It's CentOS5 and it definitely didn't update on its own (quite closely controlled and only has access to our in-house repos).
There was an identical host (on another hostname/IP of course) created at the same time as the one, which did not throw the same alerts. I can't see anything dodgy going on on the system, so I'll continue to monitor closely...

--
ChrisP

Chris Phillips
Service Designer, intY Ltd.
+44 (0)1454 640 532

From: [email protected] [mailto:[email protected]] On Behalf Of Frank Stefan Sundberg Solli
Sent: 03 August 2011 13:51
To: [email protected]
Subject: Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

Hi.

This amount of Checksum Changes has never happened to me, on any of my CPanel or Debian/Ubuntu/FreeBSD-servers.
What kind of distribution do you run? Maybe you/the system auto updated itself to a new version.

On Wed, Aug 3, 2011 at 2:11 PM, Chris Phillips <[email protected]> wrote:

Hi All,

Recently, I received about 400+ "Alert Level 7" notifications, for a single server, all related to "Integrity checksum changed" events.

I am really worried about this, but I can see no reason why it has happened. The situation has not re-occurred and has not happened on any of the other servers we have OSSEC installed on.

Can anyone please explain what could cause this? I am hoping it's some sort of obscure but OK OSSEC anomaly!

Cheers,

--
ChrisP (slightly panicky)

-----Original Message-----
From: OSSEC HIDS
Sent: 28 July 2011 08:46
To: Chris Phillips
Subject: OSSEC Notification (myserver) - Alert level 7

OSSEC HIDS Notification.
2011 Jul 28 08:46:23

Received From: (myserver) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/sbin/debugfs'
Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
New md5sum is : 'c4c01019d7806734e857996adc63cf17'
Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'

--END OF NOTIFICATION

--
MVH/With regards
Frank

--
Name: Frank Stefan Sundberg Solli
E-mail: [email protected]
GPG: 684119F4

Scanned by MailDefender - managed email security from intY - www.maildefender.net
