I just got a network alert that I've never seen before, on one of the few Ubuntu boxes that we have:
The following monitoring trigger has been fired:
/vmlinuz has been changed on server XXXXX: PROBLEM
2012.09.19 06:24:33
Trigger key: vfs.file.cksum[/vmlinuz]
Value: 3397367448
Host: XXXXX
The checksum of vmlinuz changed. I see from Wikipedia that this has something to do with the kernel.
Should I care that its checksum has changed? This particular server does run WordPress, which is known for vulnerabilities in its third-party plugins, so I tend to take alerts from it pretty seriously.
I'm making the conclusion that this server has been compromised. Better safe than sorry, as /var/log/apache2/access.log is 0 bytes, and there should be a bit (not much, but a bit) of data in there, and it clearly looks like something (a bot most likely) covering their tracks. Time to pull out last night's backup :)