* sshd.exe infected with IDP.Generic?
From: Ernie Rael @ 2020-07-10 19:01 UTC
To: cygwin
On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And
not very often.
Below is an excerpt of something potentially horrible that just happened.
Note the
rm *
I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a
different bash window. And this time avast reported that it stashed
sshd.exe into the virus chest.
I'm not sure who/what the culprit is, or what's going on. But it does
look like there was (is?) some kind of infection somewhere on my system.
I had used ftp earlier to put a file to a remote, but...?
I didn't realize that netstat was a windows command (not that I wouldn't
have used it).
I've got the sshd.exe file. It has a date of Feb 18. So
* Can I check if the bits in sshd.exe are as expected?
* Any suggestions on cleaning up and/or restoring sanity? (I'm running
a full virus scan right now, should be amusing...)
* How can I get sshd.exe back? Is there a cygwin command to check that
the packages are all as they should be?
-ernie
=============== EXCERPT ==========================
>
> $ ssh xxx@yyy
> Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
> ____________________, ______________________________________
> .QQQQQQQQQQQQQQQQQQQQQQQQL_ | |
> .gQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ__
> | |
> ........
>
> ADMIN ~
> $ netstat -b -a | less
>
>
> ######################### worked but had to ^Z/kill to get out
>
> ADMIN ~
> $
>
> ADMIN ~
> $
>
> ADMIN ~
> $ rm *
> rm: cannot remove 'play': Is a directory
> rm: cannot remove 'system': Is a directory
>
> ADMIN erra@spirit ~
> $
>
>
> ADMIN ~/play
> $ netstat -b -a | less
>
> ######################### let netstat complete normally, got out of
> less ok
>
>
> ADMIN ~/play
> $ client_loop: send disconnect: Connection reset by peer
* Re: sshd.exe infected with IDP.Generic?
From: Marco Atzeri @ 2020-07-10 19:59 UTC
To: cygwin
On 10.07.2020 21:01, Ernie Rael wrote:
> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And
> not very often.
>
> Below is an excerpt of something potentially horrible that just happened.
>
> Note the
>
> rm *
>
> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a
> different bash window. And this time avast reported that it stashed
> sshd.exe into the virus chest.
>
Check on an online virus scan.
I will bet on a false positive.
* Re: sshd.exe infected with IDP.Generic?
From: Brian Inglis @ 2020-07-10 20:37 UTC
To: cygwin
On 2020-07-10 13:59, Marco Atzeri via Cygwin wrote:
> On 10.07.2020 21:01, Ernie Rael wrote:
>> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And not
>> very often.
>> Below is an excerpt of something potentially horrible that just happened.
>> Note the
>> rm *
>> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different
>> bash window. And this time avast reported that it stashed sshd.exe into the
>> virus chest.
> check on a online virus scan.
> I will bet in a false positive
IDP.Generic is just a generic *warning* from an identity detection protection
scanner: a flaky AV detects that privileged software contains some instructions,
or does something, that it recognizes as similar to some identity theft malware.
$ sha256sum /usr/sbin/sshd.exe
e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb */usr/sbin/sshd.exe
https://www.virustotal.com/gui/file/e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb/detection
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
* Re: sshd.exe infected with IDP.Generic?
From: Ernie Rael @ 2020-07-11 14:47 UTC
To: cygwin
Thanks for response Marco and Brian.
I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly
type (it was in the typeahead buffer when less finally finished and I
had been "randomly" hitting keys to get it to end) followed shortly
thereafter by avast moving sshd.exe to quarantine. I suppose the command
could have mysteriously come from some history since I do use the rm
command regularly ;-) Hmm, use -I? I lost almost nothing since the admin
acct in cygwin's /home is only used for ssh to local and there are
backups to look at.
As far as getting things back to normal...
Asking avast to "put it back" failed. I did "extract" it, but
owner/permissions seem screwed up.
> $ ls -l sshd.exe
> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
I put it back, with u+rx, ran cygwin's setup and its package had been
updated recently, sshd was updated, and things seem back to normal.
First I had virus scanned the entire system, took all day, it did find
something in an archived copy of a system I had 10 years ago.
-ernie
PS virustotal is cool
https://www.virustotal.com/gui/file/8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d/detection
* Re: sshd.exe infected with IDP.Generic?
From: Brian Inglis @ 2020-07-11 19:45 UTC
To: cygwin
On 2020-07-11 08:47, Ernie Rael wrote:
> I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly type (it
> was in the typeahead buffer when less finally finished and I had been "randomly"
> hitting keys to get it to end) followed shortly thereafter by avast moving
> sshd.exe to quarantine. I suppose the command could have mysteriously come from
> some history since I do use the rm command regularly ;-) Hmm, use -I? I lost
> almost nothing since the admin acct in cygwin's /home is only used for ssh to
> local and there are backups to look at.
>
> As far as getting things back to normal...
>
> Asking avast to "put it back" failed. I did "extract" it, but owner/permissions
> seem screwed up.
>> $ ls -l sshd.exe
>> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
> I put it back, with u+rx, ran cygwin's setup and it's package had been updated
> recently, sshd was updated, and things seem back to normal. First I had virus
> scanned the entire system, took all day, it did find something in an archived
> copy of a system I had 10 years ago.
To extract anything from your downloaded packages directory, you can use an
elevated admin shell command like:
$ tar -xv -C / \
      -f <downloaded packages directory>/*tp*%3a%2f%2f*cygwin*%2f/x86*/release/openssh/openssh-8.3p1-1.tar.xz \
      usr/sbin/sshd.exe
to extract the relative path under the Cygwin root (important, which is why I jam
-C / in before -f, to avoid forgetting it!) - that way I don't have to mv it from
under my current directory if I forget to add it at the end.
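Ernie's question of whether "the bits in sshd.exe are as expected" and Brian's two answers (the sha256sum/VirusTotal check earlier in the thread and the single-member tar extraction just above) fit together into one script. What follows is an added example, not code from the thread or from Cygwin: tarball_matches_setup_ini checks a cached package tarball against the sha512 that setup.ini records on its "install:" line (setup.ini is the file setup.exe verifies against its GPG signature, so it is the trust anchor here), and installed_matches_package extracts the one member into a scratch directory, never under /, and compares its sha256 with the installed file. The fixture (a fake uncompressed openssh tarball, a three-line setup.ini and a fake installed sshd.exe) is constructed for the demo; in real use the arguments would be the cached openssh-*.tar.xz, the mirror's setup.ini and /usr/sbin/sshd.exe. GNU tar auto-detects compression on extraction, so the same function works on the real .tar.xz.

```shell
#!/bin/bash
# Added example (not from the thread or from Cygwin): check an installed Cygwin
# binary against the copy inside the package tarball in setup's download cache,
# and check that tarball against the sha512 recorded in setup.ini.
set -u

# Return 0 if the sha512 that setup.ini ($1) records on the "install:" line for
# package path $2 matches the tarball at $3; 1 on mismatch, 2 if no such line.
tarball_matches_setup_ini() {
    local ini="$1" relpath="$2" tarball="$3"
    local want have
    # setup.ini format: "install: <relative path> <size> <sha512>"
    want=$(awk -v p="$relpath" '$1 == "install:" && $2 == p { print $4; exit }' "$ini")
    [ -n "$want" ] || { echo "no install: line for $relpath in $ini" >&2; return 2; }
    have=$(sha512sum "$tarball" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Return 0 if installed file $3 is byte-identical to member $2 of tarball $1.
installed_matches_package() {
    local tarball="$1" member="$2" installed="$3"
    local tmp pkg_sum inst_sum
    tmp=$(mktemp -d) || return 2
    # Extract only the one member, under a scratch root rather than /.
    if ! tar -x -C "$tmp" -f "$tarball" "$member"; then
        rm -rf "$tmp"; return 2
    fi
    pkg_sum=$(sha256sum "$tmp/$member" | awk '{ print $1 }')
    inst_sum=$(sha256sum "$installed" | awk '{ print $1 }')
    rm -rf "$tmp"
    echo "package:   $pkg_sum"
    echo "installed: $inst_sum"
    [ "$pkg_sum" = "$inst_sum" ]
}

# --- constructed demo fixture (stands in for the real download cache) -------
# Builds a fake openssh tarball containing usr/sbin/sshd.exe, a setup.ini that
# records its sha512, and an "installed" copy to check. Uncompressed tar is
# used only so the demo does not depend on xz being present.
make_fixture() {
    local root="$1"
    local tb="$root/cache/x86_64/release/openssh/openssh-8.3p1-1.tar"
    mkdir -p "$root/pkgroot/usr/sbin" "$root/cache/x86_64/release/openssh" "$root/installed"
    printf 'fake sshd.exe bytes (constructed for the demo)\n' > "$root/pkgroot/usr/sbin/sshd.exe"
    tar -c -C "$root/pkgroot" -f "$tb" usr/sbin/sshd.exe
    local sum size
    sum=$(sha512sum "$tb" | awk '{ print $1 }')
    size=$(wc -c < "$tb")
    {
        echo "@ openssh"
        echo "version: 8.3p1-1"
        echo "install: x86_64/release/openssh/openssh-8.3p1-1.tar $size $sum"
    } > "$root/setup.ini"
    cp "$root/pkgroot/usr/sbin/sshd.exe" "$root/installed/sshd.exe"
}

demo() {
    local root; root=$(mktemp -d)
    make_fixture "$root"
    local tb="$root/cache/x86_64/release/openssh/openssh-8.3p1-1.tar"
    tarball_matches_setup_ini "$root/setup.ini" \
        x86_64/release/openssh/openssh-8.3p1-1.tar "$tb" && echo "tarball matches setup.ini"
    installed_matches_package "$tb" usr/sbin/sshd.exe "$root/installed/sshd.exe" && echo "sshd.exe MATCH"
    # Tamper with the installed copy: one appended byte is enough to change the hash.
    printf 'X' >> "$root/installed/sshd.exe"
    installed_matches_package "$tb" usr/sbin/sshd.exe "$root/installed/sshd.exe" || echo "sshd.exe MISMATCH"
    rm -rf "$root"
}
demo
```

Checking the tarball against setup.ini first matters because the download cache is just a directory under the user's control: a tampered binary could come with a tampered tarball, whereas setup.ini is fetched fresh and signature-checked by setup.exe.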