Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: dhalliday on March 04, 2008, 10:34:41 PM
-
I have 3 servers running SME Server (all updated to the latest 7.3 with all the latest patches). I was having issues with one of them where the machine would just stop listening on the WAN interface for short periods.
Using tcpdump I did not see any unusual activity but on checking tcpdump itself it looks like I have 3 different versions but all machines are updated to the same patch level. See MD5 sum below.
I am now thinking 1, 2 or all three may have been hacked and a new tcpdump installed. All claim to be using tcpdump-3.8.2-12.el4_6.1.
Is there an md5sum fingerprint database available for SME Server / CentOS that I can check my systems against to see if any files have been replaced? What is the correct MD5 sum for tcpdump on 7.3 (latest updates)?
Thanks,
Dave.
Machine 1
[root@download sbin]# md5sum /usr/sbin/tcpdump
13a7cee465ed4afd6480ac9fc3ab1224 /usr/sbin/tcpdump
[root@download sbin]# ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 523208 Jan 26 04:22 /usr/sbin/tcpdump
[root@download sbin]# rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
Machine 2
[root@sea ~]# md5sum `which tcpdump`
3a37e5e8a2204ca2b80efa25db45853a /usr/sbin/tcpdump
[root@sea ~]# ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 528772 Jan 26 04:22 /usr/sbin/tcpdump
[root@sea ~]# rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
Machine 3
-bash-3.00$ md5sum /usr/sbin/tcpdump
2c7581e2dec40e1076214baecc921656 /usr/sbin/tcpdump
-bash-3.00$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x 1 root root 528772 Jan 26 04:22 /usr/sbin/tcpdump
-bash-3.00$ rpm -qf /usr/sbin/tcpdump
tcpdump-3.8.2-12.el4_6.1
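An added example, not from the post or from SME Server/CentOS, of the check the question is asking for: the RPM database already records each installed file's size and MD5 (that is what `rpm -V tcpdump` compares against), and this POSIX shell script does the same comparison by hand on `rpm -q --dump` output. Because the digests quoted on the page cannot be confirmed here, the demo runs on a constructed stand-in file; the `verify_*` function names and the 1201321320 mtime are made up for the example.

```shell
#!/bin/sh
# Check a file's size and MD5 against the values the RPM database recorded
# at install time. The dump line has the format printed by `rpm -q --dump PKG`:
#   path size mtime md5 mode owner group isconfig isdoc rdev symlink
# Returns 0 on match, 1 on size/digest mismatch, 2 if the line is not about FILE.
verify_against_dump() {
    file="$1"
    set -- $2                      # split the dump line into its fields
    [ "$1" = "$file" ] || return 2
    expected_size="$2"
    expected_md5="$4"
    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual_size" = "$expected_size" ] && [ "$actual_md5" = "$expected_md5" ]
}

# Check every file of an installed package; feed it `rpm -q --dump PKG` on stdin.
# (Not run against rpm here: the demo below pipes in constructed lines instead.)
verify_package_dump() {
    status=0
    while read -r line; do
        path=${line%% *}
        [ -f "$path" ] || continue
        verify_against_dump "$path" "$line" || { echo "MISMATCH: $path"; status=1; }
    done
    return $status
}

# Constructed demo: a stand-in "tcpdump" whose recorded digest we compute
# ourselves, plus one dump line carrying a bogus digest (a tampered file would
# show up exactly like this second case).
demo_dir=$(mktemp -d)
printf 'not really tcpdump\n' > "$demo_dir/tcpdump"
good_md5=$(md5sum "$demo_dir/tcpdump" | cut -d' ' -f1)
good_line="$demo_dir/tcpdump 19 1201321320 $good_md5 0100755 root root 0 0 0 X"
bad_line="$demo_dir/tcpdump 19 1201321320 00000000000000000000000000000000 0100755 root root 0 0 0 X"

verify_against_dump "$demo_dir/tcpdump" "$good_line" && echo "OK: matches recorded digest"
verify_against_dump "$demo_dir/tcpdump" "$bad_line"  || echo "MISMATCH: on-disk file differs from RPM record"
printf '%s\n%s\n' "$good_line" "$bad_line" | verify_package_dump || echo "package check reported mismatches"
rm -rf "$demo_dir"
```

On CentOS 4 prelink rewrites executables in place, so raw md5sum values legitimately differ between otherwise identical machines; `rpm -V` undoes prelinking before comparing, this script does not. If the rpm binary or its database might themselves have been tampered with, compare against `rpm -qp --dump` of a freshly downloaded copy of the package from a trusted mirror rather than the local database.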
-
As it says before you post:
Don't report security issues here - Contact security at contribs dot org
-
At this point I'm not sure it is a security issue. It could be, but until I know what the fingerprint should be I can't be sure. But I have sent this off to the address that is suggested.
Thanks,
D.