackHeart wrote:
> Today I've got a pretty strange event. It looks like a reboot but
> unreasonable as far as I see. Before, the server's uptime was over a month;
> it sometimes has to reboot for kernel updates or something like
> that. I've dug through all logs and didn't find a reason, so here they all are.
>
> auth.log
> Sep 16 13:59:58 diablo sshd[2284]: Received signal 15; terminating.
> Sep 16 14:04:26 diablo sshd[2290]: Server listening on 0.0.0.0 port 22442.
>
> cron - nothing
> debug.log - nothing
> dmesg - nothing
>
> messages
> Sep 16 13:44:55 diablo transmission-daemon[7965]: Couldn't create
> socket: Protocol not supported (fdlimit.c:651)
> Sep 16 13:45:31 diablo last message repeated 5 times
> Sep 16 13:47:23 diablo last message repeated 13 times
> Sep 16 13:57:40 diablo last message repeated 51 times
> Sep 16 13:59:48 diablo last message repeated 12 times
> Sep 16 14:00:18 diablo named[1575]: stopping command channel on 127.0.0.1#953
> Sep 16 14:00:18 diablo named[1575]: exiting
> Sep 16 14:00:18 diablo syslogd: exiting on signal 15
> Sep 16 14:02:31 diablo syslogd: kernel boot file is /boot/kernel/kernel
> Sep 16 14:02:31 diablo kernel: Copyright (c) 1992-2010 The FreeBSD Project.
> {...}

This sure looks like a legitimate reboot to me (e.g. shutdown -r now);
note how your system daemons (named, syslogd) are being shut down with
SIGTERM. You can check with "last" (shutdown/reboot vs. crash).

I would highly recommend taking this machine offline and reinstalling
the OS, in addition to newfs'ing all existing filesystems (restore from
last known good backup). buildworld/installworld and
buildkernel/installkernel may not be enough depending on what the
individual did.

It's likely the machine could be compromised in some way, especially if
there's any service on it which is public-facing, regardless of
authentication mechanisms you've deployed in front of it.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
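
Added example, not part of the original message or of any FreeBSD tool: a small Python triage script that applies the reply's observation (daemons stopped by SIGTERM before the boot marker) to a /var/log/messages excerpt and labels each boot as orderly or not. The function name, the record fields and the Sep 20 log lines are assumptions made for illustration; the Sep 16 lines are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample. The Sep 16 lines are the /var/log/messages excerpt quoted
# in the thread; the Sep 20 lines are invented to show the unclean case.
SAMPLE = """\
Sep 16 13:59:48 diablo last message repeated 12 times
Sep 16 14:00:18 diablo named[1575]: stopping command channel on 127.0.0.1#953
Sep 16 14:00:18 diablo named[1575]: exiting
Sep 16 14:00:18 diablo syslogd: exiting on signal 15
Sep 16 14:02:31 diablo syslogd: kernel boot file is /boot/kernel/kernel
Sep 16 14:02:31 diablo kernel: Copyright (c) 1992-2010 The FreeBSD Project.
Sep 20 03:11:07 diablo named[1580]: client 192.0.2.7#5353: query denied
Sep 20 03:15:42 diablo syslogd: kernel boot file is /boot/kernel/kernel
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (.*)$")
STOP = re.compile(r"^([\w.-]+)(?:\[\d+\])?: .*?\b(?:exiting|terminating)\b")

def classify_boots(text):
    """Return one record per boot marker found in a syslog excerpt."""
    boots, prev, stops = [], None, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog omits the year; a fixed leap year keeps Feb 29 parseable
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("syslogd: kernel boot file is"):
            # Orderly only if syslogd's SIGTERM exit is the last line before boot
            orderly = prev is not None and prev[1] == "syslogd: exiting on signal 15"
            boots.append({
                "boot": m.group(1),
                "orderly": orderly,
                "gap_seconds": int((ts - prev[0]).total_seconds()) if prev else None,
                "daemons_stopped": stops,
            })
            stops = []
        else:
            s = STOP.match(msg)
            if s and s.group(1) not in stops:
                stops.append(s.group(1))
        prev = (ts, msg)
    return boots

if __name__ == "__main__":
    for b in classify_boots(SAMPLE):
        print(b)
```

An orderly result only shows that a shutdown was requested, not who requested it, so it is a starting point for the "last" check mentioned in the reply rather than a replacement for it.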