Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com To: cygwin AT cygwin DOT com From: =?ISO-8859-1?Q?Ren=E9_Berber?= Subject: Re: Someone was banging on my sshd despite NAT Date: Thu, 22 Sep 2005 19:14:30 -0500 Lines: 32 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) In-Reply-To: OpenPGP: url=ldap://keyserver.pgp.com X-IsSubscribed: yes Henry S. Thompson wrote: > This evening I noticed my network load was sky-high even though I > wasn't doing anything. Turns out IP address 62.65.180.243 was banging > on port 22, causing a new sshd process every few seconds. Bizarre > thing is that the machine in question, running cygwin on top of XP > SP2, is on a local net which is only NATed out to the internet via my > broadband modem and ISP. >=20 > A) How could this happen at all? > B) Anyone else heard of/seen anything like this? A very common event. > I'm asking on this list because as far as my tired brain can tell, > this must be a complicated Windows+cygwin exploit. . . There is no such exploit. Your question is how did they get to your firewalled PC, the answer is that= you must have port forwarding enabled on your firewall and port 22 is one of the forwarded ports. Check your modem and Windows firewall, both are allowing = this to happen... well, if you have sshd running you probably configured Windows= XP firewall to allow that connection, so you should only check your modem. HTH --=20 Ren=E9 Berber -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/