Hi. This amount of Checksum Changes have never happened to me, on any of my CPanel or Debian/Ubuntu/FreeBSD-servers. What kind of disitribution do you run? Maybe you/the system auto updated itself to a new version.
On Wed, Aug 3, 2011 at 2:11 PM, Chris Phillips <[email protected]>wrote: > Hi All, > > Recently, I received about 400+ "Alert Level 7" notifications, for a single > server, all related to "Integrity checksum changed" events. > > I am really worried about this, but I can see no reason why it has > happened. > > The situation has not re-occurred and has not happened on any of the other > servers we have OSSEC installed on. > > Can anyone please explain what could cause this? I am hoping it's some > sort of obscure but OK OSSEC anomaly! > > Cheers, > -- > ChrisP (slightly panicky) > > > -----Original Message----- > From: OSSEC HIDS > Sent: 28 July 2011 08:46 > To: Chris Phillips > Subject: OSSEC Notification (myserver) - Alert level 7 > > OSSEC HIDS Notification. > 2011 Jul 28 08:46:23 > > Received From: (myserver) >syscheck > Rule: 550 fired (level 7) -> "Integrity checksum changed." > Portion of the log(s): > > Integrity checksum changed for: '/sbin/debugfs' > Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb' > New md5sum is : 'c4c01019d7806734e857996adc63cf17' > Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728' > New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5' > > --END OF NOTIFICATION > -- MVH/With regards Frank -- Name: Frank Stefan Sundberg Solli E-mail: [email protected] GPG: 684119F4
