
Re: Who changes /bin/ping on my system ?



On 04/03/14 19:16, Tim Ruehsen wrote:
> Hi,
> 
> every now and then ping loses its capabilities to be executed by a normal 
> user. Like here:
> $ ping example.com
> ping: icmp open socket: Operation not permitted
> 
> I didn't care so far and just reinstalled iputils-ping and everything worked 
> again. I did this three or four times since ~ November 2013.
> 
> Today I had the problem again and took time to look at it a bit closer. Right 
> before, I made an apt-get update / apt-get dist-upgrade (but iputils-ping 
> wasn't included here).
> 
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
> 
> Now I reinstalled iputils-ping:
> # apt-get --reinstall install iputils-ping
> Reading package lists... Done
> Building dependency tree       
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
> Need to get 0 B/56.3 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 443041 files and directories currently installed.)
> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
> Processing triggers for man-db (2.6.6-1) ...
> Setting up iputils-ping (3:20121221-5) ...
> Setcap worked! Ping(6) is not suid!
> 
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

$ ls -l `which ping`
-rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping # different results
and I don't get your error - ever.

iputils-ping         3:20101006-1+b1 i386 (Wheezy with backports).

> 
> For me it looks like ping utility is changed from time to time without setting 
> the correct pcaps (rootkit bug ?).

I can't definitely say no, nor can I think of why a rootkit would do
that. Certainly it's a bug.

> 
> Does anybody know who or what changes my ping utility ? Is this a known bug (I 
> couldn't find anything) ?

Nor could I, though I only did a quick search. Definitely file a bug report.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with 
> no success) ?

No opinion there.

Check the md5 of the binary as a start?

I route suspect boxes through a transparent proxy to see if there are
channels in use that shouldn't be.

> 
> My system is a Debian Sid / unstable
> 
> Thanks for any help or suggestions.
> 
>       Tim
> 
> 

Kind regards
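An added example, not code from either poster, covering the two checks the thread circles around: whether the installed ping still carries the privilege it needs (setuid root, or an effective cap_net_raw as set by the "Setcap worked!" step in the reinstall output), and whether its md5 still matches what dpkg recorded at install time (the "check the md5 of the binary" suggestion). The getcap output formats, the md5sums file layout under /var/lib/dpkg/info/ and the demo files in a temp directory are assumptions of this example; the demo does not touch the real /bin/ping.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for a /bin/ping that has
# stopped working for ordinary users:
#   1. does the binary carry setuid-root OR an effective cap_net_raw?
#   2. does its md5 still match what dpkg recorded when the package was installed?
# The demo at the bottom runs on constructed files in a temp dir, not on /bin/ping.

# raw_socket_privs MODE CAPS
#   MODE: permission string as printed by `ls -l`, e.g. -rwsr-xr-x
#   CAPS: what `getcap FILE` printed, or "" if it printed nothing
# Prints "setuid", "capability" or "none". Returns 0 only in the first two
# cases, i.e. when an unprivileged user can open an ICMP raw socket.
raw_socket_privs() {
    mode=$1
    caps=$2
    # 4th character is the owner-execute slot; 's' means setuid and executable
    case "$mode" in
        ???s*) echo setuid; return 0 ;;
    esac
    # getcap prints "FILE = cap_net_raw+ep" (older libcap) or
    # "FILE cap_net_raw=ep" (newer libcap). Word-split on spaces, find the
    # clause naming cap_net_raw, and require an 'e' (effective) flag after
    # the '+' or '='; "cap_net_raw+p" alone is never raised on exec.
    for clause in $caps; do
        case "$clause" in
            *cap_net_raw*)
                flags=${clause##*[+=]}
                case "$flags" in
                    *e*) echo capability; return 0 ;;
                esac ;;
        esac
    done
    echo none
    return 1
}

# md5_of FILE: hex md5 of FILE, using whichever tool the host has
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# dpkg_md5_ok FILE MD5SUMS
#   MD5SUMS: the package's installed checksum list; on Debian that is
#   /var/lib/dpkg/info/iputils-ping.md5sums, one "<md5>  bin/ping" per line
#   with paths relative to /. Returns 0 if FILE's current md5 matches,
#   1 if it differs, 2 if FILE is not listed at all.
dpkg_md5_ok() {
    file=$1
    list=$2
    rel=${file#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$list")
    if [ -z "$expected" ]; then
        echo "no dpkg record for $file" >&2
        return 2
    fi
    [ "$(md5_of "$file")" = "$expected" ]
}

# --- demo on constructed data (assumed stand-ins, not the real binary) ---
demo_dir=$(mktemp -d)
printf 'stand-in for the ping binary\n' > "$demo_dir/ping"
# record the checksum the way dpkg does: md5, two spaces, path relative to /
printf '%s  %s\n' "$(md5_of "$demo_dir/ping")" "${demo_dir#/}/ping" \
    > "$demo_dir/iputils-ping.md5sums"

echo "setuid ping (the Wheezy box):  $(raw_socket_privs -rwsr-xr-x '')"
echo "setcap ping (after reinstall): $(raw_socket_privs -rwxr-xr-x '/bin/ping = cap_net_raw+ep')"
echo "mode -rwxr-xr-x, getcap empty: $(raw_socket_privs -rwxr-xr-x '')"

if dpkg_md5_ok "$demo_dir/ping" "$demo_dir/iputils-ping.md5sums"; then
    echo "md5 matches dpkg record"
fi
printf 'appended bytes\n' >> "$demo_dir/ping"   # simulate a modified binary
if ! dpkg_md5_ok "$demo_dir/ping" "$demo_dir/iputils-ping.md5sums"; then
    echo "md5 differs: binary changed since install"
fi
rm -rf "$demo_dir"
```

On a real Debian box the inputs come from `ls -l /bin/ping`, `getcap /bin/ping` and /var/lib/dpkg/info/iputils-ping.md5sums; `debsums -c iputils-ping` performs the same md5 comparison for every file in the package. The two results should be read together: setcap stores the capability in the file's security.capability extended attribute, which is silently dropped whenever the file is rewritten by a tool that does not preserve xattrs, so "mode -rwxr-xr-x, getcap empty, md5 unchanged" points at lost metadata rather than a replaced binary, while a changed md5 with no package upgrade in between is the case that deserves the rootkit suspicion raised above.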

