From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Reply-To: cygwin@cygwin.com
To: cygwin@cygwin.com
Subject: Re: sshd.exe infected with IDP.Generic?
Date: Sat, 11 Jul 2020 13:45:08 -0600
Message-ID: <7c1a509b-24d4-d00b-5693-e7efd5c437d8@SystematicSw.ab.ca>
In-Reply-To: <0d7fac03-61f9-d512-8cb5-a643a361f2a3@raelity.com>
References: <14cda058-251c-21f2-e153-edf37ef9ef91@raelity.com> <0d7fac03-61f9-d512-8cb5-a643a361f2a3@raelity.com>
Organization: Systematic Software
List-Id: General Cygwin discussions and problem reports

On 2020-07-11 08:47, Ernie Rael wrote:
> I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly type (it
> was in the typeahead buffer when less finally finished and I had been "randomly"
> hitting keys to get it to end) followed shortly thereafter by avast moving
> sshd.exe to quarantine. I suppose the command could have mysteriously come from
> some history since I do use the rm command regularly ;-) Hmm, use -I? I lost
> almost nothing since the admin acct in cygwin's /home is only used for ssh to
> local and there are backups to look at.
>
> As far as getting things back to normal...
>
> Asking avast to "put it back" failed. I did "extract" it, but owner/permissions
> seem screwed up.
>> $ ls -l sshd.exe
>> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
> I put it back, with u+rx, ran cygwin's setup and its package had been updated
> recently, sshd was updated, and things seem back to normal. First I had virus
> scanned the entire system, took all day, it did find something in an archived
> copy of a system I had 10 years ago.
To extract anything from your downloaded packages directory, you can use an elevated admin shell command like:

$ tar -xv -C / -f /*tp*%3a%2f%2f*cygwin*%2f/x86*/release/openssh/openssh-8.3p1-1.tar.xz usr/sbin/sshd.exe

to extract the relative path under the Cygwin root (important, why I jam -C / before -f to avoid forgetting it!) - that way I don't have to mv it from under my current directory if I forget to add it at the end.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
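A defender-side check on the recovery described in this thread, added here as an example and not part of the original post or of Cygwin: before trusting a file restored from quarantine (or instead of restoring it at all), extract the same member from the downloaded package tarball into a staging directory and compare hashes with the installed copy. The function names are hypothetical, the demo package and file contents are constructed, and the block assumes a tar that autodetects .xz on read plus sha256sum in PATH.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: compare an installed Cygwin
# file with the copy inside its downloaded package tarball, extracting the
# member into a staging directory rather than straight over the live file.
# Assumes: tar that autodetects .xz on read, sha256sum in PATH.

# verify_against_package <package.tar[.xz]> <member, e.g. usr/sbin/sshd.exe> [cygwin-root]
# Prints one line and returns 0 MATCH, 1 MISMATCH, 2 MISSING, 3 extraction error.
verify_against_package() {
    pkg=$1; member=$2; root=${3:-/}
    installed="${root%/}/$member"
    [ -f "$installed" ] || { echo "MISSING $installed"; return 2; }
    tmp=$(mktemp -d) || return 3
    if ! tar -xf "$pkg" -C "$tmp" "$member" 2>/dev/null; then
        echo "NOT-IN-PACKAGE $member"; rm -rf "$tmp"; return 3
    fi
    pkg_sum=$(sha256sum "$tmp/$member" | cut -d' ' -f1)
    inst_sum=$(sha256sum "$installed" | cut -d' ' -f1)
    rm -rf "$tmp"
    if [ "$pkg_sum" = "$inst_sum" ]; then
        echo "MATCH $member $pkg_sum"; return 0
    fi
    echo "MISMATCH $member package=$pkg_sum installed=$inst_sum"; return 1
}

# Constructed demo data (a toy tarball and a fake root, not a real Cygwin
# package): the check passes on a pristine copy and fails after the installed
# file is altered. The last line printed is the two return codes.
demo() {
    work=$(mktemp -d) || return 3
    mkdir -p "$work/src/usr/sbin" "$work/root/usr/sbin"
    printf 'constructed sshd.exe contents\n' > "$work/src/usr/sbin/sshd.exe"
    (cd "$work/src" && tar -cf "$work/openssh-demo.tar" usr/sbin/sshd.exe)
    cp "$work/src/usr/sbin/sshd.exe" "$work/root/usr/sbin/sshd.exe"
    verify_against_package "$work/openssh-demo.tar" usr/sbin/sshd.exe "$work/root" && r1=0 || r1=$?
    printf 'altered\n' >> "$work/root/usr/sbin/sshd.exe"
    verify_against_package "$work/openssh-demo.tar" usr/sbin/sshd.exe "$work/root" && r2=0 || r2=$?
    rm -rf "$work"
    echo "$r1 $r2"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

With a real package, point the first argument at the tarball under the downloaded packages directory (as in the tar command above) and leave the root as /; a MISMATCH on a file the AV flagged is the result to investigate rather than overwrite.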