I need to understand why my server turned off
- by Dema
Our organization was robbed and it was definitely an inside job. I was set up. I work as a manager and as system administrator in this organization and everything goes against me. The only clue I have is that someone accidentally or intentionally turned off a server that is in the office, indicating that someone was inside at a time when no one should be.
This is the only evidence I have that can justify me. I looked at the log files and they show that the Power button was pressed.
Can you help me to find out that this was not a bug or a system overheat?
I will post the log files, and if you ask for more I will gladly provide the information.
Messages:
Dec 24 21:43:14 jamx shutdown[27883]: shutting down for system halt
Dec 24 21:43:15 jamx init: Switching to runlevel: 0
Dec 24 21:43:15 jamx smartd[3047]: smartd received signal 15: Terminated
Dec 24 21:43:15 jamx smartd[3047]: smartd is exiting (exit status 0)
Dec 24 21:43:15 jamx avahi-daemon[3015]: Got SIGTERM, quitting.
Dec 24 21:43:15 jamx avahi-daemon[3015]: Leaving mDNS multicast group on interface eth0.IPv6 with address fe80::221:85ff:fe11:8221.
Dec 24 21:43:15 jamx avahi-daemon[3015]: Leaving mDNS multicast group on interface eth0.IPv4 with address 82.207.41.239.
Dec 24 21:43:15 jamx shutdown[27962]: shutting down for system halt
Dec 24 21:43:15 jamx saslauthd[2983]: server_exit : master exited: 2983
Dec 24 21:43:29 jamx nmbd[2921]: [2010/12/24 21:43:29, 0] nmbd/nmbd.c:terminate(58)
Dec 24 21:43:29 jamx nmbd[2921]: Got SIGTERM: going down...
Dec 24 21:43:31 jamx clamd[2526]: Pid file removed.
Dec 24 21:43:31 jamx clamd[2526]: --- Stopped at Fri Dec 24 21:43:31 2010
Dec 24 21:43:31 jamx clamd[2526]: Socket file removed.
Dec 24 21:43:31 jamx mydns[2645]: jamx.org.ua up 9h44m48s (35088s) 117 questions (0/s) NOERROR=117 SERVFAIL=0 NXDOMAIN=0 NOTIMP=0 REFUSED=0 (100% TCP, 117 queries)
Dec 24 21:43:31 jamx mydns[2645]: terminated
Dec 24 21:43:34 jamx ntpd[2512]: ntpd exiting on signal 15
Dec 24 21:43:34 jamx hcid[2265]: Got disconnected from the system message bus
Dec 24 21:43:35 jamx rpc.statd[2167]: Caught signal 15, un-registering and exiting.
Dec 24 21:43:35 jamx portmap[28473]: connect from 127.0.0.1 to unset(status): request from unprivileged port
Dec 24 21:43:35 jamx auditd[2021]: The audit daemon is exiting.
Dec 24 21:43:35 jamx kernel: audit(1293219815.505:4044): audit_pid=0 old=2021 by auid=4294967295
Dec 24 21:43:35 jamx pcscd: pcscdaemon.c:572:signal_trap() Preparing for suicide
Dec 24 21:43:36 jamx pcscd: hotplug_libusb.c:376:HPRescanUsbBus() Hotplug stopped
Dec 24 21:43:36 jamx pcscd: readerfactory.c:1379:RFCleanupReaders() entering cleaning function
Dec 24 21:43:36 jamx pcscd: pcscdaemon.c:532:at_exit() cleaning /var/run
Dec 24 21:43:36 jamx kernel: Kernel logging (proc) stopped.
Dec 24 21:43:36 jamx kernel: Kernel log daemon terminating.
Dec 24 21:43:37 jamx exiting on signal 15
Acpid:
[Fri Dec 24 21:43:14 2010] received event "button/power PWRF 00000080 00000001"
[Fri Dec 24 21:43:14 2010] notifying client 2382[68:68]
[Fri Dec 24 21:43:14 2010] executing action "/bin/ps awwux | /bin/grep gnome-power-manager | /bin/grep -qv grep || /sbin/shutdown -h now"
[Fri Dec 24 21:43:14 2010] BEGIN HANDLER MESSAGES
[Fri Dec 24 21:43:15 2010] END HANDLER MESSAGES
[Fri Dec 24 21:43:15 2010] action exited with status 0
[Fri Dec 24 21:43:15 2010] completed event "button/power PWRF 00000080 00000001"
[Fri Dec 24 21:43:15 2010] received event "button/power PWRF 00000080 00000002"
[Fri Dec 24 21:43:15 2010] notifying client 2382[68:68]
[Fri Dec 24 21:43:15 2010] executing action "/bin/ps awwux | /bin/grep gnome-power-manager | /bin/grep -qv grep || /sbin/shutdown -h now"
[Fri Dec 24 21:43:15 2010] BEGIN HANDLER MESSAGES
[Fri Dec 24 21:43:15 2010] END HANDLER MESSAGES
[Fri Dec 24 21:43:15 2010] action exited with status 0
[Fri Dec 24 21:43:15 2010] completed event "button/power PWRF 00000080 00000002"
[Fri Dec 24 21:43:34 2010] exiting