Who changes /bin/ping on my system ?
Hi,
every now and then ping loses its capabilities to be executed by a normal
user. Like here:
$ ping example.com
ping: icmp open socket: Operation not permitted
I didn't care so far and just reinstalled iputils-ping and everything worked
again. I did this three or four times since ~ November 2013.
Today I had the problem again and took time to look at it a bit closer. Right
before, I made an apt-get update / apt-get dist-upgrade (but iputils-ping
wasn't included here).
# ls -la /bin/ping
-rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
Now I reinstalled iputils-ping:
# apt-get --reinstall install iputils-ping
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/56.3 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 443041 files and directories currently installed.)
Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
Processing triggers for man-db (2.6.6-1) ...
Setting up iputils-ping (3:20121221-5) ...
Setcap worked! Ping(6) is not suid!
# ls -la /bin/ping
-rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
To me it looks like the ping utility is changed from time to time without setting
the correct pcaps (rootkit bug?).
Does anybody know who or what changes my ping utility? Is this a known bug (I
couldn't find anything)?
Is there a good rootkit / malware scanner (I am already using chkrootkit with
no success)?
My system is a Debian Sid / unstable
Thanks for any help or suggestions.
Tim
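
One way to tell whether the binary on disk still matches what the package shipped, as an added example that is not part of the original post: the script below compares /bin/ping with the checksum dpkg recorded for it and reports its file capabilities. The md5sums path, the function names and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare an installed file with the checksum its Debian
# package recorded, and report whether file capabilities are still set.

# pkg_md5 MD5SUMS_FILE ABS_PATH
# Prints the md5 recorded for ABS_PATH, or nothing if the path is not listed.
pkg_md5() {
    # Lines in dpkg's *.md5sums files are "<md5>  <path without leading slash>"
    rel=${2#/}
    awk -v p="$rel" '$2 == p { print $1; exit }' "$1"
}

# file_state MD5SUMS_FILE ABS_PATH [ROOT]
# Prints one of: match, modified, missing, untracked.
# ROOT is an optional prefix so the check can run against a scratch tree.
file_state() {
    want=$(pkg_md5 "$1" "$2")
    [ -n "$want" ] || { echo untracked; return 0; }
    target="${3:-}$2"
    [ -e "$target" ] || { echo missing; return 0; }
    have=$(md5sum "$target" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then echo match; else echo modified; fi
}

# cap_state ABS_PATH
# Prints what getcap reports for the file, "none" if no capability is set.
cap_state() {
    command -v getcap >/dev/null 2>&1 || { echo getcap-not-installed; return 0; }
    caps=$(getcap "$1" 2>/dev/null)
    echo "${caps:-none}"
}

# Only touch the real system when called as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    f=/bin/ping
    sums=/var/lib/dpkg/info/iputils-ping.md5sums   # assumed location
    printf '%s state=%s size=%s caps=%s\n' "$(date -u +%FT%TZ)" \
        "$(file_state "$sums" "$f")" "$(stat -c %s "$f")" "$(cap_state "$f")"
fi
```

Run periodically (for example from cron) with the output appended to a log, the first line showing state=modified or caps=none brackets the time window in which the file was changed.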