From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ernie Rael
To: cygwin@cygwin.com
Subject: sshd.exe infected with IDP.Generic?
Message-ID: <14cda058-251c-21f2-e153-edf37ef9ef91@raelity.com>
Date: Fri, 10 Jul 2020 12:01:16 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
X-Antivirus: Avast (VPS 200710-8, 07/10/2020), Outbound message
List-Id: General Cygwin discussions and problem reports

On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And not very often.

Below is an excerpt of something potentially horrible that just happened. Note the rm *

I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different bash window. And this time avast reported that it stashed sshd.exe into the virus chest.

I'm not sure who/what the culprit is, or what's going on. But it does look like there was (is?) some kind of infection somewhere on my system. I had used ftp earlier to put a file to a remote, but...?

I didn't realize that netstat was a windows command (not that I wouldn't have used it).

I've got the sshd.exe file. It has a date of Feb 18. So

* Can I check if the bits in sshd.exe are as expected?
* Any suggestions on cleaning up and/or restoring sanity? (I'm running a full virus scan right now, should be amusing...)
* How can I get sshd.exe back? Is there a cygwin command to check that the packages are all as they should be?
-ernie

=============== EXCERPT ==========================
>
> $ ssh xxx@yyy
> Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
>       ____________________, ______________________________________
>    .QQQQQQQQQQQQQQQQQQQQQQQQL_ |                                      |
>  .gQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ__
> |                                      |
>  ........
>
> ADMIN ~
> $ netstat -b -a | less
>
> ######################### worked but had to ^Z/kill to get out
>
> ADMIN ~
> $
>
> ADMIN ~
> $
>
> ADMIN ~
> $ rm *
> rm: cannot remove 'play': Is a directory
> rm: cannot remove 'system': Is a directory
>
> ADMIN erra@spirit ~
> $
>
>
> ADMIN ~/play
> $ netstat -b -a | less
>
> ######################### let netstat complete normally, got out of less ok
>
>
> ADMIN ~/play
> $ client_loop: send disconnect: Connection reset by peer
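The first question in the message (are the bits in sshd.exe as expected?) is an integrity check: hash the quarantined binary and compare it with the hash of a copy you trust. The script below is an added example, not part of Ernie's message and not Cygwin's own tooling. It assumes a known-good SHA-256 is available from a clean install or a freshly extracted package (the value passed in is a placeholder you must supply), that `sha256sum`, `shasum` or `openssl` is on the PATH, and that on Cygwin `cygcheck -f` is available to report which package installed a file; elsewhere that step is skipped.

```shell
#!/bin/sh
# Added example (not from the original post): compare a file against a known-good
# SHA-256 and, on Cygwin, report which package claims the file.

# Print the SHA-256 of a file; falls back across the common tools.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Return 0 if the file's hash equals the expected hash (case-insensitive), 1 otherwise.
hash_matches() {
    actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
    wanted=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$wanted" ]
}

# On Cygwin, cygcheck -f names the package that installed a file (assumed present
# there); on other systems this prints nothing.
owning_package() {
    if command -v cygcheck >/dev/null 2>&1; then
        cygcheck -f "$1"
    else
        echo "unknown (cygcheck not available)"
    fi
}

# Report OK or DIFF for one file against an expected hash; exit status mirrors the result.
verify_file() {
    path=$1
    want=$2
    if hash_matches "$path" "$want"; then
        echo "OK   $path  package: $(owning_package "$path")"
        return 0
    fi
    echo "DIFF $path  got $(file_sha256 "$path")  expected $want"
    return 1
}

# Usage (placeholder hash; substitute the SHA-256 of a copy you trust):
#   verify_file /usr/sbin/sshd.exe KNOWN_GOOD_SHA256_PLACEHOLDER
```

A match only tells you the file equals the reference copy; take the reference hash from a source independent of the possibly compromised machine (a fresh package download or another clean install), not from the same disk.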