public inbox for cygwin@cygwin.com
* What does this look like to you folks.
From: SJ Wright @ 2010-09-28  8:14 UTC (permalink / raw)
  To: Cygwin User Mailing List

First, a little background:

In quite a few previous edits of my .bash_aliases file, I've used the 
same alias to cd to a particular folder. Tonight I typed it in and got 
the following as a return:
> [/cygdrive/c/blu/newest]
> mintty-cygwin>>smith
> + laugh
> + pwd
> /cygdrive/c/blu/newest
> + cd /cygdrive/c/taiga/
> + pwd
> /cygdrive/c/taiga
> + cd /cygdrive/c/taiga
> [/cygdrive/c/blu/newest]
When I went to view .bash_aliases in nano, the alias 'smith' (changed at 
my prerogative for discussion on this list) was missing. As far as I 
know, it was there as recently as 5 AM today; I believe I used it around 
noon today (27 September) as well.

Should I be worried? I've never heard of Cygwin being a target for  
--the precise term escapes me at the moment so I'll say-- this kind of 
intrusion, if that's what it is.  As for potential "routes in," I have 
sshd running on cygrunsrv but nothing else. Time to change my login 
password, maybe?

Steve W.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: What does this look like to you folks?
From: SJ Wright @ 2010-09-28 10:23 UTC (permalink / raw)
  To: cygwin

SJ Wright wrote:
> First, a little background:
>
> In quite a few previous edits of my .bash_aliases file, I've used the 
> same alias to cd to a particular folder. Tonight I typed it in and got 
> the following as a return:
>> [/cygdrive/c/blu/newest]
>> mintty-cygwin>>smith
>> + laugh
>> + pwd
>> /cygdrive/c/blu/newest
>> + cd /cygdrive/c/taiga/
>> + pwd
>> /cygdrive/c/taiga
>> + cd /cygdrive/c/taiga
>> [/cygdrive/c/blu/newest]
> When I went to view .bash_aliases in nano, the alias 'smith' (changed 
> at my prerogative for discussion on this list) was missing. As far as 
> I know, it was there as recently as 5 AM today; I believe I used it 
> around noon today (27 September) as well.
>
> Should I be worried? I've never heard of Cygwin being a target for  
> --the precise term escapes me at the moment so I'll say-- this kind of 
> intrusion, if that's what it is.  As for potential "routes in," I have 
> sshd running on cygrunsrv but nothing else. Time to change my login 
> password, maybe?
>
> Steve W.
>
Of course, I edited the path for the alias back into .bash_aliases 
(didn't want to give up the convenience, after all) but was prudent 
enough to use another word than "smith" for it. {Think first Duke of 
Marlborough.}

SJW




* Re: What does this look like to you folks?
From: Gregg Levine @ 2010-09-28 10:31 UTC (permalink / raw)
  To: cygwin

On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright <sjwright68@charter.net> wrote:
> SJ Wright wrote:
>>
>> First, a little background:
>>
>> In quite a few previous edits of my .bash_aliases file, I've used the same
>> alias to cd to a particular folder. Tonight I typed it in and got the
>> following as a return:
>>>
>>> [/cygdrive/c/blu/newest]
>>> mintty-cygwin>>smith
>>> + laugh
>>> + pwd
>>> /cygdrive/c/blu/newest
>>> + cd /cygdrive/c/taiga/
>>> + pwd
>>> /cygdrive/c/taiga
>>> + cd /cygdrive/c/taiga
>>> [/cygdrive/c/blu/newest]
>>
>> When I went to view .bash_aliases in nano, the alias 'smith' (changed at
>> my prerogative for discussion on this list) was missing. As far as I know,
>> it was there as recently as 5 AM today; I believe I used it around noon
>> today (27 September) as well.
>>
>> Should I be worried? I've never heard of Cygwin being a target for  --the
>> precise term escapes me at the moment so I'll say-- this kind of intrusion,
>> if that's what it is.  As for potential "routes in," I have sshd running on
>> cygrunsrv but nothing else. Time to change my login password, maybe?
>>
>> Steve W.
>>
>> --
>>
> Of course, I edited the path for the alias back into .bash_aliases (didn't
> want to give up the convenience, after all) but was prudent enough to use
> another word than "smith" for it. {Think first Duke of Marlborough.}
>
> SJW
>

Hello!
Well I ran Google on that term, and came up with the Wikipedia page.
((Which I won't cite here.)) But don't you mean Mr Churchill the PM
actually? (He also was entitled to use that entry into the peerage.)

You may not have anything to worry about, however I am not a security
expert as far as Cygwin goes, I'm more of a user on it, and even on
Linux.

I do suggest you change your passwords for both that system and for the SSH one.

If that's not possible then make it impossible for the system to be
reached that way online via SSH.
-----
Gregg C Levine gregg.drwho8@gmail.com
"This signature fought the Time Wars, time and again."



* Re: What does this look like to you folks?
From: SJ Wright @ 2010-10-01  9:33 UTC (permalink / raw)
  To: cygwin

Gregg Levine wrote:
> On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright <sjwright68@charter.net> wrote:
>   
>> SJ Wright wrote:
>>     
>>> First, a little background:
>>>
>>> In quite a few previous edits of my .bash_aliases file, I've used the same
>>> alias to cd to a particular folder. Tonight I typed it in and got the
>>> following as a return:
>>>       
>>>> [/cygdrive/c/blu/newest]
>>>> mintty-cygwin>>smith
>>>> + laugh
>>>> + pwd
>>>> /cygdrive/c/blu/newest
>>>> + cd /cygdrive/c/taiga/
>>>> + pwd
>>>> /cygdrive/c/taiga
>>>> + cd /cygdrive/c/taiga
>>>> [/cygdrive/c/blu/newest]
>>>>         
>>> When I went to view .bash_aliases in nano, the alias 'smith' (changed at
>>> my prerogative for discussion on this list) was missing. As far as I know,
>>> it was there as recently as 5 AM today; I believe I used it around noon
>>> today (27 September) as well.
>>>
>>> Should I be worried? I've never heard of Cygwin being a target for  --the
>>> precise term escapes me at the moment so I'll say-- this kind of intrusion,
>>> if that's what it is.  As for potential "routes in," I have sshd running on
>>> cygrunsrv but nothing else. Time to change my login password, maybe?
>>>
>>> Steve W.
>>>
>>> --
>>>
>>>       
>> Of course, I edited the path for the alias back into .bash_aliases (didn't
>> want to give up the convenience, after all) but was prudent enough to use
>> another word than "smith" for it. {Think first Duke of Marlborough.}
>>
>> SJW
>>
>>     
>
> Hello!
> Well I ran Google on that term, and came up with the Wikipedia page.
> ((Which I won't cite here.)) But don't you mean Mr Churchill the PM
> actually? (He also was entitled to use that entry into the peerage.)
>
> You may not have anything to worry about, however I am not a security
> expert as far as Cygwin goes, I'm more of a user on it, and even on
> Linux.
>
> I do suggest you change your passwords for both that system and for the SSH one.
>
> If that's not possible then make it impossible for the system to be
> reached that way online via SSH.
> -----
> Gregg C Levine gregg.drwho8@gmail.com
> "This signature fought the Time Wars, time and again."
>
Anyone else care to chime in/advise/suggest something?

Presently I'm doing a context search of my Cygwin folder for the word 
"laugh" (the outstanding non-command word or phrase used in the harmless 
hack). I've already scanned, by eye, grep and two developer-type text 
editors, my dotfiles and the default ones in /etc/defaults/ -- though 
frankly this last seems a little too obvious a route for anyone who's 
going to drop a 'sleeper' script that fouls up a shell alias to take.

Ever notice how hackers and "script kiddies" tend to make targets of 
things people already are complaining about? Windows, numerous websites, 
and this, the latest maintenance upgrade of Cygwin. (But then, this is 
just an observation -- the only proof I have is in what happened to the 
change-directory alias known as "smith" in my .bash_aliases file, since 
modified.)

SJ Wright




* Re: What does this look like to you folks?
From: SJ Wright @ 2010-10-01  9:49 UTC (permalink / raw)
  To: cygwin

SJ Wright wrote:
> Gregg Levine wrote:
>> On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright <sjwright68@charter.net> 
>> wrote:
>>  
>>> SJ Wright wrote:
>>>    
>>>> First, a little background:
>>>>
>>>> In quite a few previous edits of my .bash_aliases file, I've used 
>>>> the same
>>>> alias to cd to a particular folder. Tonight I typed it in and got the
>>>> following as a return:
>>>>      
>>>>> [/cygdrive/c/blu/newest]
>>>>> mintty-cygwin>>smith
>>>>> + laugh
>>>>> + pwd
>>>>> /cygdrive/c/blu/newest
>>>>> + cd /cygdrive/c/taiga/
>>>>> + pwd
>>>>> /cygdrive/c/taiga
>>>>> + cd /cygdrive/c/taiga
>>>>> [/cygdrive/c/blu/newest]
>>>>>         
>>>> When I went to view .bash_aliases in nano, the alias 'smith' 
>>>> (changed at
>>>> my prerogative for discussion on this list) was missing. As far as 
>>>> I know,
>>>> it was there as recently as 5 AM today; I believe I used it around 
>>>> noon
>>>> today (27 September) as well.
>>>>
>>>> Should I be worried? I've never heard of Cygwin being a target for  
>>>> --the
>>>> precise term escapes me at the moment so I'll say-- this kind of 
>>>> intrusion,
>>>> if that's what it is.  As for potential "routes in," I have sshd 
>>>> running on
>>>> cygrunsrv but nothing else. Time to change my login password, maybe?
>>>>
>>>> Steve W.
>>>>
>>>> -- 
>>>>
>>>>       
>>> Of course, I edited the path for the alias back into .bash_aliases 
>>> (didn't
>>> want to give up the convenience, after all) but was prudent enough 
>>> to use
>>> another word than "smith" for it. {Think first Duke of Marlborough.}
>>>
>>> SJW
>>>
>>>     
>>
>> Hello!
>> Well I ran Google on that term, and came up with the Wikipedia page.
>> ((Which I won't cite here.)) But don't you mean Mr Churchill the PM
>> actually? (He also was entitled to use that entry into the peerage.)
>>
>> You may not have anything to worry about, however I am not a security
>> expert as far as Cygwin goes, I'm more of a user on it, and even on
>> Linux.
>>
>> I do suggest you change your passwords for both that system and for 
>> the SSH one.
>>
>> If that's not possible then make it impossible for the system to be
>> reached that way online via SSH.
>> -----
>> Gregg C Levine gregg.drwho8@gmail.com
>> "This signature fought the Time Wars, time and again."
>>
> Anyone else care to chime in/advise/suggest something?
>
> Presently I'm doing a context search of my Cygwin folder for the word 
> "laugh" (the outstanding non-command word or phrase used in the 
> harmless hack). I've already scanned, by eye, grep and two 
> developer-type text editors, my dotfiles and the default ones in 
> /etc/defaults/ -- though frankly this last seems a little too obvious 
> a route for anyone who's going to drop a 'sleeper' script that fouls 
> up a shell alias to take.
>
> Ever notice how hackers and "script kiddies" tend to make targets of 
> things people already are complaining about? Windows, numerous 
> websites, and this, the latest maintenance upgrade of Cygwin. (But 
> then, this is just an observation -- the only proof I have is in what 
> happened to the change-directory alias known as "smith" in my 
> .bash_aliases file, since modified.)
>
> SJ Wright
>
>
I just discovered what was going on. Someone had cloned the two bash 
aliases I most often use as scripts in a folder of the same name in my 
root Cygwin folder. Both of them had content similar to this:
> set -x
> function laugh(){
>
> pwd
> cd /cygdrive/c/taiga/
>
> pwd
> cd "$PWD"
> }
> laugh
(The above is "smith" in the main /scripts folder and "smith.sh" in the 
sub-folder in which I keep edits.)
With a change to my ssh and system password, it's likely it will be a 
while before this sort of thing happens again. I plan in the meantime to 
srm these files and attempt to better secure the /scripts folder, its 
local access as well.

Steve W.
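A defender's check for what the thread turned up (an executable named like the alias sitting in a PATH directory, run because the alias itself was gone), as an added example that is not code from the thread: it lists every file on PATH answering to a name, flags names that resolve to more than one file, and flags PATH directories writable by group or others. The two temp directories and the `smith` scripts it creates are a constructed fixture.

```shell
#!/bin/bash
# Added audit helpers, not code from the thread.  They show which file on
# PATH runs for a typed name, whether more than one file answers to it, and
# which PATH directories other accounts could drop a look-alike script into.
# In an interactive bash, `type -a NAME` also lists aliases and functions.
# Print every executable named $1 on PATH, in lookup order (first one wins).
path_candidates() {
  local name=$1 dir
  local IFS=:
  for dir in $PATH; do
    [ -n "$dir" ] || dir=.                       # empty PATH entry means "."
    [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
  done
  return 0
}

# The file bash would execute for $1 if no alias or function intervenes.
winning_candidate() { path_candidates "$1" | head -n 1; }

# Succeeds when more than one executable on PATH carries the name $1.
is_shadowed() { [ "$(path_candidates "$1" | wc -l)" -gt 1 ]; }

# Print PATH directories whose mode grants write access to group or others.
writable_path_dirs() {
  local dir mode
  local IFS=:
  for dir in $PATH; do
    [ -d "$dir" ] || continue
    mode=$(ls -ld "$dir" | cut -c1-10)           # e.g. drwxrwxrwx
    case $mode in ?????w*|????????w*) printf '%s\n' "$dir" ;; esac
  done
  return 0
}

# Constructed fixture: two temp dirs that each hold an executable "smith";
# the second is deliberately left world-writable.  Prints "dir1:dir2".
build_demo_path() {
  local d1 d2
  d1=$(mktemp -d) && d2=$(mktemp -d) || return 1
  printf '#!/bin/sh\necho real smith\n' >"$d1/smith"
  printf '#!/bin/sh\necho planted smith\n' >"$d2/smith"
  chmod 755 "$d1/smith" "$d2/smith" && chmod 777 "$d2"
  printf '%s:%s\n' "$d1" "$d2"
}
# Stand-alone demo: audit "smith" with the fixture in front of PATH.
PATH=$(build_demo_path):$PATH
echo "smith would run: $(winning_candidate smith)"
is_shadowed smith && { echo "more than one smith on PATH:"; path_candidates smith; }
echo "PATH dirs writable by group/others:"; writable_path_dirs
```

On the thread's box the same questions are answered by `type -a smith` and by checking the mode of the /scripts directory it was found in.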



