From mboxrd@z Thu Jan 1 00:00:00 1970
From: Brian Inglis
Organization: Systematic Software
Reply-To: cygwin@cygwin.com
To: cygwin@cygwin.com
Subject: Re: sshd.exe infected with IDP.Generic?
References: <14cda058-251c-21f2-e153-edf37ef9ef91@raelity.com>
Date: Fri, 10 Jul 2020 14:37:19 -0600
List-Id: General Cygwin discussions and problem reports

On 2020-07-10 13:59, Marco Atzeri via Cygwin wrote:
> On 10.07.2020 21:01, Ernie Rael wrote:
>> On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And not
>> very often.
>> Below is an excerpt of something potentially horrible that just happened.
>> Note the
>> rm *
>> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different
>> bash window. And this time avast reported that it stashed sshd.exe into the
>> virus chest.
> check on an online virus scan.
> I will bet in a false positive

IDP.Generic is just a generic *warning* from an identity detection protection
scanner that a flakey AV detects privileged software contains some instructions
or does something that it recognizes as similar to some identity theft malware.

$ sha256sum /usr/sbin/sshd.exe
e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb */usr/sbin/sshd.exe

https://www.virustotal.com/gui/file/e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb/detection

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical
detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
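The check Brian performs above (hash the flagged binary with `sha256sum`, then look the digest up on VirusTotal rather than trusting the AV label) can be scripted so it is repeatable whenever an AV quarantines a package file. The following is an added example, not code from the thread or from the Cygwin project: it parses a `sha256sum`-style checksum line in the format shown above, streams the file through SHA-256, compares digests in constant time, and builds the VirusTotal lookup URL. The sample file contents are constructed for the demonstration; the expected digest is assumed to come from a source you already trust (for example a checksum published by the package maintainer), which the example does not fetch.

```python
"""Verify a binary against a published sha256sum line and build its VirusTotal URL.

Added example (not from the mailing-list thread or the Cygwin project).
The sample file written by write_sample_file() is constructed for the demo.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Tuple

# sha256sum prints: <64 hex chars> then two spaces (text mode) or " *" (binary
# mode, as in the thread's "e666... */usr/sbin/sshd.exe"), then the path.
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

# Digest from the thread, used only as a "does not match our sample" value.
THREAD_SSHD_SHA256 = "e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb"


def parse_checksum_line(line: str) -> Tuple[str, str]:
    """Return (hex_digest, path) from one sha256sum-style output line."""
    m = _CHECKSUM_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a sha256sum line: {line!r}")
    return m.group(1).lower(), m.group(2)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """True if the file's SHA-256 equals expected_hex (compared in constant time)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def virustotal_url(hex_digest: str) -> str:
    """VirusTotal detection page for a SHA-256, in the URL form used in the thread."""
    return f"https://www.virustotal.com/gui/file/{hex_digest.lower()}/detection"


def verify_against_line(path: str, checksum_line: str) -> Dict[str, object]:
    """Check `path` against a sha256sum line and report what a responder needs to see."""
    expected, listed_path = parse_checksum_line(checksum_line)
    actual = sha256_of_file(path)
    return {
        "listed_path": listed_path,
        "expected": expected,
        "actual": actual,
        "match": hmac.compare_digest(actual, expected),
        "virustotal": virustotal_url(actual),
    }


def write_sample_file(contents: bytes = b"abc") -> str:
    """Write constructed sample bytes to a temp file and return its path (demo only)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


def check_sample() -> Dict[str, object]:
    """Run the full check on the constructed sample and clean up the temp file."""
    path = write_sample_file(b"abc")
    try:
        # A checksum line claiming the thread's sshd digest for our sample file:
        # it must NOT match, because the sample is just the bytes b"abc".
        return verify_against_line(path, f"{THREAD_SSHD_SHA256} *{path}")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    report = check_sample()
    print("match:", report["match"])
    print("actual:", report["actual"])
    print("lookup:", report["virustotal"])
```

In practice you would replace the constructed sample with the quarantined file (after restoring it from the AV's quarantine to a scratch location) and the checksum line with one from a trusted source; a mismatch means the file on disk is not the one the maintainer shipped and deserves investigation, while a match plus a clean VirusTotal page supports the false-positive conclusion reached in the thread.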