Re: MD5 checksum changed
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 17 Aug 2004 23:40:42 GMT
email@example.com (Jonathan L Cunningham) writes:
]I've got a box running Mandrake 9. It e-mailed me a warning
]yesterday that a file had changed (this is from Mandrake's
]msec security check).
]Anyway, yesterday msec e-mailed me to say:
] Security Warning: These files belonging to packages have changed of
]on the system :
]- Newly modified : /usr/lib/postfix/pickup
]I couldn't get to the machine until today, but today I did
] $ rpm -V postfix
]and, if I'm interpreting what it says correctly, the file
]size hasn't changed, but the MD5 checksum has changed.
That means the contents have changed. Did you recently install a new
version of postfix?
]I can't find any *other* evidence of possible intrusion,
]there is nothing strange in any of the logs (lots of the
]usual probes, lots of spam being rejected normally etc.)
]That doesn't mean there isn't any, but how likely is it
]that the file has got corrupt? The machine doesn't have
]a high real workload, but the disc is kept busy logging
]all that spam being rejected and it's been running
]continuously for some months now (the machine is about
]four years old, but has only been pressed into service
]as the mail/web server for a few months).
]If it was cracked, and they hid their traces so well,
]how come they missed just the one file? And why *that*
]file? There's security, and there's paranoia.
]What I'd like to do is simply replace that single file
]from the original postfix rpm package, to see if it
]changes again, but can't see how in the rpm man pages
](I'd have expected it to be easy, but haven't used rpm
]for anything complex).
Replace the package with the
]What do you all think? Wipe the disc, and reinstall
]everything? Upgrade to the latest version of postfix?
rpm -Va|grep '^..5'>/tmp/verify
to see if there is something else suspicious.
]Oh, and it's probably time to think about a new version
]of Linux anyway. I chose Mandrake because I got it
]as cover discs from a Linux mag, and I knew that it
]would either be very easy to install or impossible
]because I've tried Mandrake 7 and 8 in the past, but
]for this particular use, it may be overkill. Suggestions
]for a minimalist small-server Linux welcome. It doesn't
]particularly need an X Server or a Desktop, but free
]would be nice, and easy to set up essential :-).
]Sorry this is so long.
] Use jlc1 at address, not spam.
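Bill's `rpm -Va|grep '^..5'` check, expanded as an added example that is not part of the original thread: a POSIX shell function that parses `rpm -Va` output and lists files whose MD5 digest differs from the package database, skipping files rpm marks as config (`c`), since local edits there are expected while a changed binary such as /usr/lib/postfix/pickup is not. The sample `rpm -Va` output below is constructed for the demo, not captured from a real host.

```sh
#!/bin/sh
# rpm -V prints one line per file that differs from the package database:
# an attribute string (S=size M=mode 5=MD5 D=device L=link U=user G=group
# T=mtime, "." = unchanged, "missing" if the file is gone), then an optional
# type letter (c=config d=doc g=ghost l=license r=readme), then the path.
# The third attribute column is the MD5 digest, hence grep '^..5'.

# Constructed sample of `rpm -Va` output (assumption: not from a real box).
SAMPLE_RPM_VA='S.5....T   /usr/lib/postfix/pickup
S.5....T c /etc/postfix/main.cf
.M.....    /usr/sbin/postfix
.......T   /usr/bin/foo
missing    /usr/lib/postfix/verify'

# Print the paths whose MD5 digest changed, excluding config files.
# Takes the rpm -Va text as its single argument (or reads it from stdin
# when called with no argument, e.g. rpm -Va | md5_changed_binaries).
md5_changed_binaries() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1"
    else
        cat
    fi | awk '
        $1 != "missing" && substr($1, 3, 1) == "5" {
            # With three fields, field 2 is the type letter; config files
            # are expected to change, everything else is worth a look.
            if (NF == 3 && $2 == "c") next
            print $NF
        }'
}

# Print the files rpm reports as missing, which a verify run also reveals.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

md5_changed_binaries "$SAMPLE_RPM_VA"
missing_files "$SAMPLE_RPM_VA"
```

Once a changed file is identified, reinstalling the package from the original .rpm with `rpm -Uvh --replacepkgs` (or extracting just that file with `rpm2cpio pkg.rpm | cpio -idm ./usr/lib/postfix/pickup`) restores the packaged copy, after which `rpm -V` should report it clean.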