Re: Who changes /bin/ping on my system ?
On Tuesday 04 March 2014 12:33:16 Brian wrote:
> On Tue 04 Mar 2014 at 09:16:15 +0100, Tim Ruehsen wrote:
>
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
>
> The file size indicates this is /bin/ping6 (amd64 platform)
>
> > Now I reinstalled iputils-ping:
> >
> > # ls -la /bin/ping
> > -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
>
> The file size indicates this is /bin/ping (amd64 platform)
>
> > For me it looks like ping utility is changed from time to time without
> > setting the correct pcaps (rootkit bug ?).
>
> I'm unsure what to think but it seems you are involved and not a
> bug/rootkit.

I was really busy the last three days, so please excuse my late answer. And many thanks to everybody involved (I just read your posts).

Here is an update:

Last evening I left my machine running - this morning the ping tools look like:

# ls -la /bin/ping*
-rwxr-xr-x 1 root root 46672 Feb 1 22:18 /bin/ping
-rwxr-xr-x 1 root root 50264 Feb 1 22:18 /bin/ping6

# ls -lac /bin/ping*
-rwxr-xr-x 1 root root 46672 Mar 6 06:50 /bin/ping
-rwxr-xr-x 1 root root 50264 Mar 6 06:51 /bin/ping6

The missing caps have been set ...

# getcap `which ping`
/bin/ping = cap_net_raw+ep
# getcap `which ping6`
/bin/ping6 = cap_net_raw+ep

So, the file sizes changed again (I didn't record the size of the ping6 utility in my initial post, and I do not remember it). And the ctime has been changed - I will look for a nightly cronjob.

Chris and Scott suggested that some special software (proxy, sniffer) might be involved. I will check that, too.

I will come back as soon as I find the reason.

Regards, Tim

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/3814520.vkNvbtcoDY@blitz-lx
Re: Who changes /bin/ping on my system ?
On Tuesday 04 March 2014 09:16:15 Tim Ruehsen wrote:
> Does anybody know who or what changes my ping utility ? Is this a known bug
> (I couldn't find anything) ?

I just found the package 'prelink' which explains the changes of my ping (and all other) binaries. I installed that ~10 years ago and forgot about it :-(.

I am not sure if there is any benefit today with much faster CPU/Memory and SSD. I will disable it for a while to see if the pcap problem pops up again (last night prelink successfully set the pcaps for /bin/ping(6)).

There might be some other software involved, still have to check that.

Thanks to all for your kind help !

Tim

Archive: https://lists.debian.org/1776918.i4j8SCGdgO@blitz-lx
transparent proxy (was: Re: Who changes /bin/ping on my system ?)
Hi Scott,

On 03/04/2014 10:17 AM, Scott Ferguson wrote:
> I route suspect boxes through a transparent proxy to see if there are
> channels in use that shouldn't be.

are you using port mirroring or any special software? iptables logging?

- Chris

Archive: https://lists.debian.org/53180819.2040...@arcor.de
Re: Who changes /bin/ping on my system ?
On 06/03/14 01:04, Brian wrote:
> On Wed 05 Mar 2014 at 22:48:08 +1100, Scott Ferguson wrote:
>
> '*cp -a* /bin/ping' preserves the suid bit or
> capabilities.
>

Thanks for the tip on the archive parameter, noted so I won't forget it - hopefully.

Kind regards

Archive: https://lists.debian.org/5317a920.2000...@gmail.com
Re: Who changes /bin/ping on my system ?
On Wed 05 Mar 2014 at 22:48:08 +1100, Scott Ferguson wrote:

> Correction

If you are going to offer one, so will I. :)

You were referencing the line in the article which has

   If you copy ping, it loses its setuid bit and fails to work

This is correct for 'cp /bin/ping'; either the suid bit or the capabilities is lost. 'cp -a /bin/ping' preserves the suid bit or capabilities.

Archive: https://lists.debian.org/05032014134954.1e01f7587...@desktop.copernicus.demon.co.uk
Re: Who changes /bin/ping on my system ?
Correction

On 05/03/14 22:41, Scott Ferguson wrote:
> On 05/03/14 22:23, Brian wrote:
>> On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:
>>
>> root@testing-jan20:~# getcap /bin/ping
>> /bin/ping = cap_net_raw+ep
>>
>> root@testing-jan20:~# cp /bin/ping /bin/myping
>
> Copying will remove the capabilities.

Wrong article (about capabilities not copying), but still a good reference.

> 3rd sentence, first block of code in
> http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html (good
> article, referenced in my earlier post)
>

Kind regards

Archive: https://lists.debian.org/53170ef8.4080...@gmail.com
Re: Who changes /bin/ping on my system ?
On 05/03/14 22:23, Brian wrote:
> On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:
>
>> There still remains the problem of why does it stop working. Bugreport?
>
> If the OP had an explanation for his /bin/ping in reality being
> /bin/ping6 it might lead to a reason for his /bin/ping(6) losing its
> capabilities. We then might not have to think in terms of a bug.

Agreed.

>
> For example:
>
> root@testing-jan20:~# getcap /bin/ping
> /bin/ping = cap_net_raw+ep
>
> root@testing-jan20:~# cp /bin/ping /bin/myping

Copying will remove the capabilities.
3rd sentence, first block of code in
http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html (good
article, referenced in my earlier post)

>
> root@testing-jan20:~# getcap /bin/myping
> root@testing-jan20:~#
>
> brian@testing-jan20:~$ ping -c5 www.debian.org
> PING www.debian.org (5.153.231.4) 56(84) bytes of data.
> 64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=55 time=44.4 ms
> 64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=55 time=43.8 ms
> 64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=55 time=43.9 ms
> 64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=4 ttl=55 time=44.2 ms
> 64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=5 ttl=55 time=44.0 ms
>
> --- www.debian.org ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 4005ms
> rtt min/avg/max/mdev = 43.885/44.125/44.458/0.307 ms
>
> brian@testing-jan20:~$ myping -c5 www.debian.org
> ping: icmp open socket: Operation not permitted
>
> Capabilities are preserved using mv.
>

Interesting.

Kind regards

Archive: https://lists.debian.org/53170d5d.2070...@gmail.com
Re: Who changes /bin/ping on my system ?
On Wed 05 Mar 2014 at 10:37:44 +1100, Scott Ferguson wrote:

> There still remains the problem of why does it stop working. Bugreport?

If the OP had an explanation for his /bin/ping in reality being /bin/ping6 it might lead to a reason for his /bin/ping(6) losing its capabilities. We then might not have to think in terms of a bug.

For example:

root@testing-jan20:~# getcap /bin/ping
/bin/ping = cap_net_raw+ep

root@testing-jan20:~# cp /bin/ping /bin/myping

root@testing-jan20:~# getcap /bin/myping
root@testing-jan20:~#

brian@testing-jan20:~$ ping -c5 www.debian.org
PING www.debian.org (5.153.231.4) 56(84) bytes of data.
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=55 time=44.4 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=55 time=43.8 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=55 time=43.9 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=4 ttl=55 time=44.2 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=5 ttl=55 time=44.0 ms

--- www.debian.org ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 43.885/44.125/44.458/0.307 ms

brian@testing-jan20:~$ myping -c5 www.debian.org
ping: icmp open socket: Operation not permitted

Capabilities are preserved using mv.

Archive: https://lists.debian.org/20140305112347.gf8...@copernicus.demon.co.uk
Re: Who changes /bin/ping on my system ?
On 05/03/14 09:46, John Hasler wrote:
> Scott Ferguson writes:
>> Sorry I don't have access to a Sid box at the moment - perhaps someone
>> who has, and for whom ping is working could post the output of "getcap
>> `which ping`"??
>
> /bin/ping = cap_net_raw+p
>

Thanks John (it was a long shot guess on my part).

So if the OP (Tim) doesn't need to get that output from getcap it should be reset:-
# setcap cap_net_raw+p `which ping`

NOTE: I haven't tested that as I'm not running unstable, adding the -v parameter will give much more information about the outcome.

There still remains the problem of why does it stop working. Bugreport?

Kind regards

Refs:-
man getcap
man setcap
man cap_from_text
http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html

Archive: https://lists.debian.org/531663c8.6030...@gmail.com
Re: Who changes /bin/ping on my system ?
On Wed 05 Mar 2014 at 09:29:18 +1100, Scott Ferguson wrote:

> > On 04/03/14 19:16, Tim Ruehsen wrote:
> >> Setting up iputils-ping (3:20121221-5) ...
> >> Setcap worked! *Ping(6) is not suid!*
>
> The above line, emphasis mine, is what prompted second thoughts.
> Perhaps one of the changes between the version you are running and mine
> is that ping is no longer meant to run suid?

In unstable iputils-ping recommends libcap2-bin, which has setcap. From the postinst:

   # If we have setcap is installed, try setting cap_net_raw+ep,
   # which allows us to install our binaries without the setuid
   # bit.

Also:

root@desktop:~# apt-get install iputils-ping --no-install-recommends
Reading package lists... Done
Building dependency tree
Reading state information... Done
Recommended packages:
  libcap2-bin
The following NEW packages will be installed:
  iputils-ping
0 upgraded, 1 newly installed, 0 to remove and 170 not upgraded.
Need to get 0 B/54.2 kB of archives.
After this operation, 112 kB of additional disk space will be used.
Selecting previously unselected package iputils-ping.
(Reading database ... 45120 files and directories currently installed.)
Preparing to unpack .../iputils-ping_3%3a20121221-5_i386.deb ...
Unpacking iputils-ping (3:20121221-5) ...
Processing triggers for man-db (2.6.5-3) ...
Setting up iputils-ping (3:20121221-5) ...
Setcap is not installed, falling back to setuid

Archive: https://lists.debian.org/20140304233708.ge8...@copernicus.demon.co.uk
Re: Who changes /bin/ping on my system ?
Scott Ferguson writes:
> Sorry I don't have access to a Sid box at the moment - perhaps someone
> who has, and for whom ping is working could post the output of "getcap
> `which ping`"??

/bin/ping = cap_net_raw+p

-- 
John Hasler
jhas...@newsguy.com
Elmwood, WI USA

Archive: https://lists.debian.org/87lhwpk2fk@thumper.dhh.gt.org
Re: Who changes /bin/ping on my system ?
Second thoughts

On 04/03/14 20:17, Scott Ferguson wrote:
> On 04/03/14 19:16, Tim Ruehsen wrote:
>> Hi,
>>
>> every now and then ping loses its capabilities to be executed by a normal
>> user. Like here:
>> $ ping example.com
>> ping: icmp open socket: Operation not permitted
>>
>>
>> Now I reinstalled iputils-ping:
>> # apt-get --reinstall install iputils-ping
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
>> Need to get 0 B/56.3 kB of archives.
>> After this operation, 0 B of additional disk space will be used.
>> (Reading database ... 443041 files and directories currently installed.)
>> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
>> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
>> Processing triggers for man-db (2.6.6-1) ...
>> Setting up iputils-ping (3:20121221-5) ...
>> Setcap worked! *Ping(6) is not suid!*

The above line, emphasis mine, is what prompted second thoughts.
Perhaps one of the changes between the version you are running and mine is that ping is no longer meant to run suid?

Sorry I don't have access to a Sid box at the moment - perhaps someone who has, and for whom ping is working could post the output of "getcap `which ping`"??

I don't 'know' how this would be achieved, setcap is a clue, an iputils group 'might' be another, you could check the changelog in the docs directory.

Perhaps *if* setcap is used when working you'd see the following (or similar)?

# getcap `which ping`
/usr/bin/ping = cap_net_raw+ep

>>
>> # ls -la /bin/ping
>> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping
>
> $ ls -l `which ping`
> -rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping # different results
> and I don't get your error - ever.
>
> iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).
>
>> Kind regards

Archive: https://lists.debian.org/531653be.1030...@gmail.com
Re: Who changes /bin/ping on my system ?
On Tue 04 Mar 2014 at 09:16:15 +0100, Tim Ruehsen wrote:

> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping

The file size indicates this is /bin/ping6 (amd64 platform)

> Now I reinstalled iputils-ping:
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

The file size indicates this is /bin/ping (amd64 platform)

> For me it looks like ping utility is changed from time to time without
> setting the correct pcaps (rootkit bug ?).

I'm unsure what to think but it seems you are involved and not a bug/rootkit.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with
> no success) ?

Nobody has any success with chkrootkit.

Archive: https://lists.debian.org/04032014122114.0fa1f6e39...@desktop.copernicus.demon.co.uk
Re: Who changes /bin/ping on my system ?
On 04/03/14 19:16, Tim Ruehsen wrote:
> Hi,
>
> every now and then ping loses its capabilities to be executed by a normal
> user. Like here:
> $ ping example.com
> ping: icmp open socket: Operation not permitted
>
> I didn't care so far and just reinstalled iputils-ping and everything worked
> again. I did this three or four times since ~ November 2013.
>
> Today I had the problem again and took time to look at it a bit closer. Right
> before, I made an apt-get update / apt-get dist-upgrade (but iputils-ping
> wasn't included here).
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 46672 01-02-14 22:18:43 /bin/ping
>
> Now I reinstalled iputils-ping:
> # apt-get --reinstall install iputils-ping
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
> Need to get 0 B/56.3 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 443041 files and directories currently installed.)
> Preparing to unpack .../iputils-ping_3%3a20121221-5_amd64.deb ...
> Unpacking iputils-ping (3:20121221-5) over (3:20121221-5) ...
> Processing triggers for man-db (2.6.6-1) ...
> Setting up iputils-ping (3:20121221-5) ...
> Setcap worked! Ping(6) is not suid!
>
> # ls -la /bin/ping
> -rwxr-xr-x 1 root root 44080 01-02-14 22:18:43 /bin/ping

$ ls -l `which ping`
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping # different results
and I don't get your error - ever.

iputils-ping 3:20101006-1+b1 i386 (Wheezy with backports).

>
> For me it looks like ping utility is changed from time to time without
> setting the correct pcaps (rootkit bug ?).

I can't definitely say no, nor can I think of why a rootkit would do that. Certainly it's a bug.

>
> Does anybody know who or what changes my ping utility ? Is this a known bug
> (I couldn't find anything) ?

Nor could I, though I only did a quick search. Definitely file a bugreport.

> Is there a good rootkit / malware scanner (I am already using chkrootkit with
> no success) ?

No opinion there. Check the md5 of the binary as a start? I route suspect boxes through a transparent proxy to see if there are channels in use that shouldn't be.

>
> My system is a Debian Sid / unstable
>
> Thanks for any help or suggestions.
>
> Tim
>

Kind regards

Archive: https://lists.debian.org/53159a17.3030...@gmail.com
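Scott's "check the md5 of the binary" suggestion and Tim's later discovery that prelink was rewriting his binaries fit together: dpkg records one "md5hex  relative/path" line per installed file in /var/lib/dpkg/info/<package>.md5sums (the list debsums verifies), and prelink rewrites the ELF image on disk, so every prelinked binary fails that check even though nothing hostile happened. prelink also stores what it needs for prelink -u in a .gnu.prelink_undo section, which makes a mismatch triageable: an md5 mismatch on an ELF that carries that section is a prelink rewrite, one without it is something else. The script below is an added example, not code from the thread, dpkg, debsums or prelink. It only understands little-endian ELF64 (the amd64 case in the thread), and the package tree, file names and the fake_elf images it verifies are constructed stand-ins so the demonstration runs offline; on a real system you would point verify_package at "/" and the contents of the package's .md5sums file.

```python
"""Verify installed files against a dpkg .md5sums list and separate prelink
rewrites (ELF carrying .gnu.prelink_undo) from other modifications."""
import hashlib
import os
import struct
import tempfile

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # e_ident .. e_shstrndx, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"        # sh_name .. sh_entsize, 64 bytes


def parse_md5sums(text):
    """'<32 hex>  path' per line (md5sum format) -> {path: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        if len(line) > 34 and line[32:34] == "  ":
            entries[line[34:]] = line[:32]
    return entries


def elf_section_names(data):
    """Section names of an in-memory little-endian ELF64 image; [] if not one."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shoff == 0 or shnum == 0 or shstrndx >= shnum:
        return []  # section headers stripped or inconsistent

    def shdr(i):
        return struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize)

    str_off, str_size = shdr(shstrndx)[4], shdr(shstrndx)[5]
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        start = shdr(i)[0]
        names.append(strtab[start:strtab.index(b"\x00", start)].decode())
    return names


def verify_package(root, md5sums_text):
    """{relative path: 'ok' | 'missing' | 'prelinked' | 'modified'}."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.md5(data).hexdigest() == expected:
            report[rel] = "ok"
        elif ".gnu.prelink_undo" in elf_section_names(data):
            report[rel] = "prelinked"
        else:
            report[rel] = "modified"
    return report


def fake_elf(section_names):
    """Constructed stand-in for a binary: valid ELF64 header, .shstrtab, and one
    empty section per name. Demonstration input only, not a real executable."""
    names = list(section_names) + [".shstrtab"]
    strtab, offsets = b"\x00", {}
    for name in names:
        offsets[name] = len(strtab)
        strtab += name.encode() + b"\x00"
    shoff = 64 + len(strtab)  # header, then the string table, then section headers
    shdrs = struct.pack(ELF64_SHDR, *([0] * 10))  # mandatory null section
    for name in names:
        is_strtab = name == ".shstrtab"
        shdrs += struct.pack(ELF64_SHDR, offsets[name], 3 if is_strtab else 1,
                             0, 0, 64, len(strtab) if is_strtab else 0, 0, 0, 1, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9  # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64,
                       len(names) + 1, len(names))
    return ehdr + strtab + shdrs


def run_demo():
    """Lay out a constructed package tree under a temp dir and verify it."""
    pristine = fake_elf([".text"])
    prelinked = fake_elf([".text", ".gnu.prelink_undo"])
    tampered = pristine + b"\x90\x90"  # constructed: bytes appended, no undo section
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("bin/ping", prelinked), ("bin/ping6", tampered), ("bin/ok", pristine)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        md5sums = "".join("%s  %s\n" % (hashlib.md5(pristine).hexdigest(), p)
                          for p in ("bin/ping", "bin/ping6", "bin/ok", "bin/gone"))
        return verify_package(root, md5sums)


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print("%-10s %s" % (status, path))
```

A "prelinked" verdict only says prelink touched the file; it does not prove the code is the package's, so the honest follow-up is prelink -u (or reinstalling the package) and re-checking the hash, which is also what restores the expected file size Brian used to tell ping from ping6.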