
Re: [cobalt-users] Spontaneous reboot ?



<response within message>

> Hi,
>
> I was logged on our Raq3, via telnet. All of a sudden, I saw the
> following message :
> "Broadcast message from root Fri Sep  8 17:10:57 2000
>
> The system is going down for system halt NOW !!".
>
> I was the only one logged on that machine, and I sure didn't shut it
> down. The machine then rebooted (although it should have halted).
> I tried to catch something in the logs, and the only thing I could
> find was :
> in /var/log/messages : Sep  8 17:10:57 www init: Switching to
> runlevel: 0
> in /var/cobalt/adm.log : "SQL INSERT command failed
> query = INSERT INTO quota (type, total, used, name, percent, free,
> modify) VALUES ('quota', '0.00', '4.83', 'vsite', 'inf', '0.00',
> datetime('now'::abstime));
> ERROR: ERROR:  Bad float8 input format -- overflow"
> via last(1) : reboot   system boot                   Fri Sep  8 17:13
>
> And that's all.
>
> Does anyone have any hint of what could have happened ?
>
> Did the watchdog kick in ? Should that have been logged ?
>
> Has the box been hacked ? But would a hacker just reboot a box ?

Check your services and inetd.conf files for oddball lines such as :

/etc/inetd.conf:
7890 stream tcp nowait root /bin/sh sh -i

This opens up an unauthenticated root shell on port 7890 that is accessible
by anyone, anywhere.  Very nasty indeed.  Also check netstat for open
connections on weird ports (netstat -n).

It could be someone who has exploited a security hole and is trying to cover
their tracks, therefore rebooting to kick all users off and then proceeding to
block everyone out but him/herself.  Is it someone in front of the box
playing tricks (unauthorized access to the physical hardware), or is the box
located in your current workplace/office and sitting next/near to you?

If the above steps do not provide useful information, I would disconnect the
box from the network and have a security expert take a look.  Go over your
logs with a fine-toothed comb.

It may also be a hardware failure problem, but the kernel normally complains
loudly about stuff like that if it's caught (kernel panics) and the system
shuts itself down.  At any rate, this is not a hard reboot (reset switch
type or massive hardware failure like memory corruption), therefore
someone/something told the server to shutdown and you need to find out why.

I am by no means a security expert in any way.  Just giving you some common
do-it-yourself tips.  Keep in mind we have a $175/hr 24x7 on-call security
expert for such instances.

Did you make backups before this happened?

--
BC
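The inetd.conf check suggested above, written out as a small audit script. This is an added example, not code from the thread or from Cobalt; the sample inetd.conf contents, the SHELLS set and the WRAPPERS allow-list are constructed assumptions, and a real audit would read /etc/inetd.conf from the box.

```python
# Constructed sample of an /etc/inetd.conf: three ordinary wrapped services
# plus the backdoor line quoted in the thread above.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
7890 stream tcp nowait root /bin/sh sh -i
"""

# Interpreters that should never be the server program of an inetd service.
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}
# Server programs under which a root service is considered expected (assumption).
WRAPPERS = {"/usr/sbin/tcpd", "internal"}


def parse_inetd(text):
    """Yield (service, user, server, args) for each active inetd.conf line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:  # service socktype proto wait user server [args]
            continue
        service, user, server = fields[0], fields[4], fields[5]
        yield service, user, server, fields[6:]


def suspicious_inetd_entries(text):
    """Return [(service, [reasons])] for lines that deserve a closer look."""
    findings = []
    for service, user, server, args in parse_inetd(text):
        reasons = []
        basename = server.rsplit("/", 1)[-1]
        if service.isdigit():
            reasons.append("numeric port instead of a /etc/services name")
        if basename in SHELLS:
            reasons.append("server program is a shell: %s" % server)
        if "-i" in args:
            reasons.append("interactive flag -i passed to the server program")
        if user == "root" and server not in WRAPPERS:
            reasons.append("runs as root without the tcpd wrapper")
        if reasons:
            findings.append((service, reasons))
    return findings


if __name__ == "__main__":
    for service, reasons in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print("%s: %s" % (service, "; ".join(reasons)))
```

Feeding it the real file (open("/etc/inetd.conf").read()) lists every entry that is numeric, spawns a shell, asks for an interactive session, or runs as root outside the wrapper; the last rule is noisy on purpose and is there to force a look at each root service.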