Hello

sockstat -4 didn't show anything unusual: sshd, cvsupd, java,
portmap and ntpd.

It seems as if the reboots are happening during the daily
periodic and when cvsup runs around 7 a.m. in the morning. I
just monitored before the 3 a.m. reboot, and there was no reboot
message printed when I lost connection. I could see that "find"
as part of the security check had started.
After looking again in the boot-up messages - "/" was not
properly dismounted, but no message(s) for the other partitions.

find and cvsup both do disk access. Could it be that one of the
disks is bad, causing the system to crash, or am I way off
there?

Thanks
Magnus
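
An added example, not part of the original post: one way to test the observation above, that the reboots track the daily periodic run and the cvsup run, is to tag each `reboot` record from `last` with the scheduled job it follows. The job start times 03:01 and 07:00 and the 15-minute window are assumptions; the reboot records are the ones quoted further down in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Job start times (03:01, 07:00) and the
# 15-minute window are assumptions; adjust them to the machine's crontab.

# Reboot records copied from the `last` output quoted in this thread.
sample_last() {
cat <<'EOF'
user1           ttyp0    zzz.12.28.52      Thu Aug 14 07:10 - 08:07  (00:56)
reboot           ~                         Thu Aug 14 07:10
reboot           ~                         Thu Aug 14 03:09
reboot           ~                         Wed Aug 13 07:13
reboot           ~                         Wed Aug 13 03:09
reboot           ~                         Tue Aug 12 07:12
reboot           ~                         Tue Aug 12 03:09
reboot           ~                         Mon Aug 11 07:11
reboot           ~                         Mon Aug 11 03:09
reboot           ~                         Sun Aug 10 07:10
reboot           ~                         Sun Aug 10 03:08
reboot           ~                         Sat Aug  9 07:10
reboot           ~                         Sat Aug  9 04:22
reboot           ~                         Sat Aug  9 03:08
reboot           ~                         Fri Aug  8 07:10
reboot           ~                         Thu Aug  7 22:21
EOF
}

# classify_reboots WINDOW_MIN HH:MM... : tag each reboot record on stdin with
# the scheduled job it followed within WINDOW_MIN minutes, or "unmatched".
classify_reboots() {
    window=$1; shift
    awk -v window="$window" -v jobs="$*" '
    function mins(hhmm,   p) { split(hhmm, p, ":"); return p[1] * 60 + p[2] }
    BEGIN { njobs = split(jobs, job, " ") }
    $1 == "reboot" && $2 == "~" {
        t = mins($6); hit = "unmatched"
        for (i = 1; i <= njobs; i++) {
            d = t - mins(job[i])
            if (d >= 0 && d <= window) { hit = "after-" job[i]; break }
        }
        print $3, $4, $5, $6, hit
    }'
}

# summarize WINDOW_MIN HH:MM... : count reboots per classification.
summarize() {
    classify_reboots "$@" |
        awk '{ n[$NF]++ } END { for (k in n) print k, n[k] }' | sort
}

sample_last | summarize 15 03:01 07:00
```

On a live system, pipe `last reboot` into `classify_reboots` instead of `sample_last`; records tagged `unmatched` are the ones the schedule does not explain.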


--- Luke Kearney <[EMAIL PROTECTED]> wrote:
> hello,
> I am sorry if this seems a bit obvious and silly but try sockstat -4 to see
> if there are any *new* services running or ports listening that you would
> not normally have running. If you have been cracked then that is a good
> place to look.  The regular reboots are a concern. My boxes usually only get
> rebooted once a year so you should be able to expect well in excess of 2 to
> 3 months without issue
> 
> HTH
> 
> ----- Original Message -----
> From: "Magnus J" <[EMAIL PROTECTED]>
> To: "Steve Hovey" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, August 15, 2003 9:22 AM
> Subject: Re: Server rebooted at 3 a.m. and 7 a.m. for the past few days
> 
> 
> > Hello
> >
> >
> > Thanks for replying. /etc/crontab looks OK.
> >
> > This is what 'last' looks like (user1 is myself)
> >
> > user1           ttyp0    zzz.12.28.40      Thu Aug 14 12:43 - 13:30  (00:46)
> > user1           ttyp1    zzz.12.28.40      Thu Aug 14 12:20 - 13:30  (01:09)
> > user1           ttyp0    zzz.12.28.40      Thu Aug 14 12:08 - 12:21  (00:12)
> > user1           ttyp0    zzz.12.27.12      Thu Aug 14 10:06 - 11:22  (01:15)
> > user1           ttyp1    zzz.12.28.52      Thu Aug 14 08:06 - 08:07  (00:00)
> > user1           ttyp0    zzz.12.28.52      Thu Aug 14 07:10 - 08:07  (00:56)
> > reboot           ~                         Thu Aug 14 07:10
> > reboot           ~                         Thu Aug 14 03:09
> > reboot           ~                         Wed Aug 13 07:13
> > reboot           ~                         Wed Aug 13 03:09
> > reboot           ~                         Tue Aug 12 07:12
> > reboot           ~                         Tue Aug 12 03:09
> > reboot           ~                         Mon Aug 11 07:11
> > reboot           ~                         Mon Aug 11 03:09
> > reboot           ~                         Sun Aug 10 07:10
> > reboot           ~                         Sun Aug 10 03:08
> > reboot           ~                         Sat Aug  9 07:10
> > reboot           ~                         Sat Aug  9 04:22
> > reboot           ~                         Sat Aug  9 03:08
> > reboot           ~                         Fri Aug  8 07:10
> > reboot           ~                         Thu Aug  7 22:21
> > user1           ttyp4    zzz.12.28.14      Mon Aug  4 22:39 - 22:40  (00:00)
> >
> > wtmp begins Mon Aug  4 22:39:55 CEST 2003
> > bash-2.05b# date
> > Fri Aug 15 02:06:22 CEST 2003
> > bash-2.05b#
> >
> > Should I worry about these messages?
> >
> > Jul 16 14:06:47 magnus1 sshd[22292]: scanned from zzz.7.104.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > Jul 16 14:06:47 magnus1 sshd[22291]: Did not receive identification string from zzz.7.104.10
> > Jul 27 19:58:36 magnus1 sshd[1811]: scanned from zzz.18.53.102 with SSH-1.0-SSH_Ve
> > Jul 27 19:58:36 magnus1 sshd[1811]: scanned from zzz.18.53.102 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > Jul 27 19:58:36 magnus1 sshd[1810]: Did not receive identification string from zzz.18.53.102
> > Jul 28 07:00:07 magnus1 sshd[2568]: Did not receive identification string from zzz.155.91.132
> > Jul 29 05:59:55 magnus1 sshd[3798]: Did not receive identification string from zzz.235.37.77
> > Jul 30 10:53:55 magnus1 sshd[5285]: Did not receive identification string from zzz.111.110.6
> > Jul 30 10:56:51 magnus1 sshd[5289]: Did not receive identification string from zzz.111.110.6
> > Jul 30 12:51:46 magnus1 sshd[5365]: Did not receive identification string from zzz.212.236.18
> > Jul 31 02:57:59 magnus1 sshd[5935]: Did not receive identification string from zzz.30.187.2
> > Aug  4 08:15:11 magnus1 sshd[14242]: Did not receive identification string from zzz.246.43.167
> >
> >
> > Previously, I have had easily two months of uptime on this server.
> >
> > Regards
> > Magnus
> >
> >
> >
> > --- Steve Hovey <[EMAIL PROTECTED]> wrote:
> > > I would start with your cron jobs
> > >
> > >
> > > On Thu, 14 Aug 2003, Magnus J wrote:
> > >
> > > > Hello everyone
> > > >
> > > >
> > > > I'm not sure if I should have posted this to freebsd-security,
> > > > but I start here.
> > > >
> > > > I'm out traveling, and finally got a chance to log in to my
> > > > server back home through SSH, which is running 4.8 and is
> > > > protected by an IPFILTER firewall.
> > > >
> > > > Looking at /var/log/messages, the server has been mysteriously
> > > > rebooted around 3 a.m. and 7 a.m. CET every day for the past few
> > > > days. I have never seen this before.
> > > > It doesn't look like a hardware problem because it's not random
> > > > and there are no messages about filesystems not being unmounted
> > > > cleanly.
> > > >
> > > > Any ideas where I should start looking to see what's going on?
> > > > Obviously I will try to monitor what's happening next time
> > > > around 3 a.m. and 7 a.m., which processes are running, etc., but
> > > > is there something special I should look out for?
> > > >
> > > > Unfortunately, I have not installed Tripwire.
> > > >
> > > > Best regards
> > > > Magnus          (not a member of this list)
> > > >
> > > >
> > > > _______________________________________________
> > > > [EMAIL PROTECTED] mailing list
> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > > To unsubscribe, send any mail to "[EMAIL PROTECTED]"
> > > >
> > >
> >
