Several hundred alerts for "Integrity checksum changed"

Chris Phillips

Aug 3, 2011, 8:11:22 AM
to ossec...@googlegroups.com
Hi All,

Recently, I received about 400+ "Alert Level 7" notifications, for a single server, all related to "Integrity checksum changed" events.

I am really worried about this, but I can see no reason why it has happened.

The situation has not re-occurred and has not happened on any of the other servers we have OSSEC installed on.

Can anyone please explain what could cause this? I am hoping it's some sort of obscure but OK OSSEC anomaly!

Cheers,
--
ChrisP (slightly panicky)


-----Original Message-----
From: OSSEC HIDS
Sent: 28 July 2011 08:46
To: Chris Phillips
Subject: OSSEC Notification (myserver) - Alert level 7

OSSEC HIDS Notification.
2011 Jul 28 08:46:23

Received From: (myserver) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/sbin/debugfs'
Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
New md5sum is : 'c4c01019d7806734e857996adc63cf17'
Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'

--END OF NOTIFICATION

Frank Stefan Sundberg Solli

Aug 3, 2011, 8:51:22 AM
to ossec...@googlegroups.com
Hi.

This amount of checksum changes has never happened to me, on any of my CPanel or Debian/Ubuntu/FreeBSD servers. What kind of distribution do you run? Maybe you/the system auto-updated itself to a new version.
--
MVH/With regards

Frank
--
Name:         Frank Stefan Sundberg Solli
E-mail:         frank...@gmail.com
GPG:            684119F4

Daniel Cid

Aug 3, 2011, 8:57:02 AM
to ossec...@googlegroups.com
Probably because of prelinking... More details here:

http://www.ossec.net/wiki/Know_How:Check_Sums

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
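The check Daniel's pointer implies, as an added example that is not part of the thread or of OSSEC itself: parse the notification format quoted above and, for each flagged binary, test whether `prelink -y` (which writes the binary with prelinking undone to stdout) reproduces the old checksum. The second alert in the sample and its hashes are constructed, and GNU coreutils `md5sum` is assumed.

```shell
#!/bin/sh
# Triage helper for a batch of OSSEC rule 550 notifications (added example, not
# from the thread or OSSEC). Assumes GNU md5sum and "prelink -y FILE" semantics.

# Constructed sample: the alert quoted in the thread plus a second, made-up one.
sample_alerts() {
  cat <<'EOF'
Integrity checksum changed for: '/sbin/debugfs'
Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
New md5sum is : 'c4c01019d7806734e857996adc63cf17'
Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
Integrity checksum changed for: '/usr/bin/constructed-example'
Old md5sum was: '00000000000000000000000000000001'
New md5sum is : '00000000000000000000000000000002'
EOF
}

# Reduce the notification text to one "path old_md5 new_md5" line per file.
parse_syscheck_alerts() {
  awk -F"'" '
    /^Integrity checksum changed for: / { path = $2 }
    /^Old md5sum was: /                 { old  = $2 }
    /^New md5sum is/                    { print path, old, $2 }
  '
}

# Exit 0 if undoing prelink on PATH reproduces OLD_MD5 (change explained by
# prelinking), 1 if it does not (investigate), 2 if the check cannot be run.
prelink_explains_change() {
  path=$1 old_md5=$2
  command -v prelink >/dev/null 2>&1 || return 2
  [ -f "$path" ] || return 2
  # If the file was never prelinked, prelink -y produces nothing and we get 1.
  undone=$(prelink -y "$path" 2>/dev/null | md5sum | cut -d' ' -f1)
  [ "$undone" = "$old_md5" ]
}

# One verdict per flagged file, so hundreds of alerts collapse to the few
# that still need a human.
triage() {
  parse_syscheck_alerts | while read -r path old new; do
    rc=0; prelink_explains_change "$path" "$old" || rc=$?
    case $rc in 0) verdict=prelink ;; 1) verdict=INVESTIGATE ;; *) verdict=unknown ;; esac
    printf '%-11s %s  %s -> %s\n' "$verdict" "$path" "$old" "$new"
  done
}

sample_alerts | triage
```

A file whose undone checksum does not match the old value is one prelinking does not explain and deserves a closer look. Later OSSEC releases can run this normalisation inside syscheck via the `<prefilter_cmd>` option.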

Chris Phillips

Aug 3, 2011, 9:13:10 AM
to ossec...@googlegroups.com

It’s CentOS5 and it definitely didn’t update on its own (quite closely controlled and only has access to our in-house repos).

There was an identical host (on another hostname/IP of course) created at the same time as the one, which did not throw the same alerts.

I can’t see anything dodgy going on on the system, so I’ll continue to monitor closely...

--
ChrisP


Chris Phillips

Service Designer, intY Ltd.

+44 (0)1454 640 532

Scanned by MailDefender - managed email security from intY - www.maildefender.net


Chris Phillips

Aug 3, 2011, 10:41:33 AM
to ossec...@googlegroups.com
Many Thanks Daniel,

That is just what I needed to hear/read!

I can see that we do have prelinking turned ON, but not sure it's a "choice" rather than an OS default, so we may end up switching it OFF as I doubt we see any benefits from it.

Cheers,
--
ChrisP

Chris Phillips
Service Designer, intY Ltd.
+44 (0)1454 640 532


-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Daniel Cid
Sent: 03 August 2011 13:57
To: ossec...@googlegroups.com
Subject: Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

Jason 'XenoPhage' Frisvold

Aug 3, 2011, 9:23:37 PM
to ossec...@googlegroups.com
On Aug 3, 2011, at 10:41 AM, Chris Phillips wrote:
> Many Thanks Daniel,
>
> That is just what I needed to hear/read!
>
> I can see that we do have prelinking turned ON, but not sure it's a "choice" rather than an OS default, so we may end up switching it OFF as I doubt we see any benefits from it.

Prelinking seems to benefit desktop situations more than server situations, provided the server is mostly static with respect to the daemons running. So turning it off on a server could result in a few milliseconds of delay on a reboot or restart of a service, but overall likely won't cause any issues during normal operation.

---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

