Many Thanks Daniel, That is just what I needed to hear/read!
I can see that we do have prelinking turned ON, but not sure it's a "choice" rather than an OS default, so we may end up switching it OFF as I doubt we see any benefits from it.

Cheers,
--
ChrisP

Chris Phillips
Service Designer, intY Ltd.
+44 (0)1454 640 532

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid
Sent: 03 August 2011 13:57
To: [email protected]
Subject: Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

Probably because of prelinking... More details here:

http://www.ossec.net/wiki/Know_How:Check_Sums

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Aug 3, 2011 at 9:11 AM, Chris Phillips <[email protected]> wrote:
> Hi All,
>
> Recently, I received about 400+ "Alert Level 7" notifications, for a single
> server, all related to "Integrity checksum changed" events.
>
> I am really worried about this, but I can see no reason why it has happened.
>
> The situation has not re-occurred and has not happened on any of the other
> servers we have OSSEC installed on.
>
> Can anyone please explain what could cause this? I am hoping it's some sort
> of obscure but OK OSSEC anomaly!
>
> Cheers,
> --
> ChrisP (slightly panicky)
>
>
> -----Original Message-----
> From: OSSEC HIDS
> Sent: 28 July 2011 08:46
> To: Chris Phillips
> Subject: OSSEC Notification (myserver) - Alert level 7
>
> OSSEC HIDS Notification.
> 2011 Jul 28 08:46:23
>
> Received From: (myserver) >syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/sbin/debugfs'
> Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
> New md5sum is : 'c4c01019d7806734e857996adc63cf17'
> Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
> New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
>
> --END OF NOTIFICATION
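
A triage helper for a batch of alerts like the one described in this thread, added here as an example (it is not part of the original messages or of OSSEC): it parses rule 550 notification text in the format quoted above and separates ELF files, which prelinking can rewrite, from everything else. The function names and the second sample entry with its hashes are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample: the first entry is the alert quoted in the thread, the
# second (path and hashes) is made up to show a change to a non-ELF file.
SAMPLE = """\
> Integrity checksum changed for: '/sbin/debugfs'
> Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
> New md5sum is : 'c4c01019d7806734e857996adc63cf17'
> Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
> New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
Integrity checksum changed for: '/etc/example.conf'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
Old sha1sum was: '0123456789abcdef0123456789abcdef01234567'
New sha1sum is : 'fedcba9876543210fedcba9876543210fedcba98'
"""

Change = namedtuple("Change", "path old_md5 new_md5 old_sha1 new_sha1")

ALERT_RE = re.compile(
    r"Integrity checksum changed for: '(?P<path>[^']+)'\s+"
    r"Old md5sum was: '(?P<old_md5>[0-9a-f]{32})'\s+"
    r"New md5sum is : '(?P<new_md5>[0-9a-f]{32})'\s+"
    r"Old sha1sum was: '(?P<old_sha1>[0-9a-f]{40})'\s+"
    r"New sha1sum is : '(?P<new_sha1>[0-9a-f]{40})'")

def parse_alerts(text):
    """Extract every syscheck change from notification text, quoted or not."""
    unquoted = re.sub(r"^[> \t]+", "", text, flags=re.M)  # drop '>' reply marks
    return [Change(**m.groupdict()) for m in ALERT_RE.finditer(unquoted)]

def is_elf(path):
    """True/False by ELF magic bytes; None if the file cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return None

def triage(changes, elf_check=is_elf):
    """Return (prelink_plausible, needs_review) lists of paths."""
    # prelink rewrites ELF executables and shared libraries only, so a change
    # to any other file, or to one that cannot be read, needs another cause.
    plausible, review = [], []
    for c in changes:
        (plausible if elf_check(c.path) is True else review).append(c.path)
    return plausible, review
```

An ELF result only means prelinking is a plausible cause of the checksum change; it does not confirm that the change is benign.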
