
Which user shutdown system?

SOLVED
Tanvir11077
Frequent Visitor

Hi

I'm new at this. Could anyone help me find who (which remote user) shut down my HP-UX server?

Here is some info from the log.

cat /etc/shutdownlog
20:07  Thu Jan  9, 2014.  Halt:

cat /var/adm/syslog/OLDsyslog.log

Jan  9 18:28:27 drapp su: + tc root-t24bus
Jan  9 19:29:11 drapp ftpd[17189]: Data port : 20
Jan  9 19:29:11 drapp ftpd[17189]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan  9 19:29:11 drapp ftpd[17189]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan  9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,22910 from 172.31.1.101 [172.31.1.101]
Jan  9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,30267 from 172.31.1.101 [172.31.1.101]
Jan  9 19:33:57 drapp ftpd[17189]: refused PORT 40015c88,50826 from 172.31.1.101 [172.31.1.101]
Jan  9 19:33:58 drapp ftpd[17189]: refused PORT 40015c88,23000 from 172.31.1.101 [172.31.1.101]
Jan  9 19:33:58 drapp ftpd[17189]: refused PORT 40015c88,42008 from 172.31.1.101 [172.31.1.101]
Jan  9 19:35:31 drapp ftpd[17189]: refused PORT 40015c88,53651 from 172.31.1.101 [172.31.1.101]
Jan  9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,64139 from 172.31.1.101 [172.31.1.101]
Jan  9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,42050 from 172.31.1.101 [172.31.1.101]
Jan  9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,25064 from 172.31.1.101 [172.31.1.101]
Jan  9 19:35:32 drapp ftpd[17189]: refused PORT 40015c88,41991 from 172.31.1.101 [172.31.1.101]
Jan  9 19:36:44 drapp ftpd[17189]: FTP session closed
Jan  9 19:36:44 drapp ftpd[17542]: Data port : 20
Jan  9 19:36:44 drapp ftpd[17542]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan  9 19:36:44 drapp ftpd[17542]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan  9 19:36:49 drapp ftpd[17542]: FTP session closed
Jan  9 19:36:50 drapp ftpd[17550]: Data port : 20
Jan  9 19:36:50 drapp ftpd[17550]: FTP server (Revision 5.0 Version wuftpd-2.6.1 Thu Apr 29 06:48:40 GMT 2010) ready.
Jan  9 19:36:50 drapp ftpd[17550]: FTP LOGIN FROM 172.31.1.101 [172.31.1.101], t24drdev
Jan  9 19:37:04 drapp ftpd[17550]: FTP session closed
Jan  9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
Jan  9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2
Jan  9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
Jan  9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
Jan  9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root
Jan  9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.
Jan  9 20:06:48 drapp HP-PRM: [18832]: prmconfig: configuration reset
Jan  9 20:06:48 drapp /usr/sbin/envd[1812]: terminated by signal 15
Jan  9 20:06:48 drapp sshd[1096]: Received signal 15; terminating.
Jan  9 20:06:48 drapp cimserver: cimserver[1702] is shutting down due to reboot
Jan  9 20:06:48 drapp cimserver[1702]: PGS10031: CIM server HP-UX WBEM Services stopped.
Jan  9 20:06:48 drapp diagmond[1809]: Exit due to user requested abort
Jan  9 20:06:54 drapp vmunix: Warning: The validity of the tunable values could not be completely verified, because the value of the tunable 'lcpu_attr' will not be known until the system is booted. The tunable values will be verified during boot. Please check the console messages during boot to see if there are any tunable value errors.
Jan  9 20:06:56 drapp inetd[1232]: Going down on signal 15
Jan  9 20:07:07 drapp rpcbind: rpcbind terminating on signal.
Jan  9 20:07:08 drapp su: + tty?? root-sfmdb
Jan  9 20:07:15 drapp syslogd: going down on signal 15

Thanks in advance

Tanvir


P.S. This post has been split off from another thread in HP-UX > System Administration, and its subject edited. - HP Forum Moderator

6 REPLIES
Dennis Handly
Acclaimed Contributor

Re: Which user shutdown system?

>Could anyone help to find that who (remote user) shutdown my HP-UX server

Only root can shut down a system, or any user in /etc/shutdown.allow.

You can also use last(1) to see who logged in/out about that time.

The start of shutdown?

Jan  9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.

Matti_Kurkela
Honored Contributor

Re: log file of shutdown hp-ux.

> Jan  9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
> Jan  9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2

Here is someone logging on as root from IP address 172.31.1.73. (Note that both messages have the same process ID 17893, implying that both messages refer to the same session.)

The first message indicates that the client was PuTTY (release 0.62).

Then, another connection was established from the same source IP address for the purpose of SFTP file transfer, again logging in as root:

> Jan  9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
> Jan  9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
> Jan  9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root

If the "last" command indicates these two sessions were the only ones active at the time of shutdown, then the only way to find out who it was is to find out who was logged on to the 172.31.1.73 system at that time.

The combination of client applications used (PuTTY + WinSCP) indicates that the client host is very likely to be a Windows system. PuTTY alone does not guarantee that: there is also a Unix/Linux port of PuTTY. As far as I know, WinSCP exists for Windows only.

This is exactly why there is a standard security recommendation for all Unix-like systems to not allow remote logins as root: if the root password is known to several people, there will be no record identifying which one of them actually used the account.

MK
Tanvir11077
Frequent Visitor

Re: log file of shutdown hp-ux.

Thanks to Dennis & Matti for your support.

As Matti said, here is the "last -R" output:

t24drdev    pts/ta       172.31.101.1     Thu Jan  9 22:32 - 22:33  (00:01)
t24drdev    pts/ta       172.31.101.1     Thu Jan  9 22:27 - 22:31  (00:04)
root        pts/ta       172.31.1.101     Thu Jan  9 20:48 - 20:58  (00:10)
t24drdev    pts/tb       172.31.101.6     Thu Jan  9 20:44 - 20:45  (00:00)
root        pts/0        172.31.1.73      Thu Jan  9 20:40 - 21:02  (00:21)
reboot      system boot                   Thu Jan  9 20:38   still logged in
t24drdev    pts/th       172.31.101.6     Thu Jan  9 20:02 - 20:38  (00:35)
t24drdev    pts/tg       172.31.101.6     Thu Jan  9 20:02 - 20:38  (00:36)
t24drdev    pts/tf       172.31.101.6     Thu Jan  9 20:01 - 20:07  (00:05)
t24drdev    pts/te       172.31.101.6     Thu Jan  9 20:01 - 20:38  (00:37)
t24drdev    pts/tb       172.31.101.6     Thu Jan  9 20:00 - 20:38  (00:37)
t24drdev    pts/td       172.31.101.6     Thu Jan  9 19:55 - 20:38  (00:43)
t24drdev    pts/tb       172.31.101.6     Thu Jan  9 19:54 - 19:59  (00:05)
root        pts/2        172.31.1.73      Thu Jan  9 19:49 - 20:05  (00:16)
t24drdev    ftp          172.31.1.101     Thu Jan  9 19:36 - 19:37  (00:00)
t24drdev    ftp          172.31.1.101     Thu Jan  9 19:36 - 19:36  (00:00)
t24drdev    pts/tb       172.31.1.101     Thu Jan  9 19:31 - 19:39  (00:07)
t24drdev    ftp          172.31.1.101     Thu Jan  9 19:29 - 19:36  (00:07)
t24drdev    pts/tc       172.31.101.3     Thu Jan  9 19:20 - 20:07  (00:46)
t24drdev    pts/tc       172.31.101.3     Thu Jan  9 19:13 - 19:18  (00:04)
root        pts/tb       172.31.1.101     Thu Jan  9 19:06 - 19:27  (00:21)
t24drdev    pts/ti       172.31.1.95      Thu Jan  9 18:51 - 20:38  (01:47)

Please identify it for me; it will be helpful for me.

Again thanks for your effort.

Dennis Handly
Acclaimed Contributor
Solution

Re: Which user shutdown system?

>Please identify for me it will helpful for me.

This root user seems to match that range:

root        pts/2        172.31.1.73      Thu Jan  9 19:49 - 20:05  (00:16)
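
Pulling the three points of this thread together (Dennis: only root or a user in /etc/shutdown.allow can run shutdown, so look at last(1) around that time; Matti: sshd lines carrying the same PID belong to one session; this reply: the root session that overlaps the shutdown window), here is an added example of doing that correlation in a script. It is not code from the thread or from HP. The syslog, /etc/shutdownlog and last -R text are a constructed subset of the lines posted above, the year is assumed from /etc/shutdownlog (syslog lines carry none), and the 5-minute slack and the message fragments used to spot the start of the shutdown are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the thread's OLDsyslog.log, /etc/shutdownlog and
# `last -R` lines. Syslog lines carry no year, so it comes from /etc/shutdownlog.
YEAR = 2014
SHUTDOWNLOG = "20:07  Thu Jan  9, 2014.  Halt:"
SYSLOG = """\
Jan  9 19:48:56 drapp sshd[17893]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54049;Protocol: 2.0;Client: PuTTY_Release_0.62
Jan  9 19:49:03 drapp sshd[17893]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54049 ssh2
Jan  9 19:50:27 drapp sshd[17995]: SSH: Server;Ltype: Version;Remote: 172.31.1.73-54065;Protocol: 2.0;Client: WinSCP_release_5.1.3
Jan  9 19:50:36 drapp sshd[17995]: Accepted keyboard-interactive/pam for root from 172.31.1.73 port 54065 ssh2
Jan  9 19:50:36 drapp sshd[17995]: subsystem request for sftp by user root
Jan  9 20:06:45 drapp lvmpud[2042]: LVM daemon exiting.
Jan  9 20:06:48 drapp sshd[1096]: Received signal 15; terminating.
"""
LAST_R = """\
root        pts/2        172.31.1.73      Thu Jan  9 19:49 - 20:05  (00:16)
t24drdev    pts/tf       172.31.101.6     Thu Jan  9 20:01 - 20:07  (00:05)
t24drdev    pts/tc       172.31.101.3     Thu Jan  9 19:20 - 20:07  (00:46)
root        pts/tb       172.31.1.101     Thu Jan  9 19:06 - 19:27  (00:21)
reboot      system boot                   Thu Jan  9 20:38   still logged in
"""

# BSD-style syslog line "Mon  D HH:MM:SS host prog[pid]: message"; pid is optional.
SYSLOG_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
                       r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# `last -R` line "user tty host Dow Mon D HH:MM - HH:MM (dur)" or "... still logged in".
LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+(?P<mon>\w{3})"
                     r"\s+(?P<day>\d+)\s+(?P<start>\d\d:\d\d)\s+"
                     r"(?:-\s+(?P<end>\d\d:\d\d)|(?P<still>still logged in))")
# Assumed daemon-stop fragments; the earliest match marks the onset of the shutdown.
SHUTDOWN_MARKERS = ("exiting", "signal 15", "shutting down", "going down")

def _ts(mon, day, clock):
    """Datetime from syslog/last fields; `last` prints HH:MM only, so pad seconds."""
    if clock.count(":") == 1:
        clock += ":00"
    return datetime.strptime(f"{YEAR} {mon} {int(day)} {clock}", "%Y %b %d %H:%M:%S")

def ssh_sessions(syslog_text):
    """Join sshd lines on PID: banner, Accepted and subsystem lines of one session
    share the same sshd[pid]. PIDs that never authenticated anyone are dropped."""
    by_pid = {}
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "sshd" or not m["pid"]:
            continue
        s, msg = by_pid.setdefault(int(m["pid"]), {}), m["msg"]
        if c := re.search(r"Client: (\S+)", msg):
            s["client"] = c.group(1)
        if a := re.match(r"Accepted \S+ for (\S+) from (\S+) port (\d+)", msg):
            s["user"], s["from"], s["port"] = a.group(1), a.group(2), int(a.group(3))
            s["login"] = _ts(m["mon"], m["day"], m["time"])
        if "subsystem request for sftp" in msg:
            s["sftp"] = True
    return {pid: s for pid, s in by_pid.items() if "user" in s}

def shutdown_onset(syslog_text):
    """Time of the first daemon-stop message, or None if there is none."""
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and any(k in m["msg"] for k in SHUTDOWN_MARKERS):
            return _ts(m["mon"], m["day"], m["time"])

def halt_time(shutdownlog_text):
    """Datetime of a /etc/shutdownlog entry such as '20:07  Thu Jan  9, 2014.  Halt:'."""
    m = re.search(r"(\d\d:\d\d)\s+\w{3} (\w{3})\s+(\d+), \d{4}\.", shutdownlog_text)
    return _ts(m.group(2), m.group(3), m.group(1))

def last_sessions(last_text):
    """Parse `last -R` into session dicts; the pseudo-user 'reboot' is skipped."""
    out = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if not m or m["user"] == "reboot":
            continue
        start = _ts(m["mon"], m["day"], m["start"])
        end = None if m["still"] else _ts(m["mon"], m["day"], m["end"])
        if end is not None and end < start:  # logout after midnight
            end += timedelta(days=1)
        out.append({"user": m["user"], "tty": m["tty"], "host": m["host"], "start": start, "end": end})
    return out

def shutdown_candidates(last_text, syslog_text, shutdownlog_text,
                        allowed=("root",), slack=timedelta(minutes=5)):
    """Sessions of users permitted to run shutdown (root plus /etc/shutdown.allow,
    mirrored by `allowed`) that were live in [onset - slack, halt]. The slack covers
    `last` showing minutes only and shutdown(1M) waiting its grace period first."""
    halt = halt_time(shutdownlog_text)
    lo, hi = (shutdown_onset(syslog_text) or halt) - slack, halt
    return [s for s in last_sessions(last_text)
            if s["user"] in allowed and s["start"] <= hi and (s["end"] or hi) >= lo]

if __name__ == "__main__":
    for s in shutdown_candidates(LAST_R, SYSLOG, SHUTDOWNLOG):
        print(s["user"], s["tty"], s["host"], s["start"], s["end"])
```

On the thread's data this narrows the field to the single root session on pts/2 from 172.31.1.73 (19:49 to 20:05), which is the one Dennis points at; widening `allowed` to include t24drdev shows why the root-only filter matters, since several unprivileged sessions were also open at 20:07. As Matti notes, the script can only name the account and the source host: who was sitting at 172.31.1.73 has to come from that machine's own records, which is the cost of shared root logins.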

Tanvir11077
Frequent Visitor

Re: Which user shutdown system?

Issue solved.

Thanks to all.

Dennis Handly
Acclaimed Contributor

Re: Which user shutdown system?

>Thanks to all.

If you're happy, please click on the Kudos star for each helpful answer.