Eureka Ikara

Asked: 2010-11-19 17:07:28 +0800 CST2010-11-19 17:07:28 +0800 CST 2010-11-19 17:07:28 +0800 CST

OSSEC integrity checksum alert - what caused the change?

Recently installed OSSEC on Linux machine to test.

Most results are expected, however yesterday I received emails with a number of notifications about Integrity checksum changing on files such as /usr/bin/whoami /usr/bin/md5sum /usr/bin/ls and about another 50 similar files

Since I didn't install any new versions of these files, how do I find out what caused the integrity checksum to change 2 days after I installed the OSSEC program?

Eureka

1 Answers

Voted

Best Answer

Rob Olmos
2010-11-19T18:26:24+08:002010-11-19T18:26:24+08:00
Two reasons are:

You've actually been hacked

Prelinking is enabled

You can disable prelinking by editing /etc/sysconfig/prelink from:

PRELINKING=yes

to:

PRELINKING=no

And running:

prelink -ua

Source: http://www.ossec.net/wiki/Know_How:Check_Sums
6

OSSEC integrity checksum alert - what caused the change?

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?