Hello,

I got 4 mails from logwatch couple of minutes ago they contain 4 pages of this

Received From: ns1->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/usr/bin/bmp2tiff'
Old md5sum was: '02ae38e1c90ac4cfea62616d11d33609'
New md5sum is : '6045b8cac3f2667fcc9e6f51594d5f6b'
Old sha1sum was: '07f8f7079305c2339578b101a57109df62fbc1d9'
New sha1sum is : '9194a43dfd2476e3fb8227052ca869598e9966fd'


I ran rkhunter & chrootkit and nothing came up. I was wondering if there is a yum update cron somewhere that I don't know about am I hacked. The only services running on this server is sendmail, ssh, and rtorrent. %99.999 of the ports are blocked.

Hi.

There is a yum service which runs yum on a daily basis. Try 'chkconfig --list | grep yum' to see if it's switched on (or even installed).

Dave

If new software was (legitimately) installed, your RPM database should reflect this. In the example you cite, you could check the date the package was installed by

If the instal date is quite recent, then you need to check further to see if an automatic update happened. (I would think it would be logged somewhere.) If the install date is old then it sounds like something fishy is going on.

You can also check files properties (date, md5, etc) against the RPM database by

Again, a match would simply mean you need to check further to make sure that a recent change was legitimate.

chkconfig --list | grep yum shows
I have no idea what this means.

Also rpm -qi -f /usr/bin/bmp2tiff shows that these files are modified 15 days ago(first day of server)

rpm --verify -f /usr/bin/bmp2tiff

returns nothing

chkconfig shows the yum service is enabled on run level 3. (You can check which run level you are in by typing the runlevel command. The second field is your current run level.)

The data for the files you checked are consistent with the RPM database. (No output means everything matched.) My logic may have been wrong about the install date -- that might be the original install date and not when it was last updated.

See if you have a /var/log/yum.log file. If so, see if it shows this and other packages recently updated. If so, then I don't think you have anything to worry about.

thanks for the help

/var/log/yum.log show no updates for the past 15 days

That doesn't sound good to me. Maybe I just told you the wrong place to look. Hopefully somebody with more experience will view this thread and shed some light on this.

It would be a good idea to post what distro you are using.

blackhole54 thank you very much for your help

I'm using fedora core 5

Could it have been something like a prelinking run?