For a couple of weeks we've been trying to isolate intermittent cases where
OSSEC is reporting MD5 and SHA1 checksums changing for a file, only to have
it report again in a future syscheck (sometimes 1 interval later, sometimes many)
that the checksums have changed back to the values they were before. This
is occurring for multiple file types (I've seen it on XML files, DLLs,
EXEs), and random file locations (*usually* not in a system folder). I
think I finally gathered enough data to confirm for myself that something
odd is happening within OSSEC and that there is indeed nothing changing
with these files themselves.
I reset checksums a couple of days ago to try and isolate this. Early
yesterday morning we got a notification of a checksum change on a file, and I
captured that as well as manually verifying that nothing appeared to have
changed with the file (permissions, timestamps, file size, etc.) and also
took checksums via Microsoft's FCIV tool. Late last night (several
syscheck intervals later), we got another notification of checksum changes
for the file, and the "new" checksum values are the same values as when I
reset the checksums. Again I manually inspected the file and saw no changes.
I also took checksums again via FCIV, and it did *not* show the same
checksum changes that OSSEC is showing - the checksums stayed the same in
FCIV.
This isn't happening "frequently" - across a number of hosts we might see 1
every couple of days or so, but it's frequent enough that something
definitely isn't right.
Here's the data from the syscheck file on the OSSEC server showing the
checksums changing & changing back:
#++42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f
!1454994181 C:\Windows/System32/ftp.exe
#++42496:33279:0:0:421e97cfc72a29693870accb04b12251:20622de42a9fd24d86193b63ace46400bf5efd0b
!1455110967 C:\Windows/System32/ftp.exe
!!+42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f
!1455166981 C:\Windows/System32/ftp.exe
And here's the output from FCIV showing that the checksums never changed
according to it:
AFTER FIRST CHANGE NOTIFICATION:
C:\FCIV\fciv.exe -add C:\windows\system32\ftp.exe -both
//
// File Checksum Integrity Verifier version 2.05.
//
MD5 SHA-1
-------------------------------------------------------------------------
9996103f8a650bdb3586c9aae1101912 e2e444f527dc7d20732bfec10055de916647565f
c:\windows\system32\ftp.exe
AFTER SECOND CHANGE NOTIFICATION:
C:\FCIV\fciv.exe -add C:\windows\system32\ftp.exe -both
//
// File Checksum Integrity Verifier version 2.05.
//
MD5 SHA-1
-------------------------------------------------------------------------
9996103f8a650bdb3586c9aae1101912 e2e444f527dc7d20732bfec10055de916647565f
c:\windows\system32\ftp.exe
Anyone seeing similar behavior (this seems to only affect our Windows
systems)? Any ideas?
Thanks.
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
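The check the poster is doing by hand (reading the server-side syscheck database, spotting a file whose sums go back to an earlier value, and hashing the file independently) can be scripted. The following is an added example, not code from the original post or from the OSSEC project. It assumes the entry layout visible in the post's database excerpt: a line of `<3 flag chars><size>:<perm>:<uid>:<gid>:<md5>:<sha1>` followed by `!<epoch> <path>`, either wrapped onto two lines as in the post or on one line separated by ` !`; the meaning of the flag characters (including the leading `#`) is not interpreted. The sample database embeds the three `ftp.exe` entries from the post plus one constructed entry for a file that changed once and did not revert.

```python
"""Added example (not from the original post or from OSSEC): parse the server-side
syscheck database excerpt shown above, flag files whose checksums revert to an
earlier stored value, and compare stored sums with an independent local hash."""
import hashlib
import re
from collections import defaultdict

# Assumed entry format, taken from the lines in the post:
#   <3 flag chars><size>:<perm>:<uid>:<gid>:<md5>:<sha1>   then   !<epoch> <path>
# either on one line joined by " !" or wrapped onto two lines as in the post.
# The flag characters are kept but not interpreted.
SUM_RE = re.compile(
    r'^([#!+]{3})(\d+):(\d+):(\d+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{40})'
    r'(?: !(\d+) (.+))?$')
TS_RE = re.compile(r'^!(\d+) (.+)$')

# Sample database: the three ftp.exe entries quoted in the post, plus a constructed
# config.xml file that changed once and never reverted (its sums are arbitrary hex).
SAMPLE_DB = r"""
#++42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f
!1454994181 C:\Windows/System32/ftp.exe
#++42496:33279:0:0:421e97cfc72a29693870accb04b12251:20622de42a9fd24d86193b63ace46400bf5efd0b
!1455110967 C:\Windows/System32/ftp.exe
!!+42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f
!1455166981 C:\Windows/System32/ftp.exe
#++1024:33279:0:0:0cc175b9c0f1b6a831c399e269772661:86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 !1454990000 C:\App/config.xml
!++1024:33279:0:0:92eb5ffee6ae2fec3ad71c777531578f:e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 !1455000000 C:\App/config.xml
"""


def parse_syscheck_db(text):
    """Return {path: [entry, ...]} with each path's entries sorted by epoch."""
    history = defaultdict(list)
    pending = None

    def record(flags, size, perm, uid, gid, md5, sha1, epoch, path):
        history[path].append({
            "flags": flags, "size": int(size), "perm": int(perm),
            "md5": md5.lower(), "sha1": sha1.lower(), "epoch": int(epoch),
        })

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUM_RE.match(line)
        if m:
            fields = m.groups()
            if fields[7] is not None:      # one-line form: sums + " !epoch path"
                record(*fields)
            else:                          # wrapped form: "!epoch path" is the next line
                pending = fields[:7]
            continue
        m = TS_RE.match(line)
        if m and pending is not None:
            record(*pending, m.group(1), m.group(2))
            pending = None
    for entries in history.values():
        entries.sort(key=lambda e: e["epoch"])
    return dict(history)


def find_reverts(history):
    """Flag files whose sums return to a value stored earlier, with at least one
    different value in between (the change / change-back pattern in the post)."""
    reverts = []
    for path, entries in history.items():
        first_seen = {}
        for i, e in enumerate(entries):
            key = (e["md5"], e["sha1"])
            prev = entries[i - 1]
            if key in first_seen and (prev["md5"], prev["sha1"]) != key:
                reverts.append({"path": path,
                                "matches_epoch": entries[first_seen[key]]["epoch"],
                                "changed_at": prev["epoch"],
                                "reverted_at": e["epoch"]})
            first_seen.setdefault(key, i)
    return reverts


def hash_bytes(data):
    """MD5 and SHA1 hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream MD5 and SHA1 of a file: the same pair that 'fciv -both' prints."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def entries_matching(live_sums, entries):
    """Epochs of stored entries whose sums equal the live (md5, sha1) pair."""
    md5, sha1 = (s.lower() for s in live_sums)
    return [e["epoch"] for e in entries if e["md5"] == md5 and e["sha1"] == sha1]


if __name__ == "__main__":
    db = parse_syscheck_db(SAMPLE_DB)
    for r in find_reverts(db):
        print("%s: value stored at %d came back at %d (had changed at %d)"
              % (r["path"], r["matches_epoch"], r["reverted_at"], r["changed_at"]))
```

Run it against a real server-side syscheck database by passing the file's contents to `parse_syscheck_db`, then call `entries_matching(hash_file(path), db[path])` on the agent to see which stored entries, if any, agree with the bytes actually on disk. One caveat when comparing tools on 64-bit Windows: a 32-bit hashing program that opens a path under `C:\Windows\System32` is subject to WoW64 file system redirection and may silently read the `SysWOW64` copy instead, so confirm both tools are hashing the same file before treating a mismatch as an OSSEC fault.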