Mashine crashes daily at about 19.00 how to find the logs and reason on Sun

turalo · 01-21-2007, 03:47 PM

Hi,
I got this problem with my server, latest 2 weeks it sporadicaly crashes, mostly at 19.00 or about 19.00 it crashes or shuts down, I cant find the reason yet, dont know maybe it is hacked, cause I cant find any normal info in logs, in lastlog see only 2 lines and in everyline difernt IP, one is my own, other is from some internet provider, no other info, even if I logged in after crash maybe 10 times, If I'm not mistaking it has to log everythin??? and in other logs, cant finde anythin.

1 question, Where are the logs? I ware looking in var/log, var/adm/ ,

is it all, or is ther another better log somewhere??

this is SunOs 5.8
I dont use any graphical stuff, this mashine is a telecom switch. so there is no additional software, or whatever, its just sun and an telecom aplication that hase a db, nothing alse.

Please can sombody tell me where pricisly to search for logs, to find if I'm hacked, or to find the reason of the crash.

Thanks.

jlliagre · 01-21-2007, 05:23 PM

Have a look at /var/crash/<hostname> for kernel panic dumps.

If you suspect your machine to being compromised, you can use the Solaris Fingerprint Database to check it:
http://sunsolve.sun.com/pub-cgi/show...ntent/content7

You may also want to use a rootkit checker like http://www.chkrootkit.org/ or similar to verify your system.

turalo · 01-21-2007, 07:26 PM

Very thankfull for this info, going to try now...

turalo · 01-21-2007, 08:01 PM

Tryd the rootkit chekker, didnot find anything,
also chekkedc the var/crash directory, there are some files but not from today, from 2 days before, and in that files is all trash, like this :

ÿ
øTÿñˆ›¬Èÿñ—0ÿñ¦@Œ\ÿñÓA¢^LÀÿñZA$lÿñoUÿñ^Lê@n¨ÿñ
^LÿñßºÀÿñìM<ÿñúÝ\TÿñX@ÿñOÿñ(A-$ÿñHŒ¼PÿñY·¼^Lÿñi@—Nÿñ¿Ä˜ÿñ›~P(ÿñ©Š,tÿñ¸Û\<ÿñÄïPÌÿñÕÿñêgØÿñóSˆÿñûßü^Lÿñsÿñ.@–¼ÿñBAPÿñMÅ€ô
ÿñg@œ„ÿñs×”@ÿñUÿñA4^Lÿñ¬ßÐÿñÂ@—8ÿñÚòÌ(ÿñè@·ÿñ8€^LÿñjÐÿñ²Ô˜ÿñ,zTLÿñ9ö¬TÿñYÕÔ@ÿñdèØ4ÿñv9À^Lÿñæ¨LXÿñ® dÿñ'@—4ÿñ0Tt¼ÿñ]åx@ÿ
ñg@nPÿñuA-ÿñ–º„0ÿñœ{d<ÿñ»9^LÿñÈBð^LÿñÔHpÿñÜ‚¬0ÿñ ÿñó^L@ÿ:ÿ@ÿñ!ðPŒÿñ=AÿñK@nœÿñ`ÿñj\ÿñ}±Tÿñ€ÿñ’@nDÿñ*<œÿñÍ@oDÿñ*ÿñé@—”
Øÿñð@ÿñAÿñ@pÐÿñ"ê4@ÿñÀÿñh«hÿñàÿñÀ\˜ÿñžèÿñ®¯ ÿñÏ-|LÿñÛ ÿñUüÿñmÄpÿñ ÿñFÈÈÿñSOÿñx8À^Lÿñ…âÈ@ÿñ—˜@ÿñŸÿñ¸AHÿñÊÒ ÿñØ¢à¬
ÿñâ†°ÿñãXDÿñ%A ÿñ+J|ÿñ3›œÿñ>ÆThÿñCAx8ÿñXÃ`ÿñmˆ¬ˆÿñyÞXTÿñžAˆÿñ¦Bÿñ³SdÿñÖ–\4ÿñç¦ÿñöJH$ÿñýÚ0<ÿñ@yÿñ8ïÄ`ÿñRAÿñbª èÿñ”‚ü¤ÿñ¤
A¿$ÿñ»ßŒDÿñÎÐ@ÿñßSh0ÿñï@°ÿñÿ@™ôÿñ@™ÜÿñAðpTÿñJÄŒôÿñoA$Hÿñyí0ÿñŽ^LÀÿñ°\üÿñ¼àô@ÿñçAœ<ÿñé@ÿñîÚ¨<ÿñöBÔ^Lÿ ñßLdÿñ- „ÿñ9Tðÿ
ñq@ÿñ„7€^Lÿñ‘@™üÿñ¯wD<ÿñÀQ©ÿñÍR0Hÿñßã´ÿñë@—DÿñôA$hÿñü@m4ÿñ%Ž¬,ÿñ1öÿñQAÿñ]`ÿñh

Cant understand this stuff.....

jlliagre · 01-21-2007, 08:20 PM

Not trash, but snapshots of what was going on when the system last crashed.

Not sure it is relevant with Solaris 8, but you can try running that script, passing the id of the crash.

Code:

#!/bin/ksh
if [ -f unix.$1 ]
then
        if [ -f msgbuf.$1 ]
        then
                echo msgbuf.$1 exists
        else
                echo "$<msgbuf" | mdb -k unix.$1 vmcore.$1 > msgbuf.$1
                more msgbuf.$1
                sleep 1
                echo msgbuf.$1 created
        fi
else
        echo "Usage: msgbuf <id>"
fi

If it doesn't works because your Solaris version predates mdb, then try that one:

Code:

echo '$c' | adb -k vmunix.xx vmcore.xx

Where xx is the last crash ID.