Reboot?

pgowder
02-23-2002, 07:23 PM
My server on RackShack has been rebooted, RS doesn't know why.
How can I tell what happened??

ljprevo
02-23-2002, 08:03 PM
If they didn't do it, and you didn't do it I would start thinking a hack attempt possibly and start looking around your server. I know I am talking paranoid, but if you have been rooted the server may have needed to be rebooted to install a rootkit.

pgowder
02-23-2002, 08:45 PM
How can I start investigating to see what happened and if I was hacked or it just crashed?

ljprevo
02-23-2002, 08:57 PM
You will want to start by loading chkrootkit and running that to see if any are installed. Here is a "How to" install it:
http://vito.pointclark.net/security/chkrootkit.html

Chicken
02-23-2002, 09:49 PM
It should be noted that RaQs are sometimes guilty of spontaneous-rebootilation and while you still should probably figure out why it happened, it isn't the first time a RaQ has rebooted itself.

Michael
02-24-2002, 01:51 AM
Check and make sure the CPU did not overheat.
Mike

Cephren
02-24-2002, 04:40 AM
Cobalt has a rather basic way of approaching to see if a raq has been hacked:

What you should try is checking the binaries for an indication of a hack. Although it is not 100% accurate. You can be reasonably sure that the server has been hacked if any of the following produces output.

Telnet to the server as admin and su - to root. Type these commands:

rpm -V procps
rpm -V fileutils
rpm -V net-tools
rpm -V util-linux

NOTE: util-linux will complain about:

S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M...... /usr/bin/newgrp
M...... /usr/bin/write

If any other output should occur, such as issues with /bin or /usr/bin, our advice is to perform an OS restore to assure the security of your server. Be sure the restore files do not contain the hack. Please consult with a security expert if an OS Restore is not an option.
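
The check described in the post above, as an added example that is not part of the original thread or Cobalt's own tooling: it runs `rpm -V` on the four packages and reports only lines that are not on the util-linux exception list quoted in the post. The function names `filter_unexpected` and `check_packages`, the script name `verify.sh` and the `--run` switch are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: triage `rpm -V` output using the exceptions listed in the post.

# Packages the post says to verify.
PACKAGES="procps fileutils net-tools util-linux"

# Deviations the post lists as normal for util-linux (whitespace normalized).
EXPECTED='S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M...... /usr/bin/newgrp
M...... /usr/bin/write'

# filter_unexpected PACKAGE: read `rpm -V` output on stdin and print only the
# lines that are not accounted for. The exception list applies to util-linux
# only; for the other packages every line of output is reported.
filter_unexpected() {
    name=$1
    lines=$(tr '\t' ' ' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//' -e '/^$/d')
    [ -n "$lines" ] || return 0
    if [ "$name" = "util-linux" ]; then
        printf '%s\n' "$lines" | grep -F -x -v -e "$EXPECTED" || true
    else
        printf '%s\n' "$lines"
    fi
}

# check_packages: run `rpm -V` on each package and prefix every unexplained
# line with the package name. Returns 1 if anything was reported, else 0.
check_packages() {
    rc=0
    for pkg in $PACKAGES; do
        out=$(rpm -V "$pkg" 2>&1 | filter_unexpected "$pkg")
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed "s/^/$pkg: /"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when asked, e.g. `sh verify.sh --run` as root.
if [ "${1:-}" = "--run" ]; then
    check_packages
fi
```

The result is only as trustworthy as the `rpm` binary and RPM database on the host being checked, so a clean run does not prove the server is clean.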

pgowder
02-24-2002, 03:10 PM
Thanks, I ran those commands, and nothing turned up.
Should I try anything else??