[NTLUG:Discuss] Challenge....
asenec@senechalle.net
asenec at senechalle.net
Sat Sep 11 08:28:59 CDT 2004
Write a script which will write the process table to
a /tmp file and run it once a minute out of the root cron.
Look at the content of the last file written before the reboot,
or shutdown, and you might get a clue. I'd give each file a
unique name so you won't overwrite the file. Something
like /tmp/dbug-$hour-$minute would work. Also, if you're running
Apache, add the pid to the debug log, like:
LogFormat "%h %l %u %t \"%r\" %>s %b %P" common
Annette
>
> Douglas King wrote:
>
> > OK, I've got a problem. This past week.....I've had a RedHat 7.3
> > webserver shut down every night somewhere between the hours of 1:30 AM
> > and 3:00 AM. We have checked ALL the scheduled crons, etc. and find
> > nothing that would be shutting it down "naturally". The power light
> > on the case remains on, but you cannot SSH into it, nor is the machine
> > functional. Log files don't indicate a lot to me...although, I did
> > catch a potential hacker 2 nights ago...but he's since been dealt with.
> >
> > Where do I look now?
> >
> Douglas,
>
> Could be nearly anything, tough to tell from the outside looking in.
> Here are a couple suggestions, for what they're worth, followed by some
> questions to ask (ranging from obvious to simply logical, may be of no
> use to you at all or they might trigger an epiphany, hope for the latter).
>
> 1. check the logs to see who's logged in when the machine shuts down
> every night and look for a pattern.
> 2. check the logs to see what processes are logging just prior to the
> shut down every night and look for a pattern.
>
> Here are some things to consider:
> If you have a monitor attached to the machine - is the led green, yellow
> or what (ie is the monitor on with signal, on standby, or off)?
> Is the screen blank or does the machine only appear to be 'hung' not off?
> Where is the machine located? Is it at home or in a lab? Is it
> physically secure?
> Is it possible that there was an external power event that caused the
> machine to shutdown?
> Is the machine equipped with any external controller such as wake on
> lan, remote shutdown, etc?
> Is it possible that there was an internal hardware event that caused the
> machine to shutdown (power supply issue, CPU overheat, etc)?
> What kind of machine is it and does it have hardware monitoring
> capabilities - cpu sensors, power sensors, etc?
> Is the machine overclocked or insufficiently ventilated (could cause any
> number of chaotic problems)?
> Is APM turned off (no standby or hibernate features enabled for the
> system or monitor)?
> Is this a new box or has this box had recent software/hardware/use
> pattern changes?
> Is tripwire installed and have you looked into it?
>
> Some possible causes:
> Security breach.
> Someone shutting the machine down through software (something along the
> lines of 'shutdown -h now' or 'halt').
> External power event (brownout - power spike).
> Internal power event (power supply, motherboard, hard drive).
> Internal motherboard failure.
> Hard disk failure.
> Power management failure.
>
> Later, hope this helps - surely some guru'll tell you how to turn on
> 'uberlog' and it'll just spit out the answer. I eagerly await the
> findings...
>
> Will
>
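Added example, not part of the original post: one way to write the snapshot script Annette describes, keeping the dbug-$hour-$minute naming but writing into a private directory, because predictable file names that root writes directly in /tmp can be pre-created by other local users. The directory /tmp/dbug, the install path /usr/local/sbin/dbug.sh and the function names take_snapshot and latest_snapshot are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Names and paths are assumptions.

# take_snapshot DIR: write the process table to DIR/dbug-HH-MM, print the path.
take_snapshot() {
    dir=$1
    umask 077                        # command lines can hold secrets: root-only files
    # /tmp is world-writable, so refuse a symlink planted where root will write.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    out="$dir/dbug-$(date +%H-%M)"   # one file per minute, reused after 24 hours
    tmp=$(mktemp "$dir/.dbug.XXXXXX") || return 1
    # Record what is available; one failing command must not lose the snapshot.
    {
        date
        uptime
        ps -eo pid,ppid,user,stat,etime,args
    } > "$tmp" 2>&1 || true
    mv -f "$tmp" "$out"              # rename: no half-written file under the final name
    sync                             # push it to disk before the machine can hang
    echo "$out"
}

# latest_snapshot DIR: newest snapshot, the one to read after the reboot.
latest_snapshot() {
    ls -t "$1"/dbug-* 2>/dev/null | head -n 1
}

# Root crontab entry (install path is an assumption):
#   * * * * * /usr/local/sbin/dbug.sh --snapshot /tmp/dbug
if [ "${1:-}" = "--snapshot" ]; then
    take_snapshot "${2:-/tmp/dbug}" > /dev/null
fi
```

The PID column in each snapshot lines up with the %P field added to the Apache log by the LogFormat line above, so a request logged just before the hang can be matched to the httpd child that served it.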