I originally posted this in the wrong forum, and gave up on anyone resembling a moderator moving it at my request, so here it is again:

This AM I was alerted that my server was down. I verified and couldn't connect to it in any fashion when I tried.

Opened a ticket with Rackshack, and they booted it; it was shut down. These are the log entries:

Oct 29 02:25:34 homer login: PAM-listfile: Couldn't open /etc/telnet.pamlist
Oct 29 02:25:40 homer login(pam_unix)[1453]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Oct 29 02:25:42 homer login[1453]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Oct 29 02:25:44 homer shutdown: shutting down for system reboot

There is nothing suspicious before that, and after that, all shutdown stuff until Rackshack rebooted the server for us this AM. Something is up, but I don't know what.

We are running the latest and greatest Ensim patches, telnet is disabled, we only allow SSH2, root login is disabled, etc. Ideas?


The last security log entries before reboot are:

Oct 29 02:24:05 homer xinetd[998]: START: pop3 pid=12660 from=68.211.21.10
Oct 29 02:26:02 homer sshd[943]: Received signal 15; terminating.

The pop3 is me. Why would sshd do that?

Ideas?