LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-31-2009, 04:53 PM   #1
anelson55447
LQ Newbie
 
Registered: Feb 2006
Location: Plymouth, Minnesota, USA
Distribution: CentOS 5.3
Posts: 5

Rep: Reputation: 0
rsec sha1 checksum change


I put system taurus.webinsite.com on the internet about a week ago running CentOS 5.3 with SELinux. After a few days, I installed rsec. I have been evaluating logs for four days and the following message concerned me. Does this indicate a serious threat to the integrity of my new system? If so, what are the next steps I need to take? I'm not a newbie and have several years of Unix experience with AIX, Sun, and older versions of Red Hat Linux. I'm no security expert and am learning security on the fly. I think I have a pretty good set of rules in my iptables file, but I don't know how to interpret the sha1 checksum importance. Any help would be welcome. Thanks.

---------- Forwarded message ----------
Date: Mon, 31 Aug 2009 04:14:53 -0500
From: root <root@localhost.localdomain>
To: root@localhost.localdomain
Subject: [rsec] *** Diff Check on taurus, Mon Aug 31 04:14:53 CDT 2009 ***


Security Warning: the sha1 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/Xorg
- Checksum changed file : /usr/lib/squid/ncsa_auth
- Checksum changed file : /usr/lib/squid/pam_auth
 
Old 09-01-2009, 03:02 AM   #2
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
If the checksum changed, the file changed.
Say you were checksumming the "shadow" password file and changed a password or added a new user, the checksum would change.
The same goes for the Squid auth. I don't know what is in these files though.
The user information for squid users is in /etc/squid/passwd right? So unless those are config files you edited or executables you updated, you should be alarmed.

You didn't change them yourself?

I don't know too much about those files but if you are not sure if you changed them yourself, replace them with new files and recalculate the sha1 checksum on them.
Having the pam files change should sound the alarm I guess.

I hope this is somewhat useful. I never used Squid myself.
 
Old 09-01-2009, 01:07 PM   #3
anelson55447
LQ Newbie
 
Registered: Feb 2006
Location: Plymouth, Minnesota, USA
Distribution: CentOS 5.3
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by noden (post #2 above, quoted in full)
Tak! The three files noted in the initial message are SUID ELF binaries. I didn't change them myself. I don't have squid enabled yet. It's installed, but not configured or activated. It's possible that some of the automatic updates might have triggered the sha1 changes. The next day's report from rsec does not include any further changes nor did it find any rootkits. Who knows?
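The question the thread leaves open, whether a package update or tampering changed those SUID binaries, can be checked as follows. This is an added shell example, not rsec's code or anything posted in the thread: it repeats the baseline-and-compare step rsec performs and, on an RPM-based system, asks rpm whether the changed file still verifies against its package; the function names and the sample directory tree are this example's own (constructed, not a real system).

```shell
#!/bin/sh
# Added example, not rsec's own code: baseline the sha1 of every SUID file, re-check
# it later, and ask the RPM database whether a changed file still matches its package
# (a yum update leaves it verifying clean; an edited binary shows a "5" digest flag).

# suid_baseline ROOT OUTFILE: write "sha1  path" for every SUID file under ROOT.
suid_baseline() {
    find "$1" -xdev -type f -perm -4000 -exec sha1sum {} + 2>/dev/null \
        | sort -k2 > "$2"
}

# suid_changed ROOT BASELINE: print baseline files that no longer verify
# (modified or gone), then SUID files present now but absent from BASELINE.
suid_changed() {
    now=$(mktemp)
    suid_baseline "$1" "$now"
    sha1sum --quiet -c "$2" 2>/dev/null | sed -n 's/: FAILED.*$//p'
    awk 'NR==FNR { seen[$2] = 1; next } !($2 in seen) { print $2 }' "$2" "$now"
    rm -f "$now"
}

# explain_change PATH: where rpm exists, name the owning package, verify the
# installed file against it, and show the last yum log lines for that package.
explain_change() {
    command -v rpm >/dev/null 2>&1 || { echo "$1: no rpm here; compare with install media"; return 0; }
    name=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) || { echo "$1: not owned by any package"; return 0; }
    if rpm -Vf "$1" 2>/dev/null | grep -qF -- " $1"; then
        echo "$1: fails rpm verify for $name (not explained by a package update)"
    else
        echo "$1: matches installed package $name"
    fi
    grep -F "$name" /var/log/yum.log 2>/dev/null | tail -n 3
}

# demo_suid_check: constructed tree (not a real system) with fake SUID files; one is
# rewritten after the baseline and a new one appears. Prints the changed paths.
demo_suid_check() {
    root=$(mktemp -d); base="$root/baseline.sha1"
    mkdir -p "$root/usr/bin" "$root/usr/lib/squid"
    printf 'orig Xorg\n' > "$root/usr/bin/Xorg"; chmod 4755 "$root/usr/bin/Xorg"
    printf 'orig ncsa\n' > "$root/usr/lib/squid/ncsa_auth"; chmod 4755 "$root/usr/lib/squid/ncsa_auth"
    suid_baseline "$root/usr" "$base"
    printf 'patched\n' > "$root/usr/bin/Xorg"    # content changed, hash changes
    printf 'new\n' > "$root/usr/lib/squid/pam_auth"; chmod 4755 "$root/usr/lib/squid/pam_auth"
    suid_changed "$root/usr" "$base" | sed "s|^$root||"
    rm -rf "$root"
}

demo_suid_check
```

On the real box, run explain_change /usr/bin/Xorg (and the two squid helpers) as root: a clean rpm verify together with a matching entry in /var/log/yum.log explains the alert, anything else calls for restoring the file from trusted media and re-baselining.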