This post is duplicated. Answered in the other thread.

On Thu, Feb 11, 2016 at 6:42 AM, <[email protected]> wrote:
> For a couple of weeks we've been trying to isolate intermittent cases where OSSEC is reporting MD5 and SHA1 checksums changing for a file, only to have it report again in a future syscheck (sometimes 1 interval, sometimes many) that the checksums have changed back to the values they were before. This is occurring for multiple file types (I've seen it on XML files, DLLs, EXEs), and random file locations (*usually* not in a systems folder). I think I finally gathered enough data to confirm for myself that something odd is happening within OSSEC and that there is indeed nothing changing with these files themselves.
>
> I reset checksums a couple of days ago to try and isolate this. Early yesterday morning we got a notification of a checksum change on a file & I captured that as well as manually verifying that nothing appeared to have changed with the file (permissions, timestamps, filesize, etc.) and also took checksums via Microsoft's FCIV tool. Late last night (several syscheck intervals later), we got another notification of checksum changes for the file, and the "new" checksum values are the same values as when I reset the checksums. Again I manually inspected the file & saw no changes. I also took checksums again via FCIV, and it did *not* show the same checksum changes that OSSEC is showing - the checksums stayed the same in FCIV.
>
> This isn't happening "frequently" - across a number of hosts we might see 1 every couple of days or so, but it's frequent enough that something definitely isn't right.
>
> Here's the data from the syscheck file on the OSSEC server showing the checksums changing & changing back:
>
> #++42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f !1454994181 C:\Windows/System32/ftp.exe
> #++42496:33279:0:0:421e97cfc72a29693870accb04b12251:20622de42a9fd24d86193b63ace46400bf5efd0b !1455110967 C:\Windows/System32/ftp.exe
> !!+42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f !1455166981 C:\Windows/System32/ftp.exe
>
> And here's the output from FCIV showing that the checksums never changed according to it:
>
> AFTER FIRST CHANGE NOTIFICATION:
>
> C:\FCIV\fciv.exe -add C:\windows\system32\ftp.exe -both
> //
> // File Checksum Integrity Verifier version 2.05.
> //
>                 MD5                             SHA-1
> -------------------------------------------------------------------------
> 9996103f8a650bdb3586c9aae1101912 e2e444f527dc7d20732bfec10055de916647565f c:\windows\system32\ftp.exe
>
> AFTER SECOND CHANGE NOTIFICATION:
>
> C:\FCIV\fciv.exe -add C:\windows\system32\ftp.exe -both
> //
> // File Checksum Integrity Verifier version 2.05.
> //
>                 MD5                             SHA-1
> -------------------------------------------------------------------------
> 9996103f8a650bdb3586c9aae1101912 e2e444f527dc7d20732bfec10055de916647565f c:\windows\system32\ftp.exe
>
> Anyone seeing similar behavior (this seems to only affect our Windows systems)? Any ideas?
>
> Thanks.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
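A small detection helper, added here as an example (it is not code from the thread or from OSSEC itself): it parses syscheck DB lines like the three quoted above, flags the "changed, then changed back" pattern per path, and computes independent MD5/SHA1 values for the kind of cross-check the poster did with FCIV. The field layout (three flag characters, then size:perm:uid:gid:md5:sha1, then !timestamp and the path) is assumed from the quoted lines; the flag characters are treated as opaque.

```python
import hashlib
import re
from collections import defaultdict

# Three syscheck DB lines copied from the thread above, one snapshot of ftp.exe each.
# Layout assumed from those lines: <3 flag chars><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<ts> <path>
SAMPLE_DB = r"""
#++42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f !1454994181 C:\Windows/System32/ftp.exe
#++42496:33279:0:0:421e97cfc72a29693870accb04b12251:20622de42a9fd24d86193b63ace46400bf5efd0b !1455110967 C:\Windows/System32/ftp.exe
!!+42496:33279:0:0:26eaa73ad814dd683c15793ff7d42064:293e598a173486f93382adaf6df920cd778dcc4f !1455166981 C:\Windows/System32/ftp.exe
""".strip().splitlines()

ENTRY_RE = re.compile(
    r"^(?P<flags>[+#!]{3})(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<ts>\d+) (?P<path>.+)$"
)

def parse_entry(line):
    """Parse one syscheck DB line into a dict; return None for lines that don't match."""
    m = ENTRY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = int(entry["ts"])
    return entry

def find_reverts(lines):
    """Return (path, ts, md5, sha1) for every snapshot whose checksum pair differs from the
    previous snapshot of the same path but equals an earlier one: the flip-flop in the thread."""
    history = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            history[entry["path"]].append(entry)
    reverts = []
    for path, entries in history.items():
        entries.sort(key=lambda e: e["ts"])  # DB order is arrival order; sort to be safe
        seen, prev = set(), None
        for entry in entries:
            pair = (entry["md5"], entry["sha1"])
            if prev is not None and pair != prev and pair in seen:
                reverts.append((path, entry["ts"], entry["md5"], entry["sha1"]))
            seen.add(pair)
            prev = pair
    return reverts

def checksums_of_bytes(data):
    """Independent MD5/SHA1 (the role FCIV played in the thread) to compare against a DB entry."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def local_checksums(path):
    with open(path, "rb") as fh:
        return checksums_of_bytes(fh.read())

if __name__ == "__main__":
    for path, ts, md5, sha1 in find_reverts(SAMPLE_DB):
        print(f"revert: {path} at {ts} back to md5={md5} sha1={sha1}")
```

Run over a real server-side syscheck DB, a revert whose checksums also disagree with `local_checksums()` on the agent points at the reporting pipeline rather than the file.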
