Message-ID: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>
Date: Sun, 22 Jan 2023 15:32:27 +0100
To: cygwin@cygwin.com
Subject: observation: masses of requests to LDAP
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
From: Tobias Wendorff via Cygwin <cygwin@cygwin.com>
Reply-To: Tobias Wendorff <tobias.wendorff@tu-dortmund.de>

Hi there,

Our IT department has informed me that masses of requests are being sent
from my computer to our two LDAP servers on port 389. After a detailed 
investigation, the problem could be clearly traced back to "cygwin".

Firewall logs show that just about any tool, even base tools like "sort" or
"less", initiates a request to port 389 on our LDAP servers.

Sorry, I am _not_ going to release "cygcheck.out" to the public, since it
contains sensitive information about the domain and its groups and
memberships.

Even after reinstalling cygwin from another server, the problem still 
appears. Could it be that this is part of an attack?

Best regards,
Tobias

