I have 3 servers running SME Server (all updated to the latest 7.3 with all the latest patches). I was having issues with one of them where the machine would just stop listening on the WAN interface for a short period.
Using tcpdump I did not see any unusual activity, but on checking tcpdump itself it looks like I have 3 different versions, although all machines are updated to the same patch level. See the MD5 sums below.
I am now thinking that 1, 2 or all three may have been hacked and a new tcpdump installed. All claim to be using tcpdump-3.8.2-12.el4_6.1.
Is there an md5sum fingerprint database available for SME Server / CentOS that I can check my systems against to see if any files have been replaced? What is the correct MD5 sum for tcpdump on 7.3 (latest updates)?
Thanks,
Dave.
Machine 1
[root@download sbin]# md5sum /usr/sbin/tcpdump
13a7cee465ed4afd6480ac9fc3ab1224 /usr/sbin/tcpdump
[root@download sbin]# ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 523208 Jan 26 04:22 /usr/sbin/tcpdump
[root@download sbin]# rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
Machine 2
[root@sea ~]# md5sum `which tcpdump`
3a37e5e8a2204ca2b80efa25db45853a /usr/sbin/tcpdump
[root@sea ~]# ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 528772 Jan 26 04:22 /usr/sbin/tcpdump
[root@sea ~]# rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
Machine 3
-bash-3.00$ md5sum /usr/sbin/tcpdump
2c7581e2dec40e1076214baecc921656 /usr/sbin/tcpdump
-bash-3.00$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 528772 Jan 26 04:22 /usr/sbin/tcpdump
-bash-3.00$ rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
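As an added example (not part of the original post), here is the check the question is asking for, done by hand: RPM records an MD5 digest for every file it installs, and `rpm -q --dump PKG` prints them one file per line, so a script can compare those digests with what is on disk. The paths, file contents and dump lines in demo() are constructed for the example and are not real tcpdump digests.

```python
import hashlib
import os
import tempfile

def parse_dump(text):
    """Map path -> recorded MD5 from `rpm -q --dump PKG` output. Each line is:
    path size mtime digest mode owner group isconfig isdoc rdev symlink.
    Directories and symlinks carry an all-zero digest and are skipped."""
    expected = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 11 and set(fields[3]) != {"0"}:
            expected[fields[0]] = fields[3]
    return expected

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(expected, root="/"):
    """Return {path: 'ok'|'modified'|'missing'}; root may point at a mounted image."""
    report = {}
    for path, digest in expected.items():
        full = os.path.join(root, path.lstrip("/"))
        report[path] = ("missing" if not os.path.isfile(full)
                        else "ok" if md5_of(full) == digest else "modified")
    return report

def demo():
    """Constructed scenario: record digests at 'install' time, overwrite one
    binary, and show that verify() flags only that file."""
    root = tempfile.mkdtemp()
    installed = {"/usr/sbin/tcpdump": b"constructed tcpdump bytes",
                 "/usr/share/man/man8/tcpdump.8.gz": b"constructed man page"}
    # a directory entry, as rpm prints it: all-zero digest, must be skipped
    dump = ["/usr/sbin 4096 0 00000000000000000000000000000000 040755 root root 0 0 0 X"]
    for path, data in installed.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        dump.append(f"{path} {len(data)} 0 {hashlib.md5(data).hexdigest()} "
                    "0100755 root root 0 0 0 X")
    with open(os.path.join(root, "usr/sbin/tcpdump"), "wb") as f:
        f.write(b"replaced tcpdump bytes")  # simulate a swapped binary
    return verify(parse_dump("\n".join(dump)), root)
```

On a host you suspect, take the reference digests from a known-good package file with `rpm -qp --dump <tcpdump rpm downloaded from a trusted mirror>` rather than from the local RPM database, since an intruder with root could have rewritten that database too. Note also that prelink rewrites ELF binaries in place and changes both their size and their MD5, so a plain md5sum mismatch on a binary is not proof of tampering; `rpm -V` undoes prelinking before hashing and is the more forgiving check.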