Hi, Camelot,
Is there a way to accordion log files in Apple forum; they are too long but I will show them anyway.
You are right. Normally I don't suspect hacker's attack immediately. I just meant that it could be a theoretically possible way to mess up a OS X server because I think repetitive RAID rebuild is harmful to the hardware.
What leads me to the theory is that for the whole week, there is an unknown computer showing up in local area network. I saw him on my sidebar of the Finder with a hostname hppc. He sometimes mysteriously disappears and sometimes shows up in the midnight. I have no way of tracking him because I can only ping a known IP but I could not ping a strange hostname and hence impossible to track who the hack hppc is, not to mention trace route, whois, and nslookup. My firewall cannot show a nice history diagram of who has visited my network. I am stuck!
I think he is doing the arp spoofing or DNS spoofing attack, a way that can sniff user passwords across the network. It irritates me very much because I trust OS X for its robust build. I don't even install any flash in my server system for security reason.
How can my server suddenly crash for no apparent reason, which then triggers RAID rebuild? It looks like my server remain breached.
The SMC and CR 2032 Lithium coin cell battery are fine as time and date are normal all the time. My 10.6.8 Server Admin crashes with a chance of about 10% probability, more often than 10.5.x OS X server but I think this is inherited flaw from 10.6.3.
Per your suggestion, here is the excerpt of log file; I have removed the MAC address:
npvhash=4095
PAE enabled
64 bit mode enabled
Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386
vm_page_bootstrap: 2044359 free pages and 36409 wired pages
standard timeslicing quantum is 10000 us
mig_table_max_displ = 73
AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled
AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled
AppleACPICPU: ProcessorId=2 LocalApicId=7 Enabled
AppleACPICPU: ProcessorId=3 LocalApicId=6 Enabled
AppleACPICPU: ProcessorId=4 LocalApicId=0 Disabled
AppleACPICPU: ProcessorId=5 LocalApicId=0 Disabled
AppleACPICPU: ProcessorId=6 LocalApicId=0 Disabled
AppleACPICPU: ProcessorId=7 LocalApicId=0 Disabled
calling mpo_policy_init for TMSafetyNet
Security policy loaded: Safety net for Time Machine (TMSafetyNet)
calling mpo_policy_init for Quarantine
Security policy loaded: Quarantine policy (Quarantine)
calling mpo_policy_init for Sandbox
Security policy loaded: Seatbelt sandbox policy (Sandbox)
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
MAC Framework successfully initialized
using 16384 buffer headers and 4096 cluster IO buffer headers
IOAPIC: Version 0x20 Vectors 64:87
ACPI: System State [S0 S3 S4 S5] (S3)
PFM64 0xf10000000, 0xf0000000
[ PCI configuration begin ]
PCI configuration changed (bridge=5 device=1 cardbus=0)
[ PCI configuration end, bridges 14 devices 28 ]
AppleIntelCPUPowerManagement: (built 16:44:45 Jun 7 2011) initialization complete
mbinit: done (64 MB memory set for mbuf pool)
rooting via boot-uuid from /chosen: AAF256FD-A28F-3614-AE49-F1DD13207974
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
com.apple.AppleFSCompressionTypeZlib kmod start
com.apple.AppleFSCompressionTypeZlib load succeeded
AppleIntelCPUPowerManagementClient: ready
FireWire (OHCI) TI ID 8025 built-in now active, GUID 001d4ffffe720d48; max speed s800.
Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPCI2PCIBridge/ SAS@0/AppleRAIDCard/SAS Target 50080007001E7C5D@1/IOSCSITargetDevice/IOSCSILogicalUnitNub@1/AppleRAIDCardDiskD river/IOBlockStorageServices/IOBlockStorageDriver/APPLE RAID Card Media/IOGUIDPartitionScheme/OS@2
BSD root: disk0s2, major 14, minor 2
ioqueue_depth = 60, ioscale = 2
IPv6 packet filtering initialized, default to accept, logging disabled
AppleIntel8254XEthernet: Ethernet address
AppleIntel8254XEthernet: Ethernet address
systemShutdown false
Apple16X50ACPI1: Identified Serial Port on ACPI Device=UAR1
Apple16X50ACPI::start FOUND DB9 Property for AAPL,connector
Apple16X50UARTSync: Detected 16550AF/C/CF FIFO=16 MaxBaud=115200
Previous Shutdown Cause: 5
DSMOS has arrived
ioqueue_depth = 60, ioscale = 2
Ethernet [Intel8254X]: Link down on en0
Ethernet [Intel8254x]: Link up on en0, 100-Megabit, Full-duplex, Symmetric flow-control, Debug [792d,6f08,0de1,0e00,45e1,4000]