
RE: [cobalt-users] Server Reboot Over and Over



Hmm,
There is nothing here that I'd be alarmed about really.


> [root@ns admin]# tail -f /var/log/messages
> Oct 25 14:12:36 ns named-xfer[19917]: [65.201.142.52] no SOA 
> found for ns1.citystoked.com Oct 25 14:15:00 ns 
> proftpd[20006]: ns.citystoked.com
> (localhost[127.0.0.1]) - F
> Oct 25 14:15:00 ns proftpd[20006]: ns.citystoked.com
> (localhost[127.0.0.1]) - n
> Oct 25 14:15:00 ns proftpd[20006]: ns.citystoked.com
> (localhost[127.0.0.1]) - n
> Oct 25 14:15:00 ns proftpd[20006]: ns.citystoked.com
> (localhost[127.0.0.1]) - F
> Oct 25 14:15:07 ns telnetd[20030]: ttloop: read: Broken pipe 
> Oct 25 14:22:36 ns named[430]: Err/TO getting serial# for 
> "ns1.citystoked.com" Oct 25 14:22:36 ns named-xfer[20338]: 
> [65.201.142.52] no SOA found for ns1.city1 Oct 25 14:23:34 ns 
> PAM_pwdb[20359]: (login) session opened for user admin by (u) 
> Oct 25 14:23:39 ns PAM_pwdb[20398]: (su) session opened for 
> user root by
> admin()


The ttloop read is the active monitor for your RaQ testing telnet to make
sure it works. (The ttloop error is simply when a telnet connection is
established then broken before authentication takes place.)
The FTP attempts also look like the active monitor, although they are
very close together, which is unusual. I presume your machine's hostname
is ns.citystoked.com (i.e. the name on the LCD)?

No SOA is an error in the DNS records, but also not major. As 'gsh'
mentioned, though, you should ditch telnet.
Try running chkrootkit next time you get access to the box, as it is
sounding more like the box has been breached.
Also, have you checked with the server facility? They might have a
reason/suggestion on it also.

One extra thing to check is to do a:
last -10