File modification times can be manually manipulated - that's why you take the md5 sum to begin with. Any good rootkit will adjust the modification times after installation.
Trust the md5's: unless you've installed an update that modified the files listed (which seems unlikely in the case of /bin/ls), your machine has been compromised and can no longer be trusted.

JM

On 07/14/2010, Bob Sauvage <[email protected]> wrote:
> Hello everybody !
>
> I just have an alert from OSSEC about integrity check on some bin files.
> But when I do a "ls -l" the modification date is very old (2009).
> When I do a "md5sum", Ossec has the correct sum.
>
> What can I do ?
>
> Thanks a lot and have a good day !
>
> -/bin/ls
> File: /bin/ls
> Agent: ***
> Modification time: 2010 Jul 14 05:59:25
> -/bin/tar
> File: /bin/tar
> Agent: ***
> Modification time: 2010 Jul 14 05:59:23
> -/bin/ex
> File: /bin/ex
> Agent: ***
> Modification time: 2010 Jul 14 05:59:21
> -/bin/gtar
> File: /bin/gtar
> Agent: ***
> Modification time: 2010 Jul 14 05:59:19
> -/bin/vi
> File: /bin/vi
> Agent: ***
> Modification time: 2010 Jul 14 05:59:17
> -/bin/rview
> File: /bin/rview
> Agent: ***
> Modification time: 2010 Jul 14 05:59:17
> -/bin/rvi
> File: /bin/rvi
> Agent: ***
> Modification time: 2010 Jul 14 05:59:17
> +/bin/cp
> -/bin/cp
> File: /bin/cp
> Agent: ***
> Modification time: 2010 Jul 14 05:59:17
> -/bin/mv
> File: /bin/mv
> Agent: ***
> Modification time: 2010 Jul 14 05:59:15
> -/bin/view
> File: /bin/view
> Agent: ***
> Modification time: 2010 Jul 14 05:59:13
> -/usr/bin/vdir
> File: /usr/bin/vdir
> Agent: ***
> Modification time: 2010 Jul 14 05:56:56
> +/usr/bin/ex
> -/usr/bin/ex
> File: /usr/bin/ex
> Agent: ***
> Modification time: 2010 Jul 14 05:56:10
> -/usr/bin/vimdiff
> File: /usr/bin/vimdiff
> Agent: ***
> Modification time: 2010 Jul 14 05:56:08
> -/usr/bin/rvim
> File: /usr/bin/rvim
> Agent: ***
> Modification time: 2010 Jul 14 05:56:04
> -/usr/bin/chacl
> File: /usr/bin/chacl
> Agent: ***
> Modification time: 2010 Jul 14 05:54:58
> -/usr/bin/rsync
> File: /usr/bin/rsync
> Agent: ***
> Modification time: 2010 Jul 14 05:54:56
> -/usr/bin/vim
> File: /usr/bin/vim
> Agent: ***
> Modification time: 2010 Jul 14 05:54:54
> -/usr/bin/setfacl
> File: /usr/bin/setfacl
> Agent: ***
> Modification time: 2010 Jul 14 05:54:31
> -/usr/bin/dir
> File: /usr/bin/dir
> Agent: ***
> Modification time: 2010 Jul 14 05:54:13
> -/usr/bin/getfacl
> File: /usr/bin/getfacl
> Agent: ***
> Modification time: 2010 Jul 14 05:53:33
> +/usr/bin/install
>
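
The point made in the reply at the top of this thread, as an added example that is not part of the original messages and is not OSSEC's code: an integrity check that decides on the content hash and treats the modification time only as a hint. It uses SHA-256 in place of the MD5 sums mentioned in the thread; the file name, contents and 2009 timestamp are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Record the content hash and mtime of a file, as a baseline entry."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime": os.stat(path).st_mtime}


def check(path, baseline):
    """Compare a file to its baseline; the hash decides, mtime is only a hint."""
    now = snapshot(path)
    if now["sha256"] == baseline["sha256"]:
        return "unchanged"
    if now["mtime"] == baseline["mtime"]:
        # Content differs although the timestamp says nothing happened.
        return "modified, mtime unchanged"
    return "modified"


def demo():
    """Constructed scenario: a file is rewritten and its old mtime put back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-binary")  # hypothetical stand-in file
        with open(path, "wb") as fh:
            fh.write(b"original contents\n")
        old = 1246406400  # constructed timestamp: 2009-07-01 00:00:00 UTC
        os.utime(path, (old, old))
        baseline = snapshot(path)
        before = check(path, baseline)

        with open(path, "wb") as fh:
            fh.write(b"replaced contents\n")
        os.utime(path, (old, old))  # "ls -l" shows the 2009 date again
        after = check(path, baseline)
        looks_old = os.stat(path).st_mtime == old
    return before, after, looks_old


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored somewhere the monitored host cannot rewrite, otherwise the comparison proves nothing.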
