I have recently installed a Host based intrusion detection system(HIDS) which also runs integrity checks on files. It uses MD5/SHA1 for the checksum.I have started receiving alerts from the HIDS about changes in the integrity checksum of some files like:-
'/webmin/virtual-server/history/quotaused' '/webmin/virtual-server/history/mailcount' '/webmin/virtual-server/history/rx' '/webmin/virtual-server/history/bin' '/webmin/virtual-server/domains/128......50' '/webmin/virtual-server/domains/2345......50'
Do these files undergo regular changes ? I have already looked up the HIDS mail archives and it seems that the system fires a lot of false postivies due to ‘prelinking’.
Anyway my main query is the possibility that these files change regularly and hence trigger alerts ? The other possibility is that my box is owned and that is the tougher to accept part.
Am using webmin version 1.510, also virtualmin GPL 3.79.