Re: last

From: Peter Pentchev (roam@ringlet.net)
Date: 10/03/01 

Date: Wed, 3 Oct 2001 15:29:08 +0300
From: Peter Pentchev <roam@ringlet.net>
To: ANdrei <andrei@abc.ro>

On Wed, Oct 03, 2001 at 02:04:23PM +0300, ANdrei wrote:
> rik@rikrose.net wrote:
> >
> > On Wed, 3 Oct 2001, ANdrei wrote:
> > > it wasn't for sure me :), but i just had my firewall down for a few
> > > mins, and then it happened... was this just a coincidence?
> >
> > It could have been a power cut, or even a brown out, or someone else while
> > you were working on the firewall :)
>
> nope, in that case you don't get that log entry from last (i'm almost
> sure about that) and your file-systems get checked at startup for sure,
> and mine didn't... it was a clkean shutdown...

No, it wasn't. It was either a power failure, or somebody hitting
the power button, but it was by no means a clean shutdown.

Had it been a clean shutdown, last(1) would have said something like:

reboot ~ Sun Sep 30 21:20
shutdown ~ Sun Sep 30 21:13
roam ttyv0 Sun Sep 30 21:08 - shutdown (00:05)

That is, there would have been an entry named 'shutdown', and the
logout time of the still-logged-in users would have been marked as
'shutdown', not 'crash' as in your logs. The absence of a 'shutdown'
entry in your logs means that the system did not record a wtmp entry
at the time of the shutdown, meaning the system was not really doing
a clean shutdown. The 'crash' in the logout time field means that
upon starting at the next boot-up, the system found still unclosed
wtmp records, and concluded that there had been an unclean reboot.

G'luck,
Peter 

-- 
I am not the subject of this sentence.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message