Re: MD5 checksum changed

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 08/18/04


Date: 17 Aug 2004 23:40:42 GMT

spam@softluck.plus.com (Jonathan L Cunningham) writes:

]I've got a box running Mandrake 9. It e-mailed me a warning
]yesterday that a file had changed (this is from Mandrake's
]msec security check).

]Anyway, yesterday msec e-mailed me to say:
] Security Warning: These files belonging to packages have changed of
]status
]on the system :
]- Newly modified : /usr/lib/postfix/pickup

]I couldn't get to the machine until today, but today I did
] $ rpm -V postfix
]and, if I'm interpreting what it says correctly, the file
]size hasn't changed, but the MD5 checksum has changed.

That means the contents have changed. Did you recently install a new
version of postfix?

]I can't find any *other* evidence of possible intrusion,
]there is nothing strange in any of the logs (lots of the
]usual probes, lots of spam being rejected normally etc.)

]That doesn't mean there isn't any, but how likely is it
]that the file has got corrupt? The machine doesn't have
]a high real workload, but the disc is kept busy logging
]all that spam being rejected and it's been running
]continuously for some months now (the machine is about
]four years old, but has only been pressed into service
]as the mail/web server for a few months).

]If it was cracked, and they hid their traces so well,
]how come they missed just the one file? And why *that*
]file? There's security, and there's paranoia.

]What I'd like to do is simply replace that single file
]from the original postfix rpm package, to see if it
]changes again, but can't see how in the rpm man pages
](I'd have expected it to be easy, but haven't used rpm
]for anything complex).

Replace the package with the
--force
option.

]What do you all think? Wipe the disc, and reinstall
]everything? Upgrade to the latest version of postfix?

rpm -Va|grep '^..5'>/tmp/verify
to see if there is something else suspicious.

]Oh, and it's probably time to think about a new version
]of Linux anyway. I chose Mandrake because I got it
]as cover discs from a Linux mag, and I knew that it
]would either be very easy to install or impossible
]because I've tried Mandrake 7 and 8 in the past, but
]for this particular use, it may be overkill. Suggestions
]for a minimalist small-server Linux welcome. It doesn't
]particularly need an X Server or a Desktop, but free
]would be nice, and easy to set up essential :-).

]Sorry this is so long.

]Jonathan

]--
] Use jlc1 at address, not spam.
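The `rpm -Va | grep '^..5'` check suggested above, as an added example (not from the poster or from Mandrake's msec): a small POSIX shell script run over constructed sample `rpm -V` output, isolating entries whose MD5 column reads `5` and separating config files (marked `c`, which legitimately differ after local editing) from package binaries such as the postfix pickup daemon.

```shell
#!/bin/sh
# Each rpm -V line starts with an 8-column attribute string:
#   S size  M mode  5 MD5 digest  D device  L symlink  U user  G group  T mtime
# A '.' means the attribute matches the package database; a letter means it differs.
# An optional one-letter marker follows ('c' = config file), then the path.

# Constructed sample of rpm -Va output (not real output from any machine).
SAMPLE_VERIFY='S.5....T   /usr/lib/postfix/pickup
.......T   /etc/hosts
..5....T c /etc/postfix/main.cf
missing    /usr/share/doc/foo/README
.M......   /usr/bin/something'

# Lines whose third column (MD5 digest) differs; same filter as: rpm -Va | grep '^..5'
md5_changed() {
    printf '%s\n' "$1" | grep '^..5'
}

# Number of MD5-changed entries, handy for a quick "is it just one file?" check.
count_md5_changed() {
    printf '%s\n' "$1" | grep -c '^..5'
}

# Paths of MD5-changed files that are NOT config files: these are the ones that
# should never change in place and deserve a reinstall (rpm -Uvh --force <pkg>.rpm)
# or a closer look.
md5_changed_noncfg() {
    printf '%s\n' "$1" | awk '$1 ~ /^..5/ && $2 != "c" { print $NF }'
}

# Stand-alone usage: report on the sample above.
echo "MD5-changed entries: $(count_md5_changed "$SAMPLE_VERIFY")"
md5_changed "$SAMPLE_VERIFY"
echo "Non-config files with a changed digest:"
md5_changed_noncfg "$SAMPLE_VERIFY"
```

Run it against live output with `rpm -Va > /tmp/verify` and pass the file contents in place of the sample string.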
