
I installed OSSEC to verify whether files have changed or not. But sometimes it is giving me false warnings and integrity checksums like the following files have changed.

How can I make sure that the files were changed by the system and not by a virus itself? It is very confusing. It may be the case that a file was actually changed by a virus and I just ignored it.

I get the following from the OSSEC logs:

Integrity checksum changed for: '/etc/passwd,v'
Integrity checksum changed for: '/etc/userdomains'

Integrity checksum changed for: '/etc/shadow.cache'
Integrity checksum changed for: '/etc/domainusers'
Integrity checksum changed for: '/etc/userplans,v
Integrity checksum changed for: '/etc/trueuserdomains'
Integrity checksum changed for: '/etc/proftpd/passwd.vhosts.cache
radius

2 Answers

Compare the file(s) against a known good backup. See what changed; if something was changed that you don't recognize as being related to something you did, then you may have cause for alarm.

Zoredache
  • But I see it every day. Looks like these files are changed by the system on a daily basis and I am getting the report every day – Oct 08 '10 at 07:11
  • The checksums are not recalculated automatically. You have to tell OSSEC to calculate them again. Once a file changes, it will keep alerting you every day until you re-calculate the checksums and overwrite the checksums file. – Ladadadada Nov 02 '10 at 13:51
Welcome to the wonderful world of Linux/Posix/Unix, where there are only a couple of viruses, which were created as POCs. In practice there are no Linux viruses in the wild. That's not to say that these systems cannot be attacked by other means - but computer viruses are really only a problem for MS-Windows users (and on the pre-Unix Macs).

All the files you have listed above contain information about the user accounts configured on your system. If you've added any users (or in some cases, changed a password) then these files would be amended.

Host-based integrity checking IDSs can't tell what the files do, nor who modified them - that's why they tell you what has changed rather than just telling you it's broken. As above, if you want to know how files have changed, then you need to know what the files do.

I would suggest that if you are not very familiar with the workings of the system you stop scanning config and data files and restrict your signature checking to executables and libs. But do use a rootkit checking tool regularly too.

symcbean
  • So basically you mean that for rootkits or exploits or trojans, I need to check only executable files or libraries. Can you give me some example of which directories to scan, or how I can configure OSSEC to do the integrity check, or is there no need for an integrity check and I can just use chkrootkit? – Oct 08 '10 at 13:12
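The three pieces of advice on this page (compare the changed file against a known-good backup, expect the alert to repeat until the checksums are recalculated, and restrict the check to executables and libraries rather than /etc data files) can all be seen in one small script. This is an added example, not code from the question, the answers or the OSSEC project; it is a toy baseline in POSIX sh, not OSSEC's syscheck, and it assumes only `sha256sum`, `find`, `sort`, `diff` and `mktemp`. The sandbox directory and its files are constructed inside the script.

```shell
#!/bin/sh
# Added example, not code from the question, the answers or OSSEC itself.
# A tiny integrity baseline that shows:
#  1. a changed checksum is reported on every run until the baseline is rebuilt;
#  2. diffing the live file against a known-good backup shows what changed;
#  3. which directories are covered is just the list you pass in, so limiting
#     the check to executables/libraries means passing usr/bin instead of etc.
# Assumed tools: sha256sum, find, sort, diff, mktemp (standard on Linux).

# hashfile FILE: SHA-256 hex digest of one file.
hashfile() { sha256sum "$1" | cut -d' ' -f1; }

# build_baseline ROOT MANIFEST DIR...: write "hash relative/path" for every
# regular file under ROOT/DIR into MANIFEST, overwriting any previous baseline.
build_baseline() {
  bl_root=$1; bl_manifest=$2; shift 2
  : > "$bl_manifest"
  for bl_dir in "$@"; do
    find "$bl_root/$bl_dir" -type f | sort | while read -r bl_file; do
      printf '%s %s\n' "$(hashfile "$bl_file")" "${bl_file#"$bl_root/"}"
    done >> "$bl_manifest"
  done
}

# check_baseline ROOT MANIFEST: print "changed PATH" or "missing PATH" for each
# manifest entry that no longer matches. The manifest is never rewritten here,
# which is exactly why the same alert repeats on every run until you rebaseline.
check_baseline() {
  cb_root=$1; cb_manifest=$2
  while read -r cb_hash cb_path; do
    cb_file="$cb_root/$cb_path"
    if [ ! -f "$cb_file" ]; then
      printf 'missing %s\n' "$cb_path"
    elif [ "$(hashfile "$cb_file")" != "$cb_hash" ]; then
      printf 'changed %s\n' "$cb_path"
    fi
  done < "$cb_manifest"
}

# explain_change GOOD LIVE: unified diff of the live file against the known-good
# backup copy. diff exits 1 when the files differ, which is not an error here.
explain_change() { diff -u "$1" "$2" || [ $? -eq 1 ]; }

# demo: a constructed sandbox that replays the situation in the question.
demo() {
  sb=$(mktemp -d)
  mkdir -p "$sb/etc" "$sb/usr/bin" "$sb/backup"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$sb/etc/passwd"
  printf '#!/bin/sh\necho hello\n' > "$sb/usr/bin/hello"
  cp "$sb/etc/passwd" "$sb/backup/passwd"      # known-good copy, kept aside
  build_baseline "$sb" "$sb/manifest" etc usr/bin

  # An ordinary administrative action: a user account is added.
  printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' >> "$sb/etc/passwd"

  echo '## run 1:';  check_baseline "$sb" "$sb/manifest"
  echo '## run 2 (nothing rebuilt, so the alert repeats):'
  check_baseline "$sb" "$sb/manifest"
  echo '## what actually changed, against the backup:'
  explain_change "$sb/backup/passwd" "$sb/etc/passwd"

  # Once the change is understood and accepted, rebuild the baseline. Passing
  # only usr/bin is the second answer's suggestion: stop watching /etc data.
  build_baseline "$sb" "$sb/manifest" usr/bin
  echo '## run 3 after rebaseline (empty = quiet):'
  check_baseline "$sb" "$sb/manifest"
  rm -rf "$sb"
}

demo
```

Run it with `sh script.sh`: runs 1 and 2 both report `changed etc/passwd`, the diff shows the added `alice` line as the only difference, and run 3 is silent because the manifest was rebuilt over `usr/bin` alone. The same logic applies to any baseline tool: the alert is only as informative as the known-good copy you can diff against, and it stops only when you deliberately accept the new state.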