X-Recipient:	archive-cygwin AT delorie DOT com
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.3.2 sourceware.org E60E33857C40
Authentication-Results:	sourceware.org;
	dmarc=none (p=none dis=none) header.from=raelity.com
Authentication-Results:	sourceware.org; spf=none smtp.mailfrom=err AT raelity DOT com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=comcastmailservice.net; s=20180828_2048; t=1594478885;
	bh=w8xwmVdV5lvdDEvmADLak6eoFeG2EO+i37AEQAoYXkA=;
	h=Received:Received:From:Subject:To:Message-ID:Date:MIME-Version:
	Content-Type;
	b=CT3seDCoSxMc0trzbVUN3buENNTjIijyyY2LJGQFyhE0TN3MrTNem5/WAk625BjfT
	FZSpTT3xB9H3mxG13i05EMn3W4x1Mvq1sVF+gktK6hDUjH1jTPVJ2cLrjuAZkF5KlK
	15lvFVcsxUosZh02N4OgPVQwybStvhtm632djPSK38z3RLiIrpazAUanA6eWG2CxWK
	PFMjTHTpGm7jBHh48cFeWhlVZ/g6lkltkLGPBw6smbM+zJjN9mkcwWEfmHv/nUidAL
	ypzEGnOwXf4M3wv0rPGuj5sgVcVwkby3+sapK/2xZWcBaU5y/juR4P3nBMQ+7xIZH9
	knrIMVRsK1FVg==
X-Xfinity-VMeta:	sc=0.00;st=legit
From:	Ernie Rael <err AT raelity DOT com>
Subject:	Re: sshd.exe infected with IDP.Generic?
To:	cygwin AT cygwin DOT com
References:	<14cda058-251c-21f2-e153-edf37ef9ef91 AT raelity DOT com>
Message-ID:	<0d7fac03-61f9-d512-8cb5-a643a361f2a3@raelity.com>
Date:	Sat, 11 Jul 2020 07:47:50 -0700
User-Agent:	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101
	Thunderbird/68.10.0
MIME-Version:	1.0
In-Reply-To:	<14cda058-251c-21f2-e153-edf37ef9ef91@raelity.com>
X-Antivirus:	Avast (VPS 200711-2, 07/11/2020), Outbound message
X-Antivirus-Status:	Clean
X-Spam-Status:	No, score=-0.7 required=5.0 tests=BAYES_00, BODY_8BITS,
	DKIM_SIGNED, DKIM_VALID, RCVD_IN_DNSWL_LOW, SPF_HELO_NONE, SPF_NONE,
	TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version:	SpamAssassin 3.4.2 (2018-09-13) on
	server2.sourceware.org
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.29
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe:	<http://cygwin.com/mailman/options/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<http://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Errors-To:	cygwin-bounces AT cygwin DOT com
Sender:	"Cygwin" <cygwin-bounces AT cygwin DOT com>
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id 06BEmakO005555

Thanks for response Marco and Brian.

I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly 
type (it was in the typeahead buffer when less finally finished and I 
had been "randomly" hitting keys to get it to end) followed shortly 
thereafter by avast moving sshd.exe to quarantine. I suppose the command 
could have mysteriously come from some history since I do use the rm 
command regularly ;-) Hmm, use -I? I lost almost nothing since the admin 
acct in cygwin's /home is only used for ssh to local and there are 
backups to look at.

As far as getting things back to normal...

Asking avast to "put it back" failed. I did "extract" it, but 
owner/permissions seem screwed up.
> $ ls -l sshd.exe
> ----rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
I put it back, with u+rx, ran cygwin's setup and it's package had been 
updated recently, sshd was updated, and things seem back to normal. 
First I had virus scanned the entire system, took all day, it did find 
something in an archived copy of a system I had 10 years ago.

-ernie

PS virustotal is cool
https://www.virustotal.com/gui/file/8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d/detection

On 7/10/2020 12:01 PM, Ernie Rael wrote:
> On Win7. To get an elevated shell, I typically do "$ ssh xxx AT yyy". And 
> not very often.
>
> Below is an excerpt of something potentially horrible that just happened.
>
> Note the
>
>    rm *
>
> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a 
> different bash window. And this time avast reported that it stashed 
> sshd.exe into the virus chest.
>
> I'm not sure who/what the culprit is, or what's going on. But it does 
> look like there was (is?) some kind of infection somewhere on my 
> system. I had used ftp earlier to put a file to a remote, but...?
>
> I didn't realize that netstat was a windows command (not that I 
> wouldn't have used it).
>
> I've got the sshd.exe file. It has a date of Feb 18. So
>
>  * Can I check if the bits in sshd.exe are as expected?
>  * Any suggestions on cleaning up and/or restoring sanity? (I'm running
>    a full virus scan right now, should be amusing...)
>  * How can I get sshd.exe back? Is there a cygwin command to check that
>    the packages are all as they should be?
>
> -ernie
>
> =============== EXCERPT ==========================
>
>>
>> $ ssh xxx AT yyy
>> Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
>>       ____________________, ______________________________________
>>    .QQQQQQQQQQQQQQQQQQQQQQQQL_ |                                      |
>>  .gQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ__ 
>> |                                      |
>>  ........
>>
>> ADMIN ~
>> $ netstat -b -a | less
>>
>>
>> ######################### worked but had to ^Z/kill to get out
>>
>> ADMIN ~
>> $
>>
>> ADMIN ~
>> $
>>
>> ADMIN ~
>> $ rm *
>> rm: cannot remove 'play': Is a directory
>> rm: cannot remove 'system': Is a directory
>>
>> ADMIN erra AT spirit ~
>> $
>>
>>
>> ADMIN ~/play
>> $ netstat -b -a | less
>>
>> ######################### let netstat complete normally, got out of 
>> less ok
>>
>>
>> ADMIN ~/play
>> $ client_loop: send disconnect: Connection reset by peer
>
> -- 
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple


--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -