• Guys,

    My security alert system is telling me that the checksum of a file like node_modules/nodebb-plugin-finder/npm.json has changed. Can anybody tell me why it will change without me modifying anything?


  • Judging by @bdharrington7's code, his plugin is checking for new nodebb plugins in npm once a day and saving it locally in that npm.json file:

    https://github.com/bdharrington7/nodebb-plugin-finder/blob/master/library.js


  • @psychobunny

    Thanks. That was what I thought was happening and I don't think it is really a good idea.

    @bdharrington7, is this a behavior that can be coded to be configurable, that is, for the admin to enable/disable automatic checking of NodeBB plugins?

  • Community Rep

    Woah sorry I just saw this, been studying for interviews. I can put that in real quick 🙂

  • Community Rep

    Updated to allow you the option for auto-update, and some other stuff 🙂

    @planner Just out of curiosity, what software was telling you that and why would it be a security threat?

  • GNU/Linux Admin

    @bdharrington7 I imagine it's just monitoring checksums for files in case a rogue script went in and changed it (i.e. to add a malware script into header, etc). Neat 👍


  • @BDHarrington7

    I'm using OSSEC as my Host Intrusion Detection System (HIDS) and it's configured to send out alerts by email when it detects any activity on the server. In this case, it detected that the MD5/SHA1 checksum of certain files had changed, so it sent out an alert:

    OSSEC HIDS Notification.
    2014 Feb 21 03:44:49
    
    Received From: (server-name) xxx.yyy.zzz.000->syscheck
    Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
    Portion of the log(s):
    
    Integrity checksum changed for: 'forum/node_modules/nodebb-plugin-finder/npm.json'
    Size changed from '34934' to '36289'
    Old md5sum was: '87b3c6a957af2d8135fb4ea2455f5b36'
    New md5sum is : '34206f1cbf9602d33e81e72b3b074e61'
    Old sha1sum was: '08764bf37603c005923f2afd7b215f44e304884b'
    New sha1sum is : '3995ed7931cdf60ef4c8c65b88afe43013ab5190'
    

    It worried me because I was not expecting the file to change, but that was before @psychobunny posted a reply to my question.

    I'm paranoid about these things, but don't blame me. That's just my nature and a consequence of having a security background.
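
Added example, not part of the thread or of OSSEC itself: a small Python triage step for syscheck alerts like the one quoted above. It parses the rule, path, size and SHA-1 fields and marks an alert as expected only when the path is on an admin-maintained list; the `EXPECTED_VOLATILE` list and the function names are assumptions for illustration.

```python
import re
from fnmatch import fnmatch

# Excerpt of the alert quoted in the post above.
ALERT = """\
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Integrity checksum changed for: 'forum/node_modules/nodebb-plugin-finder/npm.json'
Size changed from '34934' to '36289'
Old sha1sum was: '08764bf37603c005923f2afd7b215f44e304884b'
New sha1sum is : '3995ed7931cdf60ef4c8c65b88afe43013ab5190'
"""

# Assumption: paths the admin has confirmed are rewritten by the application itself.
EXPECTED_VOLATILE = ["*/node_modules/nodebb-plugin-finder/npm.json"]

PATTERNS = {
    "rule": r"^Rule: (\d+) fired \(level (\d+)\)",
    "path": r"^Integrity checksum changed for: '(.+)'",
    "size": r"^Size changed from '(\d+)' to '(\d+)'",
    "old_sha1": r"^Old sha1sum was: '([0-9a-f]{40})'",
    "new_sha1": r"^New sha1sum is : '([0-9a-f]{40})'",
}

def parse_alert(text):
    """Extract the fields of a syscheck change alert; missing fields are None."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        found[name] = m.groups() if m else None
    return found

def triage(text, expected=EXPECTED_VOLATILE):
    """Return (verdict, fields). Unknown paths and unparsable alerts go to a human."""
    fields = parse_alert(text)
    if not fields["path"] or not fields["rule"]:
        return "review", fields      # fail closed on anything we cannot parse
    path = fields["path"][0]
    if any(fnmatch(path, pat) for pat in expected):
        return "expected", fields    # known self-updating data file
    return "review", fields

if __name__ == "__main__":
    verdict, fields = triage(ALERT)
    print(verdict, fields["path"][0], fields["size"])
```

A path on the expected list is effectively exempt from checksum monitoring, so restrict the list to data files the application rewrites itself, never code or templates.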

  • GNU/Linux Admin

    oooh... @planner, do you do pentesting? 😛


  • @julian

    In a previous incarnation, I did something like that.

  • Community Rep

    Cool stuff! I'll have to look at that for my server 🙂

