[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] Pressing the reset button during an SSH session .. weird Chkrookit output afterwards.

Hello List...

Today my Server (RaQ4) port seized with traffic and made the server not
reachable even from within the data center.  The backup was in progress
transfering files to another server over a TCP connection.  For some reasons
the Backup Server dropped the connection, and the backup software "Tivoli
Backups" running on my RaQ4 kept retrying to re-establish the connection ..
as a result of that the server eth0 was flooded to the point that the server
became shielded to the outside world... Well this happens sometimes when
something goes wrong with the backup server .. I asked the techno guys at
the data center to re-boot raq 4 to interrupt that backup process.

Then I and the backup administaror logged on SSH to the server (Two SSH
connection) to read logs and see what is going on with backup BUT during
that session I saw a reboot broadcast message .. Well the techno guy after
rebooting the server forgot to close or update the support ticket system ..
so another technical guy rebooted the server thinking that reboot ticket is
still open ... Oh NO!!..

anyway, when the RaQ4 rebooted ok, I logged in SSH to see the history of the
previous SSH session by the Backup Admin but I have found nothing ... I ran
chkrootkit and got this suspious result:

---
Checking `wted'... 1 deletion(s) between Mon Aug 25 15:19:41 2003 and Mon
Aug 25 15:20:43 2003
nothing deleted
--

I did some googling but some say it is because of the second reboot that was
done by pressing the reset button.
I do not know if the /var/log/wted has a corrupted line somewhere .. Last
command shows all last and previous logins OK.

Any Ideas ....

Thanks

Al-Juhani
aljuhani@xxxxxxxxx