Mail Archives: cygwin/2020/07/10/16:38:09

X-Recipient: archive-cygwin AT delorie DOT com
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 7CF393844044
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none)
header.from=SystematicSw.ab.ca
Authentication-Results: sourceware.org;
spf=none smtp.mailfrom=brian DOT inglis AT systematicsw DOT ab DOT ca
Subject: Re: sshd.exe infected with IDP.Generic?
To: cygwin AT cygwin DOT com
References: <14cda058-251c-21f2-e153-edf37ef9ef91 AT raelity DOT com>
<a2092c3c-e153-7035-5806-68d143000ddd AT gmail DOT com>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Organization: Systematic Software
Message-ID: <cfe9b0ab-4056-b773-3a49-e811e80c43b7@SystematicSw.ab.ca>
Date: Fri, 10 Jul 2020 14:37:19 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <a2092c3c-e153-7035-5806-68d143000ddd@gmail.com>
X-Spam-Status: No, score=-9.2 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
KAM_LAZY_DOMAIN_SECURITY, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_BL,
RCVD_IN_MSPIKE_L3, SPF_HELO_NONE, SPF_NONE,
TXREP autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <http://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <http://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Reply-To: cygwin AT cygwin DOT com
Errors-To: cygwin-bounces AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>

On 2020-07-10 13:59, Marco Atzeri via Cygwin wrote:
> On 10.07.2020 21:01, Ernie Rael wrote:
>> On Win7. To get an elevated shell, I typically do "$ ssh xxx AT yyy". And not
>> very often.
>> Below is an excerpt of something potentially horrible that just happened.
>> Note the
>> rm *
>> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different
>> bash window. And this time avast reported that it stashed sshd.exe into the
>> virus chest.

> check on an online virus scan.
> I will bet on a false positive

IDP.Generic is just a generic *warning* from an identity detection protection
scanner that a flaky AV detects privileged software contains some instructions
or does something that it recognizes as similar to some identity theft malware.

$ sha256sum /usr/sbin/sshd.exe
e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb */usr/sbin/sshd.exe

https://www.virustotal.com/gui/file/e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb/detection

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
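The check Brian performs above, hashing the binary and looking the digest up on VirusTotal, is the right first move on a generic AV verdict: it confirms whether the file on disk is the one the distribution shipped, without uploading anything. The following is an added example, not code from the thread or from the Cygwin project. It assumes only Python 3 and its standard library; the VirusTotal URL pattern is the one in Brian's link, and the digest used in `demo()` is the standard SHA-256 test vector for the bytes `abc`, a constructed stand-in for a trusted digest of `sshd.exe` such as the one Brian posted for his copy.

```python
#!/usr/bin/env python3
"""Added example (not from the Cygwin thread): compare a binary's SHA-256
against a digest you trust before acting on an AV verdict, and build the
VirusTotal lookup URL from the digest so the file itself is never uploaded."""
import hashlib
import hmac
import os
import tempfile

# URL pattern taken from the VirusTotal link in Brian's message.
VT_URL = "https://www.virustotal.com/gui/file/{digest}/detection"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks (equivalent to `sha256sum`)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex):
    """True when the file's digest equals the trusted one.

    hmac.compare_digest is used so the comparison does not short-circuit on
    the first differing character; harmless here, but the right habit."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def virustotal_url(digest_hex):
    """Lookup-by-hash URL: lets you read existing scan results without uploading the file."""
    return VT_URL.format(digest=digest_hex.strip().lower())


def demo():
    """Constructed sample: a temp file holding b'abc', whose SHA-256 is the
    well-known test vector (assumed stand-in for a trusted sshd.exe digest)."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        matches = verify_digest(path, expected)      # the shipped binary
        tampered = verify_digest(path, "00" * 32)    # a digest that must not match
        return matches, tampered, virustotal_url(expected)
    finally:
        os.remove(path)


if __name__ == "__main__":
    matches, tampered, url = demo()
    print("trusted digest matches:", matches)
    print("bogus digest rejected:", not tampered)
    print("look up existing verdicts at:", url)
```

To use it on a real install, replace the constructed digest with one obtained from a source independent of the machine under suspicion; a match tells you the AV flagged the distribution's own binary, a mismatch tells you the file on disk is not what was shipped and deserves the quarantine regardless of what the scanner called it.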
