Integrity Checksum changing on some files

#1 Sat, 12/18/2010 - 00:14
acmishra

Hi,

I have recently installed a host-based intrusion detection system (HIDS) which also runs integrity checks on files. It uses MD5/SHA1 for the checksum. I have started receiving alerts from the HIDS about changes in the integrity checksum of some files like:

'/webmin/virtual-server/history/quotaused'
'/webmin/virtual-server/history/mailcount'
'/webmin/virtual-server/history/rx'
'/webmin/virtual-server/history/bin'
'/webmin/virtual-server/domains/128......50'
'/webmin/virtual-server/domains/2345......50'

Do these files undergo regular changes? I have already looked up the HIDS mail archives and it seems that the system fires a lot of false positives due to 'prelinking'.

Anyway, my main query is the possibility that these files change regularly and hence trigger alerts? The other possibility is that my box is owned, and that is the tougher-to-accept part. :p

I am using Webmin version 1.510, and also Virtualmin GPL 3.79.

Sat, 12/18/2010 - 08:19
andreychek

Yup! I suspect any of the files in that "history" directory are changed regularly... probably from the collectinfo.pl script that runs a few times an hour (which handles statistics collection).

Files in the "domains" directory would change anytime any feature or setting related to a domain is changed.

I wouldn't personally be too concerned about changes to the above files; generally attackers mess with more interesting components of the system :-)

-Eric
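
An added example, not part of the original posts and not code from Webmin, Virtualmin or the HIDS: a small integrity-check triage that compares two checksum snapshots and separates changes under the frequently updated `history` and `domains` directories named in the thread from changes anywhere else. The path patterns, function names and the use of SHA-256 (instead of the HIDS's MD5/SHA1) are assumptions made for the illustration.

```python
import fnmatch
import hashlib
import os

# Assumption: volatile locations taken from the thread (statistics history and
# per-domain settings). Adjust to where the Webmin config tree actually lives.
VOLATILE_PATTERNS = [
    "*/webmin/virtual-server/history/*",
    "*/webmin/virtual-server/domains/*",
]


def snapshot(root):
    """Return {path: SHA-256 hex digest} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path] = h.hexdigest()
    return digests


def is_volatile(path):
    """True if the path lies in a directory expected to change routinely."""
    norm = path.replace(os.sep, "/")
    return any(fnmatch.fnmatch(norm, pat) for pat in VOLATILE_PATTERNS)


def triage(before, after):
    """Compare snapshots; return (expected, investigate) lists of (path, kind)."""
    expected, investigate = [], []
    for path in sorted(set(before) | set(after)):
        if before.get(path) == after.get(path):
            continue  # unchanged
        if path not in before:
            kind = "added"
        elif path not in after:
            kind = "removed"
        else:
            kind = "modified"
        (expected if is_volatile(path) else investigate).append((path, kind))
    return expected, investigate
```

Changes under the volatile paths are returned in their own list rather than dropped, so they stay available for review while the second list carries the alerts that warrant a closer look.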
