I didn't see a response for this.

I'm having the same issue. Since upgrading to the latest version of OSSEC,
many of my servers are generating this alert.

See below.

 ----------

OSSEC HIDS Notification.

2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck

Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."

Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

OSSEC HIDS Notification.

2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck

Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."

Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030207_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

OSSEC HIDS Notification.

2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck

Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."

Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030208_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

Thanks,

-chad


 ------------------------------

*From:* [email protected] [mailto:[EMAIL PROTECTED]] *On
Behalf Of* Clayton Dillard
*Sent:* Wednesday, August 29, 2007 4:55 PM
*To:* ossec-list
*Subject:* [ossec-list] [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 -
Alert level 7]



Recently installed OSSEC agent on a Windows Server 2003 R2 box with MS SQL
2005 on it, as well as IIS.  Getting this alert.  Anyone got any insight as
to whether this is normal as IIS gens backups of the config and purges old
ones?

Thanks in advance,
Clayton Dillard


-------- Forwarded Message --------
*From*: OSSEC HIDS <[EMAIL PROTECTED]>
*To*: [EMAIL PROTECTED]
*Subject*: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7
*Date*: Wed, 29 Aug 2007 14:55:08 EDT



OSSEC HIDS Notification.

2007 Aug 29 14:54:56

Received From: (RPSSQL01) x.x.x.x->syscheck

Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."

Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

OSSEC HIDS Notification.

2007 Aug 29 14:54:56

Received From: (RPSSQL01) x.x.x.x->syscheck

Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."

Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

OSSEC HIDS Notification.

2007 Aug 29 14:54:56

Received From: (RPSSQL01) x.x.x.x->syscheck

Rule: 550 fired (level 7) -> "Integrity checksum changed."

Portion of the log(s):

Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'

Old md5sum was: 'ef3df1597cbd473280064e6b3d1cfc81'

New md5sum is : 'fbe18ed853cfc84594097085c21a2c36'

Old sha1sum was: '13613487f40d277c23438431269ae0e5fd761726'

New sha1sum is : '2169491d00a7f7b2c498767e9c351d8ed9abfe4b'

 --END OF NOTIFICATION

*Clayton Dillard*
*Director of Information Technology*
*RPS Technology LLC*
Tel: 919-319-4301 x205
Cell: 919-414-0265
Fax: 919-882-8261
