Re: Who changes /bin/ping on my system ?

2014-03-06 Thread Tim Ruehsen
On Tuesday 04 March 2014 12:33:16 Brian wrote:
> On Tue 04 Mar 2014 at 09:16:15 +0100, Tim Ruehsen wrote:
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
> 
> The file size indicates this is /bin/ping6 (amd64 platform)
> 
> > Now I reinstalled iputils-ping:
> > 
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
> 
> The file size indicates this is /bin/ping (amd64 platform)
> 
> > For me it looks like ping utility is changed from time to time without
> > setting the correct pcaps (rootkit bug ?).
> 
> I'm unsure what to think but it seems you are involved and not a
> bug/rootkit.

I was really busy the last three days, so please excuse my late answer.
And many thanks to everybody involved (I just read your posts).

Here is an update:
Last evening I left my machine running; this morning the ping tools look like:
# ls -la /bin/ping*
-rwxr-xr-x 1 root root 46672 Feb  1 22:18 /bin/ping
-rwxr-xr-x 1 root root 50264 Feb  1 22:18 /bin/ping6

# ls -lac /bin/ping*
-rwxr-xr-x 1 root root 46672 Mar  6 06:50 /bin/ping
-rwxr-xr-x 1 root root 50264 Mar  6 06:51 /bin/ping6

The missing caps have been set ...

# getcap `which ping`
/bin/ping = cap_net_raw+ep
# getcap `which ping6`
/bin/ping6 = cap_net_raw+ep

So, the file sizes changed again (I didn't record the size of ping6 utility in 
my initial post, and I do not remember it). And the ctime has been changed - I 
will look for a nightly cronjob.

Chris and Scott suggested that some special software (proxy, sniffer) might be 
involved. I will check that, too.

I come back as soon as I find the reason.

Regards, Tim


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/3814520.vkNvbtcoDY@blitz-lx



Re: Who changes /bin/ping on my system ?

2014-03-06 Thread Tim Ruehsen
On Tuesday 04 March 2014 09:16:15 Tim Ruehsen wrote:

> Does anybody know who or what changes my ping utility ? Is this a known bug
> (I couldn't find anything) ?

I just found the package 'prelink' which explains the changes of my ping (and 
all other) binaries. I installed that ~10 years ago and forgot about it :-(.

I am not sure if there is any benefit today with much faster CPU/Memory and 
SSD. I will disable it for a while to see if the pcap problem pops up again 
(last night prelink successfully set the pcaps for /bin/ping(6)).

There might be some other software involved, still have to check that.

Thanks to all for your kind help !

Tim


Archive: https://lists.debian.org/1776918.i4j8SCGdgO@blitz-lx



transparent proxy (was: Re: Who changes /bin/ping on my system ?)

2014-03-05 Thread Chris
Hi Scott,

On 03/04/2014 10:17 AM, Scott Ferguson wrote:
> I route suspect boxes through a transparent proxy to see if there are
> channels in use that shouldn't be.

are you using port mirroring or any special software? iptables logging?

- Chris


Archive: https://lists.debian.org/53180819.2040...@arcor.de



Re: Who changes /bin/ping on my system ?

2014-03-05 Thread Scott Ferguson
On 06/03/14 01:04, Brian wrote:
> On Wed 05 Mar 2014 at 22:48:08 +1100, Scott Ferguson wrote:
>
> '*cp -a* /bin/ping' preserves the suid bit or
> capabilities.

Thanks for the tip on the archive parameter, noted so I won't forget it
- hopefully.

Kind regards


Archive: https://lists.debian.org/5317a920.2000...@gmail.com



Re: Who changes /bin/ping on my system ?

2014-03-05 Thread Brian
On Wed 05 Mar 2014 at 22:48:08 +1100, Scott Ferguson wrote:

> Correction

If you are going to offer one, so will I. :)

You were referencing the line in the article which has

   If you copy ping, it loses its setuid bit and fails to work

This is correct for 'cp /bin/ping'; either the suid bit or the
capabilities is lost. 'cp -a /bin/ping' preserves the suid bit or
capabilities.


Archive: https://lists.debian.org/05032014134954.1e01f7587...@desktop.copernicus.demon.co.uk



Re: Who changes /bin/ping on my system ?

2014-03-05 Thread Scott Ferguson
Correction

On 05/03/14 22:41, Scott Ferguson wrote:
> On 05/03/14 22:23, Brian wrote:
>> On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:
>>
>>   root@testing-jan20:~# getcap /bin/ping
>>   /bin/ping = cap_net_raw+ep
>>
>>   root@testing-jan20:~# cp /bin/ping /bin/myping
>
> Copying will remove the capabilities.

Wrong article (about capabilities not copying), but still a good reference.

> 3rd sentence, first block of code in
> http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html  (good
> article, referenced in my earlier post)
> 


Kind regards


Archive: https://lists.debian.org/53170ef8.4080...@gmail.com



Re: Who changes /bin/ping on my system ?

2014-03-05 Thread Scott Ferguson
On 05/03/14 22:23, Brian wrote:
> On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:
> 
>> There still remains the problem of why does it stop working. Bugreport?
> 
> If the OP had an explanation for his /bin/ping in reality being
> /bin/ping6 it might lead to a reason for his /bin/ping(6) losing its
> capabilities. We then might not have to think in terms of a bug.

Agreed.

> 
> For example:
> 
>   root@testing-jan20:~# getcap /bin/ping
>   /bin/ping = cap_net_raw+ep
> 
>   root@testing-jan20:~# cp /bin/ping /bin/myping

Copying will remove the capabilities.
3rd sentence, first block of code in
http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html  (good
article, referenced in my earlier post)

> 
>   root@testing-jan20:~# getcap /bin/myping
>   root@testing-jan20:~#
> 
>   brian@testing-jan20:~$ ping -c5 www.debian.org
>   PING www.debian.org (5.153.231.4) 56(84) bytes of data.
>   64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=55 time=44.4 ms
>   64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=55 time=43.8 ms
>   64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=55 time=43.9 ms
>   64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=4 ttl=55 time=44.2 ms
>   64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=5 ttl=55 time=44.0 ms
> 
>   --- www.debian.org ping statistics ---
>   5 packets transmitted, 5 received, 0% packet loss, time 4005ms
>   rtt min/avg/max/mdev = 43.885/44.125/44.458/0.307 ms
> 
>   brian@testing-jan20:~$ myping -c5 www.debian.org
>   ping: icmp open socket: Operation not permitted
> 
> Capabilities are preserved using mv.
> 
> 
Interesting.

Kind regards


Archive: https://lists.debian.org/53170d5d.2070...@gmail.com



Re: Who changes /bin/ping on my system ?

2014-03-05 Thread Brian
On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:

> There still remains the problem of why does it stop working. Bugreport?

If the OP had an explanation for his /bin/ping in reality being
/bin/ping6 it might lead to a reason for his /bin/ping(6) losing its
capabilities. We then might not have to think in terms of a bug.

For example:

  root@testing-jan20:~# getcap /bin/ping
  /bin/ping = cap_net_raw+ep

  root@testing-jan20:~# cp /bin/ping /bin/myping

  root@testing-jan20:~# getcap /bin/myping
  root@testing-jan20:~#

  brian@testing-jan20:~$ ping -c5 www.debian.org
  PING www.debian.org (5.153.231.4) 56(84) bytes of data.
  64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=55 time=44.4 ms
  64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=55 time=43.8 ms
  64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=55 time=43.9 ms
  64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=4 ttl=55 time=44.2 ms
  64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=5 ttl=55 time=44.0 ms

  --- www.debian.org ping statistics ---
  5 packets transmitted, 5 received, 0% packet loss, time 4005ms
  rtt min/avg/max/mdev = 43.885/44.125/44.458/0.307 ms

  brian@testing-jan20:~$ myping -c5 www.debian.org
  ping: icmp open socket: Operation not permitted

Capabilities are preserved using mv.


Archive: https://lists.debian.org/20140305112347.gf8...@copernicus.demon.co.uk
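An added check, not code from this thread or from the iputils package, that decodes the security.capability xattr getcap reads (the vfs_cap_data layout from linux/capability.h) and reports what the thread checked by hand: Brian's cp demonstration above (a copy that lost its xattr decodes to an empty set, unless the postinst's setuid fallback is in place) and Tim's prelink finding at the top of the thread (an inode whose ctime is newer than the last dpkg run). The expected value cap_net_raw+ep is the one the quoted iputils postinst sets; using the mtime of /var/lib/dpkg/status as "last dpkg run" is an assumed heuristic.

```python
import os
import struct

# Capability bit numbers from linux/capability.h; unnamed ones print as cap_<n>.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin", 31: "cap_setfcap"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000     # one u32 pair; revisions 2 and 3 carry two
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" in getcap's "+ep"

def decode_vfs_caps(blob):
    """Decode a raw security.capability value (struct vfs_cap_data, little-endian)
    into getcap's text form, e.g. "cap_net_raw+ep"; "" when no bit is set.
    Assumes permitted and inheritable are equal or one is empty, the usual case."""
    magic_etc, = struct.unpack_from("<I", blob, 0)
    pairs = 1 if (magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    bits = permitted | inheritable
    if not bits:
        return ""
    names = [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if bits >> b & 1]
    flags = ("e" if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else "") + \
            ("i" if inheritable else "") + ("p" if permitted else "")
    return ",".join(names) + "+" + flags

def check_binary(path, expected="cap_net_raw+ep", since=None):
    """Inspect one binary the way the thread did by hand: decode its file caps,
    note whether the postinst's setuid fallback is in place instead, and report
    whether the inode changed (ctime) after `since`, e.g. the last dpkg run."""
    st = os.stat(path)
    try:
        caps = decode_vfs_caps(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):   # no xattr set, or not a Linux host
        caps = ""
    setuid = bool(st.st_mode & 0o4000)
    return {
        "caps": caps,
        "setuid": setuid,
        "usable_unprivileged": caps == expected or setuid,
        "changed_since": since is not None and st.st_ctime > since,
    }

if __name__ == "__main__":
    # Assumed heuristic: dpkg rewrites its status file on every package operation,
    # so a newer ctime on the binary means something else (prelink, setcap) touched it.
    status = "/var/lib/dpkg/status"
    last_dpkg = os.path.getmtime(status) if os.path.exists(status) else None
    for binary in ("/bin/ping", "/bin/ping6"):
        if os.path.exists(binary):
            print(check_binary(binary, since=last_dpkg))
```

A `cp`'d copy, as in Brian's test, shows up with `caps == ""` and `usable_unprivileged` false; a binary rewritten by a nightly prelink run shows `changed_since` true.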



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread Scott Ferguson
On 05/03/14 09:46, John Hasler wrote:
> Scott Ferguson writes:
>> Sorry I don't have access to a Sid box at the moment - perhaps someone
>> who has, and for whom ping is working could post the output of "getcap
>> `which ping`"??
> 
> /bin/ping = cap_net_raw+p
> 

Thanks John (it was a long shot guess on my part).

So if the OP (Tim) doesn't need to get that output from getcap it should
be reset:-

# setcap cap_net_raw+p `which ping`

NOTE: I haven't tested that as I'm not running unstable; adding the -v
parameter will give much more information about the outcome.

There still remains the problem of why does it stop working. Bugreport?

Kind regards


Refs:-
man getcap
man setcap
man cap_from_text
http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html


Archive: https://lists.debian.org/531663c8.6030...@gmail.com



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread Brian
On Wed 05 Mar 2014 at 09:29:18 +1100, Scott Ferguson wrote:

> > On 04/03/14 19:16, Tim Ruehsen wrote:
> >> Setting up iputils-ping (3:20121221-5) ...
> >> Setcap worked! *Ping(6) is not suid!*
> 
> The above line, emphasis mine, is what prompted second thoughts.
> Perhaps one of the changes between the version you are running and mine
> is that ping is no longer meant to run suid?

In unstable iputils-ping recommends libcap2-bin, which has setcap. From
the postinst:

  # If we have setcap is installed, try setting cap_net_raw+ep,
  # which allows us to install our binaries without the setuid
  # bit.

Also:

  root@desktop:~# apt-get  install iputils-ping --no-install-recommends
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Recommended packages:
    libcap2-bin
  The following NEW packages will be installed:
    iputils-ping
  0 upgraded, 1 newly installed, 0 to remove and 170 not upgraded.
  Need to get 0 B/54.2 kB of archives.
  After this operation, 112 kB of additional disk space will be used.
  Selecting previously unselected package iputils-ping.
  (Reading database ... 45120 files and directories currently installed.)
  Preparing to unpack .../iputils-ping_3%3a20121221-5_i386.deb ...
  Unpacking iputils-ping (3:20121221-5) ...
  Processing triggers for man-db (2.6.5-3) ...
  Setting up iputils-ping (3:20121221-5) ...
  Setcap is not installed, falling back to setuid


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140304233708.ge8...@copernicus.demon.co.uk



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread John Hasler
Scott Ferguson writes:
> Sorry I don't have access to a Sid box at the moment - perhaps someone
> who has, and for whom ping is working could post the output of "getcap
> `which ping`"??

/bin/ping = cap_net_raw+p
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87lhwpk2fk@thumper.dhh.gt.org



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread Scott Ferguson
Second thoughts

On 04/03/14 20:17, Scott Ferguson wrote:
> On 04/03/14 19:16, Tim Ruehsen wrote:
>> Hi,
>>
>> every now and then ping loses its capabilities to be executed by a normal 
>> user. Like here:
>> $ ping example.com
>> ping: icmp open socket: Operation not permitted
>>

>>
>> Now I reinstalled iputils-ping:
>> # apt-get --reinstall install iputils-ping
>> Reading package lists... Done
>> Building dependency tree   
>> Reading state information... Done
>> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
>> Need to get 0 B/56.3 kB of archives.
>> After this operation, 0 B of additional disk space will be used.
>> (Reading database ... 443041 files and directories currently installed.)
>> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
>> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
>> Processing triggers for man-db (2.6.6-1) ...
>> Setting up iputils-ping (3:20121221-5) ...
>> Setcap worked! *Ping(6) is not suid!*

The above line, emphasis mine, is what prompted second thoughts.
Perhaps one of the changes between the version you are running and mine
is that ping is no longer meant to run suid?

Sorry I don't have access to a Sid box at the moment - perhaps someone
who has, and for whom ping is working could post the output of "getcap
`which ping`"??

I don't 'know' how this would be achieved; setcap is a clue, an iputils
group 'might' be another; you could check the changelog in the docs
directory.
Perhaps *if* setcap is used when working you'd see the following (or
similar)?
# getcap `which ping`
/usr/bin/ping = cap_net_raw+ep

>>
>> # ls -la /bin/ping
>> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
> 
> $ ls -l `which ping`
> -rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping # different results
> and I don't get your error - ever.
> 
> iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).
> 
>>


Kind regards


Archive: https://lists.debian.org/531653be.1030...@gmail.com



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread Brian
On Tue 04 Mar 2014 at 09:16:15 +0100, Tim Ruehsen wrote:

> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping

The file size indicates this is /bin/ping6 (amd64 platform)
 
> Now I reinstalled iputils-ping:
> 
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

The file size indicates this is /bin/ping (amd64 platform)

> For me it looks like ping utility is changed from time to time without setting
> the correct pcaps (rootkit bug ?).

I'm unsure what to think but it seems you are involved and not a bug/rootkit.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with 
> no success) ?

Nobody has any success with chkrootkit.


Archive: https://lists.debian.org/04032014122114.0fa1f6e39...@desktop.copernicus.demon.co.uk



Re: Who changes /bin/ping on my system ?

2014-03-04 Thread Scott Ferguson
On 04/03/14 19:16, Tim Ruehsen wrote:
> Hi,
> 
> every now and then ping loses its capabilities to be executed by a normal 
> user. Like here:
> $ ping example.com
> ping: icmp open socket: Operation not permitted
> 
> I didn't care so far and just reinstalled iputils-ping and everything worked 
> again. I did this three or four times since ~ November 2013.
> 
> Today I had the problem again and took time to look at it a bit closer. Right 
> before, I made a apt-get update / apt-get dist-upgrade (but iputils-ping 
> wasn't included here).
> 
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
> 
> Now I reinstalled iputils-ping:
> # apt-get --reinstall install iputils-ping
> Reading package lists... Done
> Building dependency tree   
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
> Need to get 0 B/56.3 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 443041 files and directories currently installed.)
> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
> Processing triggers for man-db (2.6.6-1) ...
> Setting up iputils-ping (3:20121221-5) ...
> Setcap worked! Ping(6) is not suid!
> 
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

$ ls -l `which ping`
-rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping # different results
and I don't get your error - ever.

iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).

> 
> For me it looks like ping utility is changed from time to time without setting
> the correct pcaps (rootkit bug ?).

I can't definitely say no, nor can I think of why a rootkit would do
that. Certainly it's a bug.

> 
> Does anybody know who or what changes my ping utility ? Is this a known bug (I
> couldn't find anything) ?

Nor could I, though I only did a quick search. Definitely file a bugreport.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with 
> no success) ?

No opinion there.

Check the md5 of the binary as a start?

I route suspect boxes through a transparent proxy to see if there are
channels in use that shouldn't be.

> 
> My system is a Debian Sid / unstable
> 
> Thanks for any help or suggestions.
> 
>   Tim
> 
> 

Kind regards


Archive: https://lists.debian.org/53159a17.3030...@gmail.com