How can I tell who/what shut down my CentOS VPS?

CentOS 5.7 VPS (running on OpenVZ)

My VPS shut down this morning and I'm not sure why. I contacted my VPS host and they indicated that the server "was off". They powered it back on but I'm confused on how/why exactly it was shut down. The host didn't volunteer information/opinion on why it was shut down.

I checked /var/log/messages and noticed the following:

Nov 23 11:12:13 echo shutdown[5748]: shutting down for system halt
Nov 23 11:12:13 echo init: Switching to runlevel: 0
Nov 23 11:12:13 echo saslauthd[15407]: server_exit     : master exited: 15407
Nov 23 11:12:20 echo xinetd[12074]: Exiting...
Nov 23 11:12:20 echo exiting on signal 15

I checked /var/log/secure and noticed the following:

Nov 23 11:12:13 echo userhelper[5748]: running '/sbin/halt' with root privileges on behalf of 'root' 
Nov 23 11:12:19 echo sshd[11982]: Received signal 15; terminating.

I don't see any unauthorized SSH connections. I have SSH listening on a different port, only accepting authorized keys, and only accepting connections from specific IPs (via iptables restrictions).

Is there anywhere else I can look to prove or disprove the theory that my VPS host did this?


UPDATE: I ran last and here's what I get for the most recent entries (I edited the hostname/username). Both of the ones with "mike" are me and legit.

mike     pts/1        c-11-11-11-11 Wed Nov 23 11:56   still logged in
reboot   system boot  2.6.18-194.8.1.e Wed Nov 23 11:48          (01:42)
mike     pts/0        foo.foo.com Mon Nov 21 16:27 - 20:39  (04:11)

Any idea what the "reboot" is?


Solution 1:

You can see that this was triggered by "UserHelper", which is a GUI wrapper to PAM, but since you didn't post any previous logs, I still cannot give you a definitive answer as to what is using "userhelper".

When executing "last" it will show you date/time of all system reboots. Completely normal and expected.

To see the last reboot you can use:

last reboot | head -1

Or, if you want to list the reboot history, just use last reboot.

For shutdown info:

last -x|grep shutdown

As for your concern about sshd, the daemon is being terminated with sig 15, per the shutdown procedure, also as expected.
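
The PID match behind the answer's first point, as an added example that is not part of the original answer: `shutdown[5748]` in /var/log/messages and `userhelper[5748]` in /var/log/secure carry the same PID, so joining the two logs on it names the caller. The function names and output format are assumptions for illustration; the sample input is the log lines quoted in the question.

```shell
#!/bin/sh
# Added example: tie a shutdown in /var/log/messages to its caller in
# /var/log/secure by matching the PID in the syslog tag.

# Sample input: the log lines quoted in the question, written to directory $1.
write_sample_logs() {
    cat > "$1/messages" <<'EOF'
Nov 23 11:12:13 echo shutdown[5748]: shutting down for system halt
Nov 23 11:12:13 echo init: Switching to runlevel: 0
Nov 23 11:12:13 echo saslauthd[15407]: server_exit     : master exited: 15407
Nov 23 11:12:20 echo xinetd[12074]: Exiting...
Nov 23 11:12:20 echo exiting on signal 15
EOF
    cat > "$1/secure" <<'EOF'
Nov 23 11:12:13 echo userhelper[5748]: running '/sbin/halt' with root privileges on behalf of 'root'
Nov 23 11:12:19 echo sshd[11982]: Received signal 15; terminating.
EOF
}

# Usage: correlate_shutdown MESSAGES_FILE SECURE_FILE (hypothetical helper)
correlate_shutdown() {
    awk '
        # PID and program name from a syslog tag such as "shutdown[5748]:".
        function pid_of(tag,   s) {
            s = index(tag, "["); return substr(tag, s + 1, index(tag, "]") - s - 1)
        }
        function prog_of(tag) { return substr(tag, 1, index(tag, "[") - 1) }
        # First file (messages): record PID, time and day of each shutdown call.
        FNR == NR {
            if ($5 ~ /^shutdown\[[0-9]+\]:$/) {
                pid = pid_of($5); when[pid] = $1 " " $2 " " $3; day[pid] = $1 " " $2
            }
            next
        }
        # Second file (secure): same PID on the same day identifies the caller.
        # The day check limits false matches from PID reuse.
        $5 ~ /\[[0-9]+\]:$/ {
            pid = pid_of($5)
            if ((pid in when) && day[pid] == $1 " " $2) {
                printf "%s pid=%s via=%s detail=%s\n", when[pid], pid, prog_of($5), substr($0, index($0, "]: ") + 3)
            }
        }
    ' "$1" "$2"
}

tmp=$(mktemp -d)
write_sample_logs "$tmp"
correlate_shutdown "$tmp/messages" "$tmp/secure"
rm -rf "$tmp"
```

On a live system, pass /var/log/messages and /var/log/secure (or their rotated copies) as the two arguments.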