LinuxQuestions.org


herc 04-10-2004 02:11 PM

Weird restart?
 
Hmm, my computer had restarted itself last night and I have no idea why.
This is what is logged:

...
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
Apr 10 01:36:46 warmachine kernel: 511MB LOWMEM available.
...

What might have caused the restart? And what's up with the timestamps, 02:xx before 01:xx?

Crashed_Again 04-10-2004 03:34 PM

Hmmm... that doesn't look good at all. Run chkrootkit to see if you have been rooted. Oftentimes the machine is rebooted to get the rootkit working.

herc 04-10-2004 05:00 PM

OK, I'm not too familiar with chkrootkit, so what am I looking for in the output?

Btw. the user who logged in was me.

herc 04-10-2004 05:06 PM

chkrootkit:

Checking `ldsopreload'... can't exec ./strings-static, not tested

Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.0/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/j2sdk1.4.2_01/.systemPrefs /usr/lib/j2sdk1.4.2_01/.systemPrefs/.systemRootModFile /usr/lib/j2sdk1.4.2_01/.systemPrefs/.system.lock /usr/lib/python2.3/site-packages/freeze/.cvsignore
/usr/lib/php/.registry /usr/lib/j2sdk1.4.2_01/.systemPrefs

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `z2'... not tested: can't exec ./chklastlog

help! :rolleyes:

herc 04-11-2004 05:04 AM

any ideas?

Crashed_Again 04-11-2004 04:59 PM

Run:

chkrootkit | grep INFECTED

See if you get any output from that.

Capt_Caveman 04-11-2004 05:40 PM

Did you compile the C programs that are part of chkrootkit (ifpromisc.c, chkwtmp.c, and chklastlog.c)? If not, check out the README file in the chkrootkit-x.x directory for instructions.

herc 04-11-2004 11:26 PM

I get nothing infected / deleted.

btw. sorry for the double post, I will read the rules better :study:
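
Added example, not part of the thread and not chkrootkit's own code: a shell triage of a saved chkrootkit report that treats "not tested" checks as unresolved rather than clean, since `grep INFECTED` alone prints nothing for checks that never ran. The function names and the exit-status convention are assumptions; the sample lines are the ones posted earlier in this thread.

```shell
#!/bin/sh
# Triage a saved chkrootkit report. Grepping for INFECTED alone hides checks
# that never ran, so skipped checks get their own exit status.

# Print the name of every check that chkrootkit reported as "not tested".
skipped_checks() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\..*not tested.*/\1/p" "$1"
}

# Print the helper binaries chkrootkit could not execute.
missing_helpers() {
    sed -n "s/.*can't exec \.\/\([A-Za-z0-9_-]*\).*/\1/p" "$1"
}

# Exit status (assumed convention): 2 = INFECTED present,
# 1 = some checks were skipped, 0 = every check ran and none was flagged.
triage_chkrootkit() {
    infected=$(grep -c 'INFECTED' "$1" || true)
    skipped=$(skipped_checks "$1" | wc -l | tr -d ' ')
    echo "INFECTED lines: $infected, checks not tested: $skipped"
    if [ "$infected" -gt 0 ]; then
        grep 'INFECTED' "$1"
        return 2
    fi
    if [ "$skipped" -gt 0 ]; then
        echo "Not tested: $(skipped_checks "$1" | tr '\n' ' ')"
        echo "Helpers to build first: $(missing_helpers "$1" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample file; the lines are copied from the output in this thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Checking `ldsopreload'... can't exec ./strings-static, not tested
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `z2'... not tested: can't exec ./chklastlog
EOF

status=0
triage_chkrootkit "$sample" || status=$?
echo "triage exit status: $status"
```

To use it on a real run, save the report with `chkrootkit > report.txt 2>&1` and pass that file to `triage_chkrootkit`.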

