who issued the shutdown command?

Started by: Todd <Todd@invalid.com>
First post: 2011-05-04 13:32 -0700
Last post: 2011-05-07 15:43 -0400
Articles: 13 — 11 participants



Contents

  who issued the shutdown command? Todd <Todd@invalid.com> - 2011-05-04 13:32 -0700
    Re: who issued the shutdown command? Lew Pitcher <lpitcher@teksavvy.com> - 2011-05-04 16:41 -0400
      Re: who issued the shutdown command? Chris Davies <chris-usenet@roaima.co.uk> - 2011-05-04 23:40 +0100
        Re: who issued the shutdown command? Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2011-05-04 17:03 -0700
    Re: who issued the shutdown command? unruh <unruh@wormhole.physics.ubc.ca> - 2011-05-04 22:36 +0000
    Re: who issued the shutdown command? DenverD <spam.trap@SOMEwhere.dk> - 2011-05-06 14:21 +0200
      Re: who issued the shutdown command? Balwinder S Dheeman <bsd.SANSPAM@anu.homelinux.net> - 2011-05-06 20:01 +0530
        Re: who issued the shutdown command? Michael Black <et472@ncf.ca> - 2011-05-06 10:48 -0400
          Re: who issued the shutdown command? The Natural Philosopher <tnp@invalid.invalid> - 2011-05-06 16:28 +0100
          Re: who issued the shutdown command? unruh <unruh@wormhole.physics.ubc.ca> - 2011-05-06 16:54 +0000
            Re: who issued the shutdown command? Todd <Todd@invalid.com> - 2011-05-06 13:53 -0700
            Re: who issued the shutdown command? Robert Riches <spamtrap42@jacob21819.net> - 2011-05-07 03:24 +0000
            Re: who issued the shutdown command? GangGreene <GangGreene@invalid.com> - 2011-05-07 15:43 -0400

#1022 — who issued the shutdown command?

From: Todd <Todd@invalid.com>
Date: 2011-05-04 13:32 -0700
Subject: who issued the shutdown command?
Message-ID: <ipsd48$2vo$3@dont-email.me>

Hi All,

In /var/log/messages, I have:

May  4 08:01:11 server shutdown[10435]: shutting down for system reboot

"last" shows everyone logged out at the time.

Question: who done it?

Many thanks,
-T



#1023

From: Lew Pitcher <lpitcher@teksavvy.com>
Date: 2011-05-04 16:41 -0400
Message-ID: <ERiwp.12727$ei6.3693@newsfe19.iad>
In reply to: #1022

On May 4, 2011 16:32, in comp.os.linux.misc, Todd@invalid.com wrote:

> Hi All,
> 
> In /var/log/messages, I have:
> 
> May  4 08:01:11 server shutdown[10435]: shutting down for system reboot
> 
> "last" shows everyone logged out at the time.
> 
> Question: who done it?

shutdown could have been run by a cron job or an at job, or in response to
the power button or a keyboard control sequence (<ctrl><alt><del>
invokes "shutdown -r now" on my system).

There may be ways to determine who ran shutdown in those cases, but I don't
know them offhand. Some experimentation might be in order.

-- 
Lew Pitcher
Master Codewright & JOAT-in-training   | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
----------      Slackware - Because I know what I'm doing.         ------



#1025

From: Chris Davies <chris-usenet@roaima.co.uk>
Date: 2011-05-04 23:40 +0100
Message-ID: <871998xeb7.ln2@news.roaima.co.uk>
In reply to: #1023

Lew Pitcher <lpitcher@teksavvy.com> wrote:
> shutdown could have been run by a cron job or an at job, or in response
> to the power button or a keyboard control sequence (<ctrl><alt><del>

> There may be ways to determine who ran shutdown in those cases, but
> I don't know them offhand.

1. Use of cron and at is logged. On my Debian system, the commands
executed by cron are logged in /var/log/syslog, and the fact that cron
and/or atd has run a job is captured in /var/log/auth.log.

2. For physical access to the server, I'd go with asking around, or
possibly checking the security logs for the server room door lock.

Chris



#1026

From: Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Date: 2011-05-04 17:03 -0700
Message-ID: <f36998xsl1.ln2@goaway.wombat.san-francisco.ca.us>
In reply to: #1025

On 2011-05-04, Chris Davies <chris-usenet@roaima.co.uk> wrote:
> Lew Pitcher <lpitcher@teksavvy.com> wrote:
>> shutdown could have been run by a cron job or an at job, or in response
>> to the power button or a keyboard control sequence (<ctrl><alt><del>
>
>> There may be ways to determine who ran shutdown in those cases, but
>> I don't know them offhand.
>
> 1. Use of cron and at is logged. On my Debian system, the commands
> executed by cron are logged in /var/log/syslog, and the fact that cron
> and/or atd has run a job is captured in /var/log/auth.log.

Depending on your distro, cron jobs may also be logged in /var/log/cron.

--keith



-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
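
The log checks suggested in the replies above can be scripted. The following is an added example, not code from any poster in this thread: it lists cron, at, ssh and ACPI entries logged shortly before each `shutdown[...]` line. It assumes traditional syslog lines (no year), a hypothetical 5-minute look-back window, and constructed sample entries; all function and variable names are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); real formats vary by distro.
SAMPLE_LOG = """\
May  4 07:30:01 server CRON[10102]: (root) CMD (/usr/local/sbin/rotate-backups)
May  4 07:58:40 server sshd[10391]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
May  4 08:00:01 server CRON[10420]: (backup) CMD (/usr/local/sbin/nightly-maint)
May  4 08:01:11 server shutdown[10435]: shutting down for system reboot
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$"
)
# syslog program tags for ways shutdown can start without a session in "last"
SOURCES = {"cron": "cron job", "crond": "cron job", "atd": "at job",
           "sshd": "remote ssh", "acpid": "power button (ACPI)",
           "sudo": "sudo", "su": "su"}
CRON_CMD_RE = re.compile(r"^\((\S+)\) CMD \((.*)\)$")  # "(user) CMD (command)"


def parse(line, year):
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, prog, pid, msg = m.groups()
    # Traditional syslog omits the year, so the caller has to supply it.
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": prog, "pid": pid, "msg": msg}


def shutdown_candidates(text, year=2011, window=timedelta(minutes=5)):
    """For each shutdown[] line, list earlier events inside the window."""
    events = [e for e in (parse(l, year) for l in text.splitlines()) if e]
    report = []
    for sd in (e for e in events if e["prog"] == "shutdown"):
        hits = []
        for e in events:
            kind = SOURCES.get(e["prog"].lower())
            if kind and timedelta(0) <= sd["ts"] - e["ts"] <= window:
                m = CRON_CMD_RE.match(e["msg"])
                user = m.group(1) if m else None  # only cron lines carry it here
                hits.append((e["ts"].strftime("%H:%M:%S"), kind, user, e["msg"]))
        report.append((sd["ts"].isoformat(sep=" "), sd["pid"], hits))
    return report


if __name__ == "__main__":
    for when, pid, hits in shutdown_candidates(SAMPLE_LOG):
        print(f"shutdown[{pid}] at {when}:", hits or "no logged trigger found")
```

Feed it the concatenated text of whichever files your distro uses among those named in the replies (/var/log/messages, /var/log/syslog, /var/log/auth.log, /var/log/cron). An empty hit list points toward the unlogged causes, such as console or hardware.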



#1024

From: unruh <unruh@wormhole.physics.ubc.ca>
Date: 2011-05-04 22:36 +0000
Message-ID: <slrnis3l6m.233.unruh@wormhole.physics.ubc.ca>
In reply to: #1022

On 2011-05-04, Todd <Todd@invalid.com> wrote:
> Hi All,
>
> In /var/log/messages, I have:
>
> May  4 08:01:11 server shutdown[10435]: shutting down for system reboot
>
> "last" shows everyone logged out at the time.
>
> Question: who done it?

a) cron jobs and at jobs will not "log in" and will not show up in
"last"
b) remote ssh jobs (ssh remotemachine command) I think do not show up in
last. 

>
> Many thanks,
> -T



#1033

From: DenverD <spam.trap@SOMEwhere.dk>
Date: 2011-05-06 14:21 +0200
Message-ID: <4dc3e7bc$0$36573$edfadb0f@dtext01.news.tele.dk>
In reply to: #1022

On 05/04/2011 10:32 PM, Todd wrote:
> Hi All,
>
> In /var/log/messages, I have:
>
> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>
> "last" shows everyone logged out at the time.
>
> Question: who done it?

the one with the root password!

-- 
DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.1.8, nVidia 
173.14.28 3D, Athlon 64 3000+]
"It is far easier to read, understand and follow the instructions than 
to undo the problems caused by not." DD 23 Jan 11



#1034

From: Balwinder S Dheeman <bsd.SANSPAM@anu.homelinux.net>
Date: 2011-05-06 20:01 +0530
Message-ID: <vadd98x6ek.ln2@news.homelinux.net>
In reply to: #1033

On 05/06/2011 05:51 PM, DenverD wrote:
> On 05/04/2011 10:32 PM, Todd wrote:
>> Hi All,
>>
>> In /var/log/messages, I have:
>>
>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>
>> "last" shows everyone logged out at the time.
>>
>> Question: who done it?
>
> the one with the root password!

On many/most systems an ACPI daemon can also run script (which might 
invoke shutdown command) on press of power on/off button :P

-- 
Balwinder S "bdheeman" Dheeman
(http://werc.homelinux.net/contact/)



#1035

From: Michael Black <et472@ncf.ca>
Date: 2011-05-06 10:48 -0400
Message-ID: <Pine.LNX.4.64.1105061045300.15316@darkstar.example.net>
In reply to: #1034

On Fri, 6 May 2011, Balwinder S Dheeman wrote:

> On 05/06/2011 05:51 PM, DenverD wrote:
>> On 05/04/2011 10:32 PM, Todd wrote:
>>> Hi All,
>>> 
>>> In /var/log/messages, I have:
>>> 
>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>> 
>>> "last" shows everyone logged out at the time.
>>> 
>>> Question: who done it?
>> 
>> the one with the root password!
>
> On many/most systems an ACPI daemon can also run script (which might invoke 
> shutdown command) on press of power on/off button :P
>
The problem with that is, there's no way of knowing who did it then.

Since the original question seemed reasonable, "the one with the root 
password" is the obvious answer. No other user can do it unless something 
odd has been set up.

Once talk begins of physical access, then there's no trace unless someone 
has security cameras or does fingerprints on the button.

   Michael



#1036

From: The Natural Philosopher <tnp@invalid.invalid>
Date: 2011-05-06 16:28 +0100
Message-ID: <iq1431$6tm$5@news.albasani.net>
In reply to: #1035

Michael Black wrote:
> On Fri, 6 May 2011, Balwinder S Dheeman wrote:
> 
>> On 05/06/2011 05:51 PM, DenverD wrote:
>>> On 05/04/2011 10:32 PM, Todd wrote:
>>>> Hi All,
>>>>
>>>> In /var/log/messages, I have:
>>>>
>>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>>>
>>>> "last" shows everyone logged out at the time.
>>>>
>>>> Question: who done it?
>>>
>>> the one with the root password!
>>
>> On many/most systems an ACPI daemon can also run script (which might 
>> invoke shutdown command) on press of power on/off button :P
>>
> The problem with that is, there's no way of knowing who did it then.
> 
> Since the original question seemed reasonable, "the one with the root 
> password" is the obvious answer. No other user can do it unless 
> something odd has been set up.
> 
> Once talk begins of physical access, then there's no trace unless 
> someone has security cameras or does fingerprints on the button.
> 
Sometimes hardware faults can do it too.

>   Michael



#1037

From: unruh <unruh@wormhole.physics.ubc.ca>
Date: 2011-05-06 16:54 +0000
Message-ID: <slrnis89tj.nsb.unruh@wormhole.physics.ubc.ca>
In reply to: #1035

On 2011-05-06, Michael Black <et472@ncf.ca> wrote:
> On Fri, 6 May 2011, Balwinder S Dheeman wrote:
>
>> On 05/06/2011 05:51 PM, DenverD wrote:
>>> On 05/04/2011 10:32 PM, Todd wrote:
>>>> Hi All,
>>>> 
>>>> In /var/log/messages, I have:
>>>> 
>>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>>> 
>>>> "last" shows everyone logged out at the time.
>>>> 
>>>> Question: who done it?
>>> 
>>> the one with the root password!
>>
>> On many/most systems an ACPI daemon can also run script (which might invoke 
>> shutdown command) on press of power on/off button :P
>>
> The problem with that is, there's no way of knowing who did it then.
>
> Since the original question seemed reasonable, "the one with the root 
> password" is the obvious answer. No other user can do it unless something 
> odd has been set up.
>
> Once talk begins of physical access, then there's no trace unless someone 
> has security cameras or does fingerprints on the button.

Alt-ctrl-del from the keyboard could do it, even if no one is logged on.
Halt run from a console could do it even by a user (but they should be
logged on) (At least on my system, halt can be run by users).


>
>    Michael



#1039

From: Todd <Todd@invalid.com>
Date: 2011-05-06 13:53 -0700
Message-ID: <iq1n45$lgl$1@dont-email.me>
In reply to: #1037

On 05/06/2011 09:54 AM, unruh wrote:
> On 2011-05-06, Michael Black <et472@ncf.ca> wrote:
>> On Fri, 6 May 2011, Balwinder S Dheeman wrote:
>>
>>> On 05/06/2011 05:51 PM, DenverD wrote:
>>>> On 05/04/2011 10:32 PM, Todd wrote:
>>>>> Hi All,
>>>>>
>>>>> In /var/log/messages, I have:
>>>>>
>>>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>>>>
>>>>> "last" shows everyone logged out at the time.
>>>>>
>>>>> Question: who done it?
>>>>
>>>> the one with the root password!
>>>
>>> On many/most systems an ACPI daemon can also run script (which might invoke
>>> shutdown command) on press of power on/off button :P
>>>
>> The problem with that is, there's no way of knowing who did it then.
>>
>> Since the original question seemed reasonable, "the one with the root
>> password" is the obvious answer. No other user can do it unless something
>> odd has been set up.
>>
>> Once talk begins of physical access, then there's no trace unless someone
>> has security cameras or does fingerprints on the button.
>
> Alt-ctrl-del from the keyboard could do it, even if no one is logged on.
> Halt run from a console could do it even by a user (but they should be
> logged on) (At least on my system, halt can be run by users).
>
>
>>
>>     Michael

Hi All,

Root access: would have shown up in "last"  (and everyone
at this company is trustworthy -- nice place to work)

crontab: have no shutdown or reboot entries

<ctrl><alt><del> this reboots.  The server powered off.

ACPI.  Someone may have pushed the button by accident.
The server case is pretty dust/dirt free.  Maybe someone
was dusting a little too aggressively.  Hmmm.

Hardware fault: the SATA removable backup drive had also
failed.  Turned out the SATA cable connected to the motherboard
was loose.  If the pins cross each other, just maybe.  I
am thinking this is the best guess.

Anyway, it has not happened again.

Thank you all for the tip!  Very much appreciated.

-T



#1041

From: Robert Riches <spamtrap42@jacob21819.net>
Date: 2011-05-07 03:24 +0000
Message-ID: <slrnis9erq.bsk.spamtrap42@one.localnet>
In reply to: #1037

On 2011-05-06, unruh <unruh@wormhole.physics.ubc.ca> wrote:
> On 2011-05-06, Michael Black <et472@ncf.ca> wrote:
>> On Fri, 6 May 2011, Balwinder S Dheeman wrote:
>>
>>> On 05/06/2011 05:51 PM, DenverD wrote:
>>>> On 05/04/2011 10:32 PM, Todd wrote:
>>>>> Hi All,
>>>>> 
>>>>> In /var/log/messages, I have:
>>>>> 
>>>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>>>> 
>>>>> "last" shows everyone logged out at the time.
>>>>> 
>>>>> Question: who done it?
>>>> 
>>>> the one with the root password!
>>>
>>> On many/most systems an ACPI daemon can also run script (which might invoke 
>>> shutdown command) on press of power on/off button :P
>>>
>> The problem with that is, there's no way of knowing who did it then.
>>
>> Since the original question seemed reasonable, "the one with the root 
>> password" is the obvious answer. No other user can do it unless something 
>> odd has been set up.
>>
>> Once talk begins of physical access, then there's no trace unless someone 
>> has security cameras or does fingerprints on the button.
>
> Alt-ctrl-del from the keyboard could do it, even if no one is logged on.
> Halt run from a console could do it even by a user (but they should be
> logged on) (At least on my system, halt can be run by users).

The issue with Alt-Ctrl-Del can be fixed by editing /etc/inittab.
However, the nannies at Mandriva insist on undoing the system
administrator's edits.  It takes an edit to
/usr/share/msec/plugins/msec.py (or disabling msec) to fix that
problem.

-- 
Robert Riches
spamtrap42@jacob21819.net
(Yes, that is one of my email addresses.)



#1045

From: GangGreene <GangGreene@invalid.com>
Date: 2011-05-07 15:43 -0400
Message-ID: <evjg98-07p.ln1@crazy-horse.bildanet.com>
In reply to: #1037

unruh wrote:

> On 2011-05-06, Michael Black <et472@ncf.ca> wrote:
>> On Fri, 6 May 2011, Balwinder S Dheeman wrote:
>>
>>> On 05/06/2011 05:51 PM, DenverD wrote:
>>>> On 05/04/2011 10:32 PM, Todd wrote:
>>>>> Hi All,
>>>>> 
>>>>> In /var/log/messages, I have:
>>>>> 
>>>>> May 4 08:01:11 server shutdown[10435]: shutting down for system reboot
>>>>> 
>>>>> "last" shows everyone logged out at the time.
>>>>> 
>>>>> Question: who done it?
>>>> 
>>>> the one with the root password!
>>>
>>> On many/most systems an ACPI daemon can also run script (which might
>>> invoke shutdown command) on press of power on/off button :P
>>>
>> The problem with that is, there's no way of knowing who did it then.
>>
>> Since the original question seemed reasonable, "the one with the root
>> password" is the obvious answer. No other user can do it unless something
>> odd has been set up.
>>
>> Once talk begins of physical access, then there's no trace unless someone
>> has security cameras or does fingerprints on the button.
> 
> Alt-ctrl-del from the keyboard could do it, even if no one is logged on.
> Halt run from a console could do it even by a user (but they should be
> logged on) (At least on my system, halt can be run by users).
> 
> 
>>
>>    Michael


/etc/inittab

....

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now


Not on my systems
