public inbox for cygwin@cygwin.com
* sshd.exe infected with IDP.Generic?
@ 2020-07-10 19:01 Ernie Rael
From: Ernie Rael @ 2020-07-10 19:01 UTC (permalink / raw)
  To: cygwin

On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And 
not very often.

Below is an excerpt of something potentially horrible that just happened.

Note the

    rm *

I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a 
different bash window. And this time avast reported that it stashed 
sshd.exe into the virus chest.

I'm not sure who/what the culprit is, or what's going on. But it does 
look like there was (is?) some kind of infection somewhere on my system. 
I had used ftp earlier to put a file to a remote, but...?

I didn't realize that netstat was a windows command (not that I wouldn't 
have used it).

I've got the sshd.exe file. It has a date of Feb 18. So

  * Can I check if the bits in sshd.exe are as expected?
  * Any suggestions on cleaning up and/or restoring sanity? (I'm running
    a full virus scan right now, should be amusing...)
  * How can I get sshd.exe back? Is there a cygwin command to check that
    the packages are all as they should be?

-ernie

=============== EXCERPT ==========================

>
> $ ssh xxx@yyy
> Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
>       ____________________, ______________________________________
>    .QQQQQQQQQQQQQQQQQQQQQQQQL_ |                                      |
>  .gQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ__ 
> |                                      |
>  ........
>
> ADMIN ~
> $ netstat -b -a | less
>
>
> ######################### worked but had to ^Z/kill to get out
>
> ADMIN ~
> $
>
> ADMIN ~
> $
>
> ADMIN ~
> $ rm *
> rm: cannot remove 'play': Is a directory
> rm: cannot remove 'system': Is a directory
>
> ADMIN erra@spirit ~
> $
>
>
> ADMIN ~/play
> $ netstat -b -a | less
>
> ######################### let netstat complete normally, got out of 
> less ok
>
>
> ADMIN ~/play
> $ client_loop: send disconnect: Connection reset by peer



* Re: sshd.exe infected with IDP.Generic?
@ 2020-07-10 19:59 ` Marco Atzeri
From: Marco Atzeri @ 2020-07-10 19:59 UTC (permalink / raw)
  To: cygwin

On 10.07.2020 21:01, Ernie Rael wrote:
> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And 
> not very often.
> 
> Below is an excerpt of something potentially horrible that just happened.
> 
> Note the
> 
>     rm *
> 
> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a 
> different bash window. And this time avast reported that it stashed 
> sshd.exe into the virus chest.
> 

Check on an online virus scan.
I will bet on a false positive.



* Re: sshd.exe infected with IDP.Generic?
@ 2020-07-10 20:37   ` Brian Inglis
From: Brian Inglis @ 2020-07-10 20:37 UTC (permalink / raw)
  To: cygwin

On 2020-07-10 13:59, Marco Atzeri via Cygwin wrote:
> On 10.07.2020 21:01, Ernie Rael wrote:
>> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And not
>> very often.
>> Below is an excerpt of something potentially horrible that just happened.
>> Note the
>> rm *
>> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different
>> bash window. And this time avast reported that it stashed sshd.exe into the
>> virus chest.

> check on a online virus scan.
> I will bet in a false positive

IDP.Generic is just a generic *warning* from an identity detection protection
scanner: a flaky AV detects that privileged software contains some instructions
or does something that it recognizes as similar to some identity-theft malware.

$ sha256sum /usr/sbin/sshd.exe
e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb */usr/sbin/sshd.exe

https://www.virustotal.com/gui/file/e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb/detection

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]


* Re: sshd.exe infected with IDP.Generic?
@ 2020-07-11 14:47 ` Ernie Rael
From: Ernie Rael @ 2020-07-11 14:47 UTC (permalink / raw)
  To: cygwin

Thanks for the response, Marco and Brian.

I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly 
type (it was in the typeahead buffer when less finally finished and I 
had been "randomly" hitting keys to get it to end) followed shortly 
thereafter by avast moving sshd.exe to quarantine. I suppose the command 
could have mysteriously come from some history since I do use the rm 
command regularly ;-) Hmm, use -I? I lost almost nothing since the admin 
acct in cygwin's /home is only used for ssh to local and there are 
backups to look at.

As far as getting things back to normal...

Asking avast to "put it back" failed. I did "extract" it, but 
owner/permissions seem screwed up.
> $ ls -l sshd.exe
> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
I put it back, with u+rx, ran cygwin's setup (its package had been 
updated recently, so sshd was updated), and things seem back to normal. 
First I had virus-scanned the entire system; it took all day, and it did 
find something in an archived copy of a system I had 10 years ago.

-ernie

PS virustotal is cool
https://www.virustotal.com/gui/file/8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d/detection


* Re: sshd.exe infected with IDP.Generic?
@ 2020-07-11 19:45   ` Brian Inglis
From: Brian Inglis @ 2020-07-11 19:45 UTC (permalink / raw)
  To: cygwin

On 2020-07-11 08:47, Ernie Rael wrote:
> I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly type (it
> was in the typeahead buffer when less finally finished and I had been "randomly"
> hitting keys to get it to end) followed shortly thereafter by avast moving
> sshd.exe to quarantine. I suppose the command could have mysteriously come from
> some history since I do use the rm command regularly ;-) Hmm, use -I? I lost
> almost nothing since the admin acct in cygwin's /home is only used for ssh to
> local and there are backups to look at.
> 
> As far as getting things back to normal...
> 
> Asking avast to "put it back" failed. I did "extract" it, but owner/permissions
> seem screwed up.
>> $ ls -l sshd.exe
>> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
> I put it back, with u+rx, ran cygwin's setup and it's package had been updated
> recently, sshd was updated, and things seem back to normal. First I had virus
> scanned the entire system, took all day, it did find something in an archived
> copy of a system I had 10 years ago.

To extract anything from your downloaded packages directory, you can use an
elevated admin shell command like:

$ tar -xv -C / -f <downloaded packages directory>/*tp*%3a%2f%2f*cygwin*%2f/x86*/release/openssh/openssh-8.3p1-1.tar.xz \
    usr/sbin/sshd.exe

to extract the relative path under the Cygwin root (important, which is why I jam -C /
before -f, to avoid forgetting it!) - that way I don't have to mv it from under
my current directory if I forget to add it at the end.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
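One way to answer the "are the bits in sshd.exe as expected?" question from the first message offline, without relying on an AV verdict: hash the installed file (as Brian did with sha256sum) and compare it with the copy inside the downloaded package archive his tar command extracts from. This is an added example, not code from the thread or from the Cygwin project; the member path usr/sbin/sshd.exe and the archive layout are assumptions, and demo() runs on a constructed in-memory tar.xz rather than a real package.

```python
import hashlib
import io
import tarfile

def _hash_stream(f) -> str:
    """SHA-256 of a readable binary stream, chunked so large binaries fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()

def member_sha256(archive, member: str) -> str:
    """Hash one member of a tar archive (xz/gz/bz2/plain) without writing it to disk.
    `archive` is a path, e.g. .../openssh-8.3p1-1.tar.xz (assumed), or an open binary file."""
    opener = {"fileobj": archive} if hasattr(archive, "read") else {"name": archive}
    with tarfile.open(mode="r:*", **opener) as tf:
        f = tf.extractfile(member)
        if f is None:  # directory, symlink or missing entry
            raise KeyError(f"{member} is not a regular file in the archive")
        return _hash_stream(f)

def verify_installed(installed, archive, member="usr/sbin/sshd.exe"):
    """Return (match, installed_sha256, packaged_sha256); `installed` is a path or raw bytes."""
    if isinstance(installed, (bytes, bytearray)):
        got = _hash_stream(io.BytesIO(installed))
    else:
        with open(installed, "rb") as f:
            got = _hash_stream(f)
    want = member_sha256(archive, member)
    return got == want, got, want

def build_demo_archive(contents: dict) -> io.BytesIO:
    """Constructed stand-in for a downloaded package: in-memory tar.xz of {member: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for name, data in contents.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def demo() -> dict:
    """Constructed data only: an intact copy matches, a copy with one extra byte does not."""
    good = b"MZ" + b"\x00" * 62 + b"constructed sshd.exe stand-in"
    archive = build_demo_archive({"usr/sbin/sshd.exe": good})
    intact, _, _ = verify_installed(good, archive)
    archive.seek(0)  # the BytesIO was consumed by the first check
    tampered, _, _ = verify_installed(good + b"\x90", archive)
    return {"intact": intact, "tampered": tampered}
```

On a real system, call verify_installed("/usr/sbin/sshd.exe", "<path to openssh-8.3p1-1.tar.xz>") and treat a mismatch as "reinstall the package from a fresh download", not as proof of infection on its own, since an upgrade between download and check also changes the hash.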

