Re: Which user shutdown system?
01-17-2014 02:22 AM - last edited on 01-19-2014 08:37 PM by Lisa198503
Hi,
I'm new at this. Could anyone help me find out who (which remote user) shut down my HP-UX server?
Here is some info from the log.
cat /etc/shutdownlog > 20:07 Thu Jan 9, 2014. Halt:
cat /var/adm/syslog/OLDsyslog.log>>>>
Jan 9 18:28:27 drapp su: + tc root-t24bus
Jan 9 19:29:11 drapp ftpd[17189]: Data port : 20
Jan 9 19:29:11 drapp ftpd[17189]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan 9 19:29:11 drapp ftpd[17189]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan 9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,22910 from 172.31.1.101 [172.31.1.101]
Jan 9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,30267 from 172.31.1.101 [172.31.1.101]
Jan 9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,50826 from 172.31.1.101 [172.31.1.101]
Jan 9 19:33:58 drapp ftpd[17189]: refused PORT 40015c88,23000 from 172.31.1.101 [172.31.1.101]
Jan 9 19:33:58 drapp ftpd[17189]: refused PORT 40015c88,42008 from 172.31.1.101 [172.31.1.101]
Jan 9 19:35:31 drapp ftpd[17189]: refused PORT 40015c88,53651 from 172.31.1.101 [172.31.1.101]
Jan 9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,64139 from 172.31.1.101 [172.31.1.101]
Jan 9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,42050 from 172.31.1.101 [172.31.1.101]
Jan 9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,25064 from 172.31.1.101 [172.31.1.101]
Jan 9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,41991 from 172.31.1.101 [172.31.1.101]
Jan 9 19:36:44 drapp ftpd[17189]: FTP session closed
Jan 9 19:36:44 drapp ftpd[17542]: Data port : 20
Jan 9 19:36:44 drapp ftpd[17542]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan 9 19:36:44 drapp ftpd[17542]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan 9 19:36:49 drapp ftpd[17542]: FTP session closed
Jan 9 19:36:50 drapp ftpd[17550]: Data port : 20
Jan 9 19:36:50 drapp ftpd[17550]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan 9 19:36:50 drapp ftpd[17550]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan 9 19:37:04 drapp ftpd[17550]: FTP session closed
Jan 9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
Jan 9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2
Jan 9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
Jan 9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
Jan 9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root
Jan 9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.
Jan 9 20:06:48 drapp HP-PRM: [18832]: prmconfig: configuration reset
Jan 9 20:06:48 drapp /usr/sbin/envd[1812]: terminated by signal 15
Jan 9 20:06:48 drapp sshd[1096]: Received signal 15; terminating.
Jan 9 20:06:48 drapp cimserver: cimserver[1702] is shutting down due to reboot
Jan 9 20:06:48 drapp cimserver[1702]: PGS10031: CIM server HP-UX WBEM Services stopped.
Jan 9 20:06:48 drapp diagmond[1809]: Exit due to user requested abort
Jan 9 20:06:54 drapp vmunix: Warning: The validity of the tunable values could not be completely verified, because the value of the tunable 'lcpu_attr' will not be known until the system is booted. The tunable values will be verified during boot. Please check the console messages during boot to see if there are any tunable value errors.
Jan 9 20:06:56 drapp inetd[1232]: Going down on signal 15
Jan 9 20:07:07 drapp rpcbind: rpcbind terminating on signal.
Jan 9 20:07:08 drapp su: + tty?? root-sfmdb
Jan 9 20:07:15 drapp syslogd: going down on signal 15
Thanks in advance,
Tanvir
P.S. This post has been split off from another thread in HP-UX > System Administration, and its subject has been edited. - HP Forum Moderator
01-17-2014 11:40 AM
Re: Which user shutdown system?
>Could anyone help to find that who (remote user) shutdown my HP-UX server
Only root can shut down a system. Or any user in /etc/shutdown.allow.
You can also use last(1) to see who logged in/out about that time.
The start of shutdown?
Jan 9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.
01-18-2014 11:20 AM
Re: log file of shutdown hp-ux.
> Jan 9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
> Jan 9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2
Here is someone logging on as root from IP address 172.31.1.73. (Note that both messages have the same process ID 17893, implying that both messages refer to the same session.)
The first message indicates that the client was PuTTY (release 0.62).
Then, another connection was established from the same source IP address for the purpose of SFTP file transfer, again logging in as root:
> Jan 9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
> Jan 9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
> Jan 9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root
If the "last" command indicates these two sessions were the only ones active at the time of shutdown, then the only way to find out who it was is to find out who was logged on to the 172.31.1.73 system at that time.
The combination of client applications used (PuTTY + WinSCP) indicates that the client host is very likely to be a Windows system. PuTTY alone does not guarantee that: there is also a Unix/Linux port of PuTTY. As far as I know, WinSCP exists for Windows only.
This is exactly why there is a standard security recommendation for all Unix-like systems to not allow remote logins as root: if the root password is known to several people, there will be no record identifying which one of them actually used the account.
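The PID correlation described in the post above, as an added example that is not part of the original thread: it groups sshd syslog lines by process ID and lists the root logins accepted before the first shutdown message. The sample lines are copied from the log quoted in this thread; the year (2014, from the /etc/shutdownlog entry) and the shutdown-marker pattern are assumptions.

```python
import re
from datetime import datetime

# Sample input: lines copied from the syslog excerpt quoted in this thread.
SAMPLE = """\
Jan 9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
Jan 9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2
Jan 9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
Jan 9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
Jan 9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root
Jan 9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.
Jan 9 20:06:48 drapp sshd[1096]: Received signal 15; terminating.
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+([^\s\[:]+)(?:\[(\d+)\])?:\s+(.*)$")
BANNER = re.compile(r"Remote: ([\d.]+)-\d+;.*Client: (\S+)")
ACCEPT = re.compile(r"Accepted \S+ for (\S+) from ([\d.]+) port \d+")
SUBSYS = re.compile(r"subsystem request for (\S+)")
# Assumption: the first daemon-exit / SIGTERM message marks the start of shutdown.
SHUTDOWN = re.compile(r"daemon exiting|signal 15|shutting down", re.I)

def correlate(text, year=2014):
    """Group sshd lines by PID; return (authenticated sessions, shutdown start)."""
    sessions, shutdown_at = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
        if shutdown_at is None and SHUTDOWN.search(msg):
            shutdown_at = when
        if prog != "sshd" or pid is None:
            continue
        s = sessions.setdefault(pid, {"pid": pid, "user": None, "src": None,
                                      "client": None, "subsystem": None, "login": None})
        if (b := BANNER.search(msg)):          # client version banner
            s["src"], s["client"] = b.groups()
        elif (a := ACCEPT.search(msg)):        # successful authentication
            s["user"], s["src"], s["login"] = a.group(1), a.group(2), when
        elif (x := SUBSYS.search(msg)):        # e.g. sftp instead of a shell
            s["subsystem"] = x.group(1)
    # The master sshd (PID 1096 here) never authenticates a user, so it drops out.
    return [s for s in sessions.values() if s["user"]], shutdown_at

def root_logins_before(text, year=2014):
    """Root SSH logins that were accepted before the shutdown began."""
    sessions, shutdown_at = correlate(text, year)
    return [s for s in sessions if s["user"] == "root"
            and shutdown_at and s["login"] < shutdown_at]
```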
01-22-2014 08:22 PM
Re: log file of shutdown hp-ux.
Thanks to Dennis & Matti for your support.
As Matti said, here is the "last -R" output:
t24drdev pts/ta 172.31.101.1 Thu Jan 9 22:32 - 22:33 (00:01)
t24drdev pts/ta 172.31.101.1 Thu Jan 9 22:27 - 22:31 (00:04)
root pts/ta 172.31.1.101 Thu Jan 9 20:48 - 20:58 (00:10)
t24drdev pts/tb 172.31.101.6 Thu Jan 9 20:44 - 20:45 (00:00)
root pts/0 172.31.1.73 Thu Jan 9 20:40 - 21:02 (00:21)
reboot system boot Thu Jan 9 20:38 still logged in
t24drdev pts/th 172.31.101.6 Thu Jan 9 20:02 - 20:38 (00:35)
t24drdev pts/tg 172.31.101.6 Thu Jan 9 20:02 - 20:38 (00:36)
t24drdev pts/tf 172.31.101.6 Thu Jan 9 20:01 - 20:07 (00:05)
t24drdev pts/te 172.31.101.6 Thu Jan 9 20:01 - 20:38 (00:37)
t24drdev pts/tb 172.31.101.6 Thu Jan 9 20:00 - 20:38 (00:37)
t24drdev pts/td 172.31.101.6 Thu Jan 9 19:55 - 20:38 (00:43)
t24drdev pts/tb 172.31.101.6 Thu Jan 9 19:54 - 19:59 (00:05)
root pts/2 172.31.1.73 Thu Jan 9 19:49 - 20:05 (00:16)
t24drdev ftp 172.31.1.101 Thu Jan 9 19:36 - 19:37 (00:00)
t24drdev ftp 172.31.1.101 Thu Jan 9 19:36 - 19:36 (00:00)
t24drdev pts/tb 172.31.1.101 Thu Jan 9 19:31 - 19:39 (00:07)
t24drdev ftp 172.31.1.101 Thu Jan 9 19:29 - 19:36 (00:07)
t24drdev pts/tc 172.31.101.3 Thu Jan 9 19:20 - 20:07 (00:46)
t24drdev pts/tc 172.31.101.3 Thu Jan 9 19:13 - 19:18 (00:04)
root pts/tb 172.31.1.101 Thu Jan 9 19:06 - 19:27 (00:21)
t24drdev pts/ti 172.31.1.95 Thu Jan 9 18:51 - 20:38 (01:47)
Please identify it for me; it will be helpful for me.
Again thanks for your effort.
01-22-2014 11:03 PM
01-23-2014 01:44 AM
Re: Which user shutdown system?
Issue solved.
Thanks to all.
01-23-2014 08:59 AM
Re: Which user shutdown system?
>Thanks to all.
If you're happy, please click on the Kudos star for each helpful answer.