
Re: Who changes /bin/ping on my system ?



On Tuesday 04 March 2014 12:33:16 Brian wrote:
> On Tue 04 Mar 2014 at 09:16:15 +0100, Tim Ruehsen wrote:
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
> 
> The file size indicates this is /bin/ping6 (amd64 platform)
> 
> > Now I reinstalled iputils-ping:
> > 
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
> 
> The file size indicates this is /bin/ping (amd64 platform)
> 
> > For me it looks like ping utility is changed from time to time without
> > setting the correct pcaps (rootkit bug ?).
> 
> I'm unsure what to think but it seems you are involved and not a
> bug/rootkit.

I was really busy the last three days, so please excuse my late answer.
And many thanks to everybody involved (I just read your posts).

Here is an update:
Last evening I left my machine running - this morning the ping tools look like:
# ls -la /bin/ping*
-rwxr-xr-x 1 root root 46672 Feb  1 22:18 /bin/ping
-rwxr-xr-x 1 root root 50264 Feb  1 22:18 /bin/ping6

# ls -lac /bin/ping*
-rwxr-xr-x 1 root root 46672 Mar  6 06:50 /bin/ping
-rwxr-xr-x 1 root root 50264 Mar  6 06:51 /bin/ping6

The missing caps have been set ...

# getcap `which ping`
/bin/ping = cap_net_raw+ep
# getcap `which ping6`
/bin/ping6 = cap_net_raw+ep

So, the file sizes changed again (I didn't record the size of ping6 utility in 
my initial post, and I do not remember it). And the ctime has been changed - I 
will look for a nightly cronjob.

Chris and Scott suggested that some special software (proxy, sniffer) might be 
involved. I will check that, too.

I will come back as soon as I find the reason.

Regards, Tim

