How can I tell who/what shutdown my CentOS VPS?

linux centos vps openvz unexpected-shutdown

CentOS 5.7 VPS (running on OpenVZ)

My VPS shut down this morning and I'm not sure why. I contacted my VPS host and they indicated that the server "was off". They powered it back on but I'm confused on how/why exactly it was shut down. The host didn't volunteer information/opinion on why it was shut down.

I checked /var/log/messages and noticed the following: 

Nov 23 11:12:13 echo shutdown[5748]: shutting down for system halt 
Nov 23 11:12:13 echo init: Switching to runlevel: 0 
Nov 23 11:12:13 echo saslauthd[15407]: server_exit     : master exited: 15407 
Nov 23 11:12:20 echo xinetd[12074]: Exiting... Nov 23 11:12:20 echo exiting on signal 15

I checked /var/log/secure and noticed the following: 

Nov 23 11:12:13 echo userhelper[5748]: running '/sbin/halt' with root privileges on behalf of 'root' 
Nov 23 11:12:19 echo sshd[11982]: Received signal 15; terminating.

I don't see any unauthorized SSH connections. I have SSH listening on a different port, only accepting authorized keys, and only accepting connections from specific IPs (via iptables restrictions).

Is there anywhere else I can look to prove or disprove the theory that my VPS host did this?

UPDATE: I ran last and here's what I get for the most recent entries (I edited the hostname/username) Both of the one's with "mike" are me and legit. 

mike     pts/1        c-11-11-11-11 Wed Nov 23 11:56   still logged in
reboot   system boot  2.6.18-194.8.1.e Wed Nov 23 11:48          (01:42)
mike     pts/0        foo.foo.com Mon Nov 21 16:27 - 20:39  (04:11)

Any idea what the "reboot" is?


Solution 1:

You can see that this was triggered by "UserHelper" which is a gui wrapper to pam, but since you don't post any logs previous I still cannot give you a definitive answer to what is using "userhelper".

When executing "last" it will show you date/time of all system reboots. Completely normal and expected.

To see the last reboot you can use:

last reboot | head -1

or if you want to list reboot history just use last reboot

for shutdown info:

last -x|grep shutdown

As for your concern about sshd, the daemon is being terminated with sig 15, per the shutdown procedure, also as expected.

Related

Number of logical processors per VM?
Windows Task Scheduler - Run Action when Process (EXE) is NOT running
How does Apache interpret multiple SSLRandomSeed sources
How to manually run application as "IIS APPPOOL\MyAppPool" user
How to copy many Scheduled Tasks between Windows Server 2008 machines?
How do I convince Dell blades to PXE Boot
nginx error_page for 502 Bad Gateway errors
How to disable Request Filtering for a specific website on IIS 7.5?
Ping hostname works but nslookup to hostname doesn't
Security when SSH private keys are lost
Is bonding mode=5 a solution against MAC flapping?
NIC Teaming with Broadcom on HyperV 2008 R2