I put system taurus.webinsite.com on the internet about a week ago running CentOS 5.3 with SELinux. After a few days, I installed rsec. I have been evaluating logs for four days and the following message concerned me. Does this indicate a serious threat to the integrity of my new system? If so, what are the next steps I need to take? I'm not a newbie and have several years of Unix experience with AIX, Sun, and older versions of Red Hat Linux. I'm no security expert and am learning security on the fly. I think I have a pretty good set of rules in my iptables file, but I don't know how to interpret the importance of the sha1 checksum. Any help would be welcome. Thanks.
---------- Forwarded message ----------
Date: Mon, 31 Aug 2009 04:14:53 -0500
From: root <root@localhost.localdomain>
To: root@localhost.localdomain
Subject: [rsec] *** Diff Check on taurus, Mon Aug 31 04:14:53 CDT 2009 ***
Security Warning: the sha1 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/Xorg
- Checksum changed file : /usr/lib/squid/ncsa_auth
- Checksum changed file : /usr/lib/squid/pam_auth
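What the quoted [rsec] warning is doing is comparing a stored SHA-1 of every setuid file against a fresh one, so the first thing to understand is that a "checksum changed" line says only that the file's bytes differ from the baseline, not why. The following script is an added example of that kind of check, written for this reply; it is not rsec's own code and does not reproduce rsec's baseline format. All paths in the demo are constructed under a temporary directory, so it can be run anywhere without touching the real /usr/bin.

```shell
#!/bin/sh
# Added example (not rsec's code): record SHA-1 checksums of setuid files
# and report what changed between two runs. Paths containing whitespace are
# not handled, which is acceptable for system binaries under /usr.

# suid_baseline DIR OUTFILE
# Write "sha1  path" lines, sorted by path, for every setuid file under DIR.
suid_baseline() {
    find "$1" -type f -perm -4000 -exec sha1sum {} + 2>/dev/null \
        | sort -k 2 > "$2"
}

# suid_diff OLD NEW
# Compare two baselines and print one line per changed, new or removed file.
# Files whose checksum is unchanged produce no output.
suid_diff() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            if (!($2 in old))          print "new SUID file      : " $2
            else if (old[$2] != $1)    print "checksum changed   : " $2
            seen[$2] = 1
        }
        END {
            for (p in old) if (!(p in seen)) print "SUID file removed  : " p
        }
    ' "$1" "$2"
}

# demo
# Constructed scenario: one setuid file is baselined, then overwritten (as a
# package update or an intruder would do), and the diff flags it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original binary\n' > "$tmp/bin/tool"
    chmod 4755 "$tmp/bin/tool"                    # setuid bit, like /usr/bin/Xorg
    suid_baseline "$tmp/bin" "$tmp/suid.baseline"
    printf 'patched binary\n' > "$tmp/bin/tool"   # contents change, mode does not
    suid_baseline "$tmp/bin" "$tmp/suid.current"
    suid_diff "$tmp/suid.baseline" "$tmp/suid.current"
    rm -rf "$tmp"
}

demo
```

On the real host, the check that tells the two explanations apart is the package database: `rpm -qf /usr/bin/Xorg` names the owning package and `rpm -Vf /usr/bin/Xorg` verifies the installed file against it, with a `5` in the output meaning the digest no longer matches what the package shipped. If `rpm -V` is clean and /var/log/yum.log shows those packages being updated shortly before the 04:14 run, the warning is the expected side effect of an update and the baseline should be refreshed. If the file fails verification and no update is recorded, treat the box as compromised rather than trying to clean the binary, since an attacker who replaced a setuid binary could also have altered the rpm database and the checksum tool itself.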