Probably because of prelinking... More details here: http://www.ossec.net/wiki/Know_How:Check_Sums
Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Wed, Aug 3, 2011 at 9:11 AM, Chris Phillips <[email protected]> wrote: > Hi All, > > Recently, I received about 400+ "Alert Level 7" notifications, for a single > server, all related to "Integrity checksum changed" events. > > I am really worried about this, but I can see no reason why it has happened. > > The situation has not re-occurred and has not happened on any of the other > servers we have OSSEC installed on. > > Can anyone please explain what could cause this? I am hoping it's some sort > of obscure but OK OSSEC anomaly! > > Cheers, > -- > ChrisP (slightly panicky) > > > -----Original Message----- > From: OSSEC HIDS > Sent: 28 July 2011 08:46 > To: Chris Phillips > Subject: OSSEC Notification (myserver) - Alert level 7 > > OSSEC HIDS Notification. > 2011 Jul 28 08:46:23 > > Received From: (myserver) >syscheck > Rule: 550 fired (level 7) -> "Integrity checksum changed." > Portion of the log(s): > > Integrity checksum changed for: '/sbin/debugfs' > Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb' > New md5sum is : 'c4c01019d7806734e857996adc63cf17' > Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728' > New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5' > > --END OF NOTIFICATION >
