Dear Dan,
I had 2 machines with yum update run around the same time. 
Both the MySQLs got updated. Below for machine 1 are some of the alerts; 
the alerts got into my email immediately when the update happened. But 
there were some later, around 2014 Feb 14 18:31:02. Further down I have 
added the machine 2 email alerts. Why don't I receive immediate alerts 
as for machine 1? All the alerts are like the next morning.

MACHINE 1

OSSEC HIDS Notification.
2014 Feb 14 12:26:37

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:37 localhost yum[19925]: Updated: 
nss-sysinit-3.15.3-6.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:37

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:37 localhost yum[19925]: Updated: nss-3.15.3-6.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:39

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:38 localhost yum[19925]: Updated: 
mysql-libs-5.1.73-3.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:39

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:39 localhost yum[19925]: Updated: mysql-5.1.73-3.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:43

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:41 localhost yum[19925]: Updated: 
kernel-firmware-2.6.32-431.5.1.el6.noarch



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:49

Received From: localhost->/var/log/messages
Rule: 2932 fired (level 7) -> "New Yum package installed."
Portion of the log(s):

Feb 14 12:26:48 localhost yum[19925]: Installed: 
kernel-2.6.32-431.5.1.el6.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:49

Received From: localhost->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data 
deleted



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:51

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:50 localhost yum[19925]: Updated: 
mysql-server-5.1.73-3.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:51

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:51 localhost yum[19925]: Updated: 
nss-tools-3.15.3-6.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:51

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:51 localhost yum[19925]: Updated: wget-1.12-1.11.el6_5.x86_64



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 12:26:53

Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):

Feb 14 12:26:52 localhost yum[19925]: Updated: 
kernel-headers-2.6.32-431.5.1.el6.x86_64




OSSEC HIDS Notification.
2014 Feb 14 18:31:02

Received From: localhost->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: '/usr/libexec/mysqld'
Size changed from '7587056' to '7589360'
Old md5sum was: '34090928febd2bd008e10b2b289163a3'
New md5sum is : '9a9e9695ed83be1705ccf2b9d80aee3f'
Old sha1sum was: 'edc449d18156169597e1f9c32981491c62c12d1f'
New sha1sum is : '49c9b2d0c6f64c3e8725ff874dcead55fae7570c'



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2014 Feb 14 18:31:03

Received From: localhost->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: '/usr/libexec/mysqlmanager'
Size changed from '1568952' to '1569016'
Old md5sum was: '5f59e7dbc854b10cab8aa37b0ba0304f'
New md5sum is : '01ab01d908c175046a0235f586d88cd8'
Old sha1sum was: '6022e2316d5c39aeaaa417417803eb7caf05cb90'
New sha1sum is : 'd3ea987ca6e153d1c0e373817f570592b1c41b5e'



 --END OF NOTIFICATION



MACHINE 2


OSSEC HIDS Notification.
2014 Feb 15 03:51:54

Received From: envotechpro->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rc.d/rc0.d/K36mysqld'


OSSEC HIDS Notification.
2014 Feb 15 03:51:30

Received From: envotechpro->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rc.d/rc5.d/S64mysqld'
Old md5sum was: 'dbafcc483699bf9755855793ab29395a'
New md5sum is : 'c809b007467029392ff7362b3535c5f4'
Old sha1sum was: '115caa694ec142e9ba64aac43f86dd0ef1f70162'
New sha1sum is : '475ef4bad5c5b1ba732c329f2ba79b0e36b06254'


OSSEC HIDS Notification.
2014 Feb 15 03:52:18

Received From: envotechpro->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rc.d/rc2.d/S64mysqld'


OSSEC HIDS Notification.
2014 Feb 15 03:52:38

Received From: envotechpro->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rc.d/rc1.d/K36mysqld'


OSSEC HIDS Notification.
2014 Feb 15 03:54:10

Received From: envotechpro->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rc.d/init.d/mysqld'
Size changed from '6752' to '7026'


Regards,
Frwa.
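An added example in Python, not code from the thread or from OSSEC: it parses the notification format quoted above and, per host, reports how long after the last yum alert each syscheck alert arrived, and collects the rule 1002 lines Dan says need investigating. The sample alerts are constructed from the ones in the thread, and the correlation is an assumed reading aid, not an OSSEC feature.

```python
import re
from datetime import datetime
# Constructed sample in the notification format quoted in the thread (abridged).
SAMPLE = """OSSEC HIDS Notification.
2014 Feb 14 12:26:51
Received From: localhost->/var/log/messages
Rule: 2933 fired (level 7) -> "Yum package updated."
Portion of the log(s):
Feb 14 12:26:50 localhost yum[19925]: Updated: mysql-server-5.1.73-3.el6_5.x86_64
 --END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Feb 14 12:26:49
Received From: localhost->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data deleted
 --END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Feb 14 18:31:02
Received From: localhost->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):
Integrity checksum changed for: '/usr/libexec/mysqld'
 --END OF NOTIFICATION
"""

BLOCK = re.compile(  # one notification; body ends at the END marker, next header, or EOF
    r'OSSEC HIDS Notification\.\s*(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d)\s*'
    r'Received From: (?P<host>.+?)->(?P<src>\S+)\s*Rule: (?P<rule>\d+) fired '
    r'\(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"\s*Portion of the log\(s\):\s*'
    r'(?P<body>.*?)\s*(?:--END OF NOTIFICATION|(?=OSSEC HIDS Notification\.)|\Z)', re.S)

def parse_alerts(text):  # the timestamp is when OSSEC raised the alert
    return [dict(m.groupdict(), rule=int(m["rule"]), level=int(m["level"]),
                 ts=datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")) for m in BLOCK.finditer(text)]

def correlate(alerts):
    """Per host: yum-to-syscheck delay (seconds) per file, plus rule 1002 lines to review."""
    out = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        rep = out.setdefault(a["host"], {"yum": None, "delay": {}, "review": []})
        if a["rule"] in (2932, 2933):      # yum "Installed:" / "Updated:" alerts
            rep["yum"] = a["ts"]
        elif a["src"] == "syscheck":       # delay is None if no yum alert precedes it
            path = re.search(r"changed for: '([^']+)'", a["body"]).group(1)
            rep["delay"][path] = rep["yum"] and (a["ts"] - rep["yum"]).total_seconds()
        elif a["rule"] == 1002:
            rep["review"].append(a["body"].splitlines()[0])
    return out
```

Run against the full email text, the `delay` values show whether the syscheck alerts trail the package updates by a scan interval or arrive within seconds.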



On Friday, February 14, 2014 6:51:41 PM UTC+8, dan (ddpbsd) wrote:
>
>
> On Feb 14, 2014 5:47 AM, "frwa onto" <[email protected]> 
> wrote:
> >
> > Dear Dan,
> >               I wish I could explore further, but looking at the message it is 
> garbled, nothing I can understand how to research further. I got another 
> message as below. I don't get this well: "localhost useradd[20076]: failed 
> adding user 'mysql', data deleted"? Is this another false positive?
> >
>
> The original message was a keepalive, internal to OSSEC. Every once in a 
> while they slip through. 
> No idea about the useradd message, that looks like something you would 
> need to investigate. Was the mysql package being installed by a legitimate 
> admin? If yes, then the message probably isn't too important. If not, why 
> was it being installed?
> It seems like a fairly straightforward investigation at this point.
>
> > OSSEC HIDS Notification.
> > 2014 Feb 14 12:26:49
> >
> > Received From: localhost->/var/log/messages
> > Rule: 2932 fired (level 7) -> "New Yum package installed."
> > Portion of the log(s):
> >
> > Feb 14 12:26:48 localhost yum[19925]: Installed: 
> kernel-2.6.32-431.5.1.el6.x86_64
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2014 Feb 14 12:26:49
> >
> > Received From: localhost->/var/log/secure
> >
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', 
> data deleted
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2014 Feb 14 12:26:51
> >
> > Received From: localhost->/var/log/messages
> > Rule: 2933 fired (level 7) -> "Yum package updated."
> > Portion of the log(s):
> >
> > Feb 14 12:26:50 localhost yum[19925]: Updated: 
> mysql-server-5.1.73-3.el6_5.x86_64
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> > Regards,
> > Frwa.
> >
> > On Friday, February 14, 2014 12:20:36 PM UTC+8, dan (ddpbsd) wrote:
> >>
> >>
> >> On Feb 13, 2014 11:19 PM, "frwa onto" <[email protected]> wrote:
> >> >
> >> > Hi All,
> >> >         I received this. How do I debug this?
> >> >
> >> > OSSEC HIDS Notification.
> >> > 2014 Feb 12 03:50:01
> >> >
> >> > Received From: localhost->ossec-keepalive
> >> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the 
> system."
> >> > Portion of the log(s):
> >> >
> >> > --MARK--: 
> ZO.YkF9zgXH6)n0F!tM.n,(F/?U0m4[@0=(!wdd*1'?,Uh^#B9r,odBmc+v3bpI1U8Gz#=Y+yfzAnXg,Ax;,^7jzeE,fb)odVc&^[Im6,MbjdVT*B'%k0==49_9spF9sIUQ&K2QGi?.ZVQLE
> >> >
> >>
> >> It's a false positive, and a thorn in our side. Ignore it. Do a search 
> if you need more info.
> >>
> >> > -- 
> >> >  
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an email to [email protected].
> >>
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >
>  
