On 04/03/14 19:16, Tim Ruehsen wrote:
> Hi,
>
> every now and then ping loses its capabilities to be executed by a normal
> user. Like here:
> $ ping example.com
> ping: icmp open socket: Operation not permitted
>
> I didn't care so far and just reinstalled iputils-ping and everything worked
> again. I did this three or four times since ~ November 2013.
>
> Today I had the problem again and took time to look at it a bit closer. Right
> before, I made an apt-get update / apt-get dist-upgrade (but iputils-ping
> wasn't included here).
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
>
> Now I reinstalled iputils-ping:
> # apt-get --reinstall install iputils-ping
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
> Need to get 0 B/56.3 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 443041 files and directories currently installed.)
> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
> Processing triggers for man-db (2.6.6-1) ...
> Setting up iputils-ping (3:20121221-5) ...
> Setcap worked! Ping(6) is not suid!
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

$ ls -l `which ping`
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping
# different results and I don't get your error - ever.

iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).

> For me it looks like ping utility is changed from time to time without
> setting the correct pcaps (rootkit bug ?).

I can't definitely say no, nor can I think of why a rootkit would do that.
Certainly it's a bug.

> Does anybody know who or what changes my ping utility ? Is this a known bug
> (I couldn't find anything) ?

Nor could I, though I only did a quick search. Definitely file a bug report.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with
> no success) ?

No opinion there. Check the md5 of the binary as a start? I route suspect
boxes through a transparent proxy to see if there are channels in use that
shouldn't be.

> My system is a Debian Sid / unstable
>
> Thanks for any help or suggestions.
>
> Tim

Kind regards
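
Added example, not part of the original message: a shell sketch of the two checks discussed in this thread, namely whether the binary still carries setuid or cap_net_raw, and whether its md5 matches the one dpkg recorded for the package. The function names are hypothetical, and the default md5sums path assumes dpkg's usual /var/lib/dpkg/info/ layout.

```shell
#!/bin/sh
# Added example: triage a ping binary that stopped working for normal users.
# Function names are hypothetical; default paths assume a Debian dpkg layout.

# classify_priv MODE CAPS -> setuid | cap_net_raw | unprivileged
# MODE is the mode string from "ls -l", CAPS is the getcap output for the file.
classify_priv() {
    case "$1" in
        ???s*) echo setuid; return 0 ;;       # owner-execute slot shows "s"
    esac
    case "$2" in
        *cap_net_raw*) echo cap_net_raw; return 0 ;;
    esac
    echo unprivileged
}

# md5_status FILE MD5SUMS RELPATH -> match | mismatch | unlisted
# MD5SUMS uses the dpkg format: "<md5>  <path without leading slash>".
md5_status() {
    want=$(awk -v p="$3" '$2 == p { print $1; exit }' "$2")
    [ -n "$want" ] || { echo unlisted; return 0; }
    have=$(md5sum "$1" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then echo match; else echo mismatch; fi
}

# check_ping [FILE] [MD5SUMS]: report both results for the installed binary.
check_ping() {
    f=${1:-/bin/ping}
    sums=${2:-/var/lib/dpkg/info/iputils-ping.md5sums}
    mode=$(ls -l "$f" | awk '{ print $1 }')
    caps=$(getcap "$f" 2>/dev/null || true)   # empty if getcap is missing
    echo "privilege: $(classify_priv "$mode" "$caps")"
    echo "md5:       $(md5_status "$f" "$sums" "${f#/}")"
}
```

Running `check_ping` with no arguments inspects /bin/ping. The md5sums list sits on the same disk as the binary, so on a box you suspect a match is weak evidence; comparing against a freshly downloaded .deb is stronger.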