From: Ernie Rael
Subject: Re: sshd.exe infected with IDP.Generic?
To: cygwin@cygwin.com
Date: Sat, 11 Jul 2020 07:47:50 -0700
Message-ID: <0d7fac03-61f9-d512-8cb5-a643a361f2a3@raelity.com>
In-Reply-To: <14cda058-251c-21f2-e153-edf37ef9ef91@raelity.com>
List-Id: General Cygwin discussions and problem reports

Thanks for the response, Marco and Brian.

I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly type (it was in the typeahead buffer when less finally finished and I had been "randomly" hitting keys to get it to end), followed shortly thereafter by avast moving sshd.exe to quarantine. I suppose the command could have mysteriously come from some history since I do use the rm command regularly ;-) Hmm, use -I?

I lost almost nothing since the admin acct in cygwin's /home is only used for ssh to local and there are backups to look at.

As far as getting things back to normal... Asking avast to "put it back" failed. I did "extract" it, but owner/permissions seem screwed up.
> $ ls -l sshd.exe
> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe

I put it back with u+rx, ran cygwin's setup, and its package had been updated recently; sshd was updated, and things seem back to normal.

First I had virus-scanned the entire system; it took all day, and it did find something in an archived copy of a system I had 10 years ago.

-ernie

PS virustotal is cool
https://www.virustotal.com/gui/file/8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d/detection

On 7/10/2020 12:01 PM, Ernie Rael wrote:
> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And
> not very often.
>
> Below is an excerpt of something potentially horrible that just happened.
>
> Note the
>
>    rm *
>
> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a
> different bash window. And this time avast reported that it stashed
> sshd.exe into the virus chest.
>
> I'm not sure who/what the culprit is, or what's going on. But it does
> look like there was (is?) some kind of infection somewhere on my
> system. I had used ftp earlier to put a file to a remote, but...?
>
> I didn't realize that netstat was a windows command (not that I
> wouldn't have used it).
>
> I've got the sshd.exe file. It has a date of Feb 18. So
>
>  * Can I check if the bits in sshd.exe are as expected?
>  * Any suggestions on cleaning up and/or restoring sanity? (I'm running
>    a full virus scan right now, should be amusing...)
>  * How can I get sshd.exe back? Is there a cygwin command to check that
>    the packages are all as they should be?
>
> -ernie
>
> =============== EXCERPT ==========================
>
>>
>> $ ssh xxx@yyy
>> Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
>>       ____________________, ______________________________________
>>    .QQQQQQQQQQQQQQQQQQQQQQQQL_ |                                      |
>>  .gQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ__
>> |                                      |
>>  ........
>>
>> ADMIN ~
>> $ netstat -b -a | less
>>
>>
>> ######################### worked but had to ^Z/kill to get out
>>
>> ADMIN ~
>> $
>>
>> ADMIN ~
>> $
>>
>> ADMIN ~
>> $ rm *
>> rm: cannot remove 'play': Is a directory
>> rm: cannot remove 'system': Is a directory
>>
>> ADMIN erra@spirit ~
>> $
>>
>>
>> ADMIN ~/play
>> $ netstat -b -a | less
>>
>> ######################### let netstat complete normally, got out of
>> less ok
>>
>>
>> ADMIN ~/play
>> $ client_loop: send disconnect: Connection reset by peer
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
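The quoted question about whether the bits in sshd.exe are as expected, and the owner/permission trouble the reply describes after extracting the file from quarantine, can be checked together before the binary is put back into service. The following is an added example, not code from this thread or from Cygwin; it assumes the SHA-256 in the VirusTotal link above is the clean build's hash, and it runs on the Cygwin (POSIX) side where mode bits like "----rwxr-x+" are meaningful.

```python
import hashlib
import os
import stat
import tempfile

# SHA-256 from the VirusTotal link in the thread; assumed to be the clean build's hash.
EXPECTED_SHA256 = "8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d"

def sha256_file(path):
    """Hash in 1 MiB chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def mode_problems(path):
    """Flag mode bits like '----rwxr-x+' from the thread, where the owner has nothing."""
    mode = os.stat(path).st_mode
    problems = []
    if not mode & stat.S_IRUSR:
        problems.append("owner cannot read")
    if not mode & stat.S_IXUSR:
        problems.append("owner cannot execute")
    return problems

def verify_binary(path, expected_sha256):
    """Report digest (None if unreadable), whether it matches, and mode findings."""
    try:
        digest = sha256_file(path)
    except PermissionError:
        digest = None
    return {"sha256": digest,
            "hash_ok": digest == expected_sha256.lower(),
            "mode_problems": mode_problems(path)}

def demo():
    """Constructed sample: known contents, first with the broken mode from
    the thread, then after the chmod u+rx the reply describes."""
    known = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # sha256(b"abc")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd.exe")
        with open(path, "wb") as f:
            f.write(b"abc")
        os.chmod(path, 0o050)  # owner has no access, like the ls output
        before = verify_binary(path, known)
        os.chmod(path, 0o750)  # after chmod u+rwx
        after = verify_binary(path, known)
    return before, after
```

For the real file, call verify_binary("/usr/sbin/sshd.exe", EXPECTED_SHA256) on the Cygwin side and refuse to restore it unless hash_ok is true and mode_problems is empty.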