Re: Who changes /bin/ping on my system ?
On 04/03/14 19:16, Tim Ruehsen wrote:
> Hi,
>
> every now and then ping loses its capabilities to be executed by a normal
> user. Like here:
> $ ping example.com
> ping: icmp open socket: Operation not permitted
>
> I didn't care so far and just reinstalled iputils-ping and everything worked
> again. I did this three or four times since ~ November 2013.
>
> Today I had the problem again and took time to look at it a bit closer. Right
> before, I made an apt-get update / apt-get dist-upgrade (but iputils-ping
> wasn't included here).
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
>
> Now I reinstalled iputils-ping:
> # apt-get --reinstall install iputils-ping
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
> Need to get 0 B/56.3 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 443041 files and directories currently installed.)
> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
> Processing triggers for man-db (2.6.6-1) ...
> Setting up iputils-ping (3:20121221-5) ...
> Setcap worked! Ping(6) is not suid!
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
$ ls -l `which ping`
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping # different results
and I don't get your error - ever.
iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).
>
> For me it looks like the ping utility is changed from time to time without setting
> the correct pcaps (rootkit bug ?).
I can't definitely say no, nor can I think of why a rootkit would do
that. Certainly it's a bug.
>
> Does anybody know who or what changes my ping utility ? Is this a known bug (I
> couldn't find anything) ?
Nor could I, though I only did a quick search. Definitely file a bug report.
> Is there a good rootkit / malware scanner (I am already using chkrootkit with
> no success) ?
No opinion there.
Check the md5 of the binary as a start?
I route suspect boxes through a transparent proxy to see if there are
channels in use that shouldn't be.
>
> My system is a Debian Sid / unstable
>
> Thanks for any help or suggestions.
>
> Tim
>
>
Kind regards
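An added example, not code from Tim or the replier above, showing how to do the two checks the thread circles around: compare the installed binary against the md5sums dpkg recorded at install time (the "check the md5 of the binary" suggestion), and check whether ping can still open a raw ICMP socket as a normal user. Note that the two systems in the thread differ here: the replier's older iputils-ping ships ping setuid root (the `-rwsr-xr-x` in the ls output), while Tim's 2012 version relies on the postinst running setcap ("Setcap worked! Ping(6) is not suid!"), so losing the file capability is enough to produce his "Operation not permitted" error. The demo data at the bottom (a fake md5sums file and a "swapped" binary in a temp directory) is constructed so the script runs offline; `verify_md5sums` and `raw_socket_allowed` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes GNU coreutils
# (md5sum, ls -n) and, where available, getcap from libcap.

# verify_md5sums MD5SUMS_FILE [ROOT]
# Reads a dpkg-style md5sums file ("<md5>  <relative path>", as found under
# /var/lib/dpkg/info/<package>.md5sums) and prints the relative path of every
# file under ROOT (default /) whose checksum no longer matches.
# Returns 0 when everything matches, 1 when at least one file differs.
verify_md5sums() {
    md5file=$1
    root=${2:-/}
    status=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        actual=$(md5sum "$root/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "$path"
            status=1
        fi
    done < "$md5file"
    return $status
}

# raw_socket_allowed PATH
# Returns 0 if an unprivileged user can expect PATH to open raw ICMP sockets:
# either it is setuid and owned by root (old iputils) or it carries the
# cap_net_raw file capability (what the newer iputils-ping postinst sets with
# setcap). Returns 1 otherwise, which is exactly the state that produces
# "ping: icmp open socket: Operation not permitted".
raw_socket_allowed() {
    bin=$1
    owner_uid=$(ls -ln "$bin" | awk '{print $3}')
    if [ -u "$bin" ] && [ "$owner_uid" = 0 ]; then
        return 0
    fi
    if command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$bin" 2>/dev/null)" in
            *cap_net_raw*) return 0 ;;
        esac
    fi
    return 1
}

# --- constructed demo data, not a real package ---------------------------
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
printf 'intact\n' > "$demo_dir/bin/good"
printf 'original\n' > "$demo_dir/bin/ping"
{
    printf '%s  bin/good\n' "$(md5sum "$demo_dir/bin/good" | cut -d' ' -f1)"
    printf '%s  bin/ping\n' "$(md5sum "$demo_dir/bin/ping" | cut -d' ' -f1)"
} > "$demo_dir/iputils-ping.md5sums"
printf 'replaced\n' > "$demo_dir/bin/ping"   # simulate the binary being swapped

echo "Files differing from the package's md5sums:"
verify_md5sums "$demo_dir/iputils-ping.md5sums" "$demo_dir" || true
if raw_socket_allowed "$demo_dir/bin/ping"; then
    echo "bin/ping: setuid root or cap_net_raw present"
else
    echo "bin/ping: neither setuid root nor cap_net_raw; ping will fail for normal users"
fi
rm -rf "$demo_dir"
```

On a real Debian box the equivalent calls are `verify_md5sums /var/lib/dpkg/info/iputils-ping.md5sums /` (the file is named `iputils-ping:amd64.md5sums` on multiarch installs) and `raw_socket_allowed /bin/ping`; `dpkg --verify iputils-ping`, `debsums iputils-ping` and a plain `getcap /bin/ping` do the same checks without any script. A matching md5sum with missing capabilities points at something stripping the xattr (for example a copy or restore that does not preserve file capabilities) rather than at a replaced binary; a mismatching md5sum is the case worth treating as a compromise until explained.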