SSH and SSHD checksum alerts

  • Pizzicato
    Junior Member
    • May 2014
    • 2

    #1

    SSH and SSHD checksum alerts

    Hi,
    I'm receiving these mails every now and then:

    Code:
    Trigger: /usr/bin/ssh has been changed on server Master
    Trigger status: PROBLEM
    Trigger severity: Average
    Trigger URL: 
    
    Item values:
    
    1. Checksum of /usr/bin/ssh (Master:vfs.file.cksum[/usr/bin/ssh]): 1145939040

    and

    Code:
    Trigger: /usr/sbin/sshd has been changed on server Master
    Trigger status: PROBLEM
    Trigger severity: Average
    Trigger URL: 
    
    Item values:
    
    1. Checksum of /usr/sbin/sshd (Master:vfs.file.cksum[/usr/sbin/sshd]): 184550857
    I got a little scared thinking that maybe I had been hacked, but I've run rkhunter and everything seems to be OK...

    Any idea?

    Thanks
  • steveboyson
    Senior Member
    • Jul 2013
    • 582

    #2
    yum, zypper or dpkg updates came along? Just an idea ...

    Comment

    • Pizzicato
      Junior Member
      • May 2014
      • 2

      #3
      Thanks for the hint!
      I'm using Scientific Linux 6, by the way. It's based on RHEL6, and it comes by default with yum autoupdate enabled, but I disabled it some time ago. Is there any other autoupdate that I might be skipping?

      Also, yum.log does not show any sshd updates...

      Does anybody know what algorithm Zabbix uses for checksums?

      I'm going to keep a file with the md5 checksums of /usr/sbin/sshd, to check it myself each time I get that alert. We'll see if it clears anything.

      What's really strange is that I get the alert at similar times, 3:58, 9:18, 10:38, always ending in 8 ¿?¿?

      Cheers!

      Comment

      • jolibee
        Junior Member
        • Aug 2014
        • 1

        #4
        I had a similar problem recently. Zabbix reports that /usr/bin/passwd has been changed. According to the Zabbix docs, Zabbix uses the Unix cksum command to calculate the checksum of a file.
        stat shows that the change time of /usr/bin/passwd has been changed, but the content remains unchanged.
        The problem seems to be caused by prelink. You can check the original cksum of a file by issuing the following command:
        prelink -y /usr/bin/passwd | cksum, and then compare it with some other host's checksum.

        FYI:
        The checksum (md5sum) of the library /lib64/ld-2.5.so (package glibc-2.5-65) is different on the servers.

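To reproduce the number Zabbix puts in these alerts and tell a prelink rewrite apart from a real change to the binary, here is an added Python example (not from this thread, from Zabbix or from prelink) that implements the cksum(1) CRC the post above says vfs.file.cksum uses, then re-checks the un-prelinked content with prelink -y the way jolibee suggests. It assumes prelink is installed for that second check and that a baseline cksum was recorded earlier (from the package or from another host).

```python
import shutil
import subprocess

POLY = 0x04C11DB7  # CRC-32/CKSUM generator polynomial used by cksum(1)

def _crc_table():
    table = []
    for i in range(256):
        crc = i << 24
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x80000000 else crc << 1
        table.append(crc & 0xFFFFFFFF)
    return table

_TABLE = _crc_table()

def posix_cksum(data: bytes, with_length: bool = True) -> int:
    """Return the number cksum(1) prints for data: init 0, MSB-first, final XOR
    0xFFFFFFFF, with the byte length fed through the CRC last (little-endian,
    no leading zero bytes). with_length=False gives the bare CRC-32/CKSUM."""
    tail = bytearray()
    n = len(data) if with_length else 0
    while n:
        tail.append(n & 0xFF)
        n >>= 8
    crc = 0
    for b in bytes(data) + bytes(tail):
        crc = ((crc << 8) ^ _TABLE[(crc >> 24) ^ b]) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF

def classify_change(path: str, baseline: int) -> str:
    """'unchanged': cksum equals the recorded baseline.
    'prelink-only': only the un-prelinked content (prelink -y) matches, i.e. the
    alert came from prelink rewriting the binary, not from new content.
    'content-changed': investigate (rpm -V, compare with another host); also
    returned when prelink is not installed, so the case cannot be told apart."""
    with open(path, "rb") as f:
        current = posix_cksum(f.read())
    if current == baseline:
        return "unchanged"
    if shutil.which("prelink"):
        try:
            undone = subprocess.run(["prelink", "-y", path], check=True,
                                    capture_output=True).stdout
            if posix_cksum(undone) == baseline:
                return "prelink-only"
        except subprocess.CalledProcessError:
            pass  # not an ELF binary or prelink refused it; treat as changed
    return "content-changed"
```

The "Checksum of /usr/sbin/sshd" value in the alert mail can be compared directly with posix_cksum() of the file, so a baseline taken once after a yum update is enough to tell the recurring prelink rewrites from anything that needs a closer look.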