I am concerned about an integrity checksum change message from OSSEC. I haven't seen this particular message before in the five years since this server has been running (not that I examine these messages closely after the initial period of the server's setup). The file in question is /usr/sbin/groupmems.
The server runs Ubuntu 18.04 on a VPS. I also have a VM running the same version of Ubuntu. I calculated checksums of this file on both the server and the VM, and they are the same: the new checksum reported by OSSEC in its message.
Can someone explain how OSSEC has detected a change if the file on the VM and the server have the same checksum? Nothing has been updated on either machine in the two-week period before the message from OSSEC.
Thanks.
The message from OSSEC:
OSSEC HIDS Notification.
2022 Dec 25 22:15:41

Received From: ord-2->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/usr/sbin/groupmems'
Old md5sum was: 'df3ef88ed4e8fcfbcfae47abf5715639'
New md5sum is : '4364ce02d363d7e8e239ceea003210d2'
Old sha1sum was: 'e84dd002f9a391b885d02db9ec0f96926bc6b0e7'
New sha1sum is : '6d6911789741620369d40077c1ad8691bfbb233b'
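The script below is an added example, not code from the original post or from OSSEC. It parses the quoted syscheck alert, hashes the named file the same way syscheck reports it (md5 and sha1), and states whether the file's current content matches the alert's "new" digests, its "old" digests, or neither. It can also look the path up in a dpkg-style .md5sums list, the format of /var/lib/dpkg/info/<package>.md5sums (the package owning a path is found with `dpkg -S <path>`). The alert text is the one quoted in the question; the embedded .md5sums content is a constructed placeholder with made-up digests, not the values any real package ships.

```python
"""Check a file against the digests in an OSSEC syscheck alert and, optionally,
against a dpkg .md5sums list. Added example; not from the original post."""
import hashlib
import re
import sys

# Constructed sample input: the alert text quoted in the question.
SAMPLE_ALERT = """\
OSSEC HIDS Notification.
2022 Dec 25 22:15:41

Received From: ord-2->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/usr/sbin/groupmems'
Old md5sum was: 'df3ef88ed4e8fcfbcfae47abf5715639'
New md5sum is : '4364ce02d363d7e8e239ceea003210d2'
Old sha1sum was: 'e84dd002f9a391b885d02db9ec0f96926bc6b0e7'
New sha1sum is : '6d6911789741620369d40077c1ad8691bfbb233b'
"""

# Constructed placeholder in dpkg's .md5sums layout ('<md5>  <path without
# leading slash>'); the digests are made up, not a real package's values.
SAMPLE_MD5SUMS = """\
0123456789abcdef0123456789abcdef  usr/sbin/groupmems
fedcba9876543210fedcba9876543210  usr/sbin/useradd
"""

RULE_RE = re.compile(r"Rule:\s*(\d+)\s+fired\s+\(level\s+(\d+)\)")
COUNT_RE = re.compile(r"\((\d+)(?:st|nd|rd|th) time\)")
PATH_RE = re.compile(r"Integrity checksum changed for:\s*'([^']+)'")
DIGEST_RE = re.compile(
    r"^(Old|New)\s+(md5|sha1)sum\s+(?:was|is)\s*:\s*'([0-9a-f]+)'", re.M)


def parse_syscheck_alert(text):
    """Extract rule, level, change count, path and old/new digests from an alert."""
    rule = RULE_RE.search(text)
    path = PATH_RE.search(text)
    if not (rule and path):
        raise ValueError("not a syscheck integrity-change alert")
    count = COUNT_RE.search(text)  # absent on the first change (rule 550)
    alert = {"rule": int(rule.group(1)), "level": int(rule.group(2)),
             "change_count": int(count.group(1)) if count else 1,
             "path": path.group(1), "old": {}, "new": {}}
    for age, algo, digest in DIGEST_RE.findall(text):
        alert[age.lower()][algo] = digest
    return alert


def _digests(chunks):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data):
    return _digests([data])


def hash_file(path):
    """Stream the file so large binaries are not read into memory at once."""
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(1 << 16), b""))


def classify(alert, current):
    """'matches_new', 'matches_old' or 'neither', over the algorithms both sides have."""
    algos = [a for a in ("md5", "sha1") if a in current and a in alert["new"]]
    if not algos:
        raise ValueError("no digest in common with the alert")
    if all(current[a] == alert["new"][a] for a in algos):
        return "matches_new"
    if all(current[a] == alert["old"].get(a) for a in algos):
        return "matches_old"
    return "neither"


def recorded_md5(md5sums_text, path):
    """Return the md5 dpkg recorded for path in a .md5sums listing, or None."""
    want = path.lstrip("/")
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == want:
            return parts[0]
    return None


def main(argv):
    text = SAMPLE_ALERT if len(argv) < 2 else open(argv[1]).read()
    alert = parse_syscheck_alert(text)
    try:
        current = hash_file(alert["path"])
    except OSError as exc:
        print(f"cannot read {alert['path']}: {exc}")
        return 2
    print(f"{alert['path']}: change #{alert['change_count']} "
          f"(rule {alert['rule']}, level {alert['level']}) -> "
          f"current file {classify(alert, current)}")
    # Optional second argument: a .md5sums file copied from /var/lib/dpkg/info/.
    if len(argv) > 2:
        recorded = recorded_md5(open(argv[2]).read(), alert["path"])
        print("dpkg-recorded md5:", recorded,
              "(match)" if recorded == current["md5"] else "(differs or absent)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A current file that matches the alert's "new" digests only confirms the file is in the state the third alert recorded; the rule text says syscheck has seen this path change three times, and the earlier states exist only in syscheck's own history. Comparing against the package's .md5sums answers a different question: whether the current content is what the installed package version shipped.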