To: cygwin AT cygwin DOT com
From: LMH
Subject: another question about cygwin bash trying to make connections
Message-ID: <3af7d373-de36-cb8d-04ad-04ccda05667b@molconn.com>
Date: Tue, 7 Jan 2020 15:58:55 -0500

Hello,

Every single time I run bash in a terminal, I get the following firewall alerts:

C:\cygwin\bin\bash.exe
An attempt to communicate a foreign process has been detected.
Target PID: 1616
Image Name: svchost.exe

C:\cygwin\bin\bash.exe
A potential threat to network traffic interception or injection has been detected.

This is when running a script that invokes bash with the shebang. The same thing happens if I just run bash with no arguments.

On every run of bash, bash tries to IPC with svchost.exe. The second alert for network traffic injection suggests that bash.exe is attempting to use svchost to make a network connection. This is common enough since svchost.exe has unfiltered network connection permission on most systems (stupid in my opinion).

I have looked in all of the versions of .bashrc and .bash_profile and don't see anything there that looks relevant. I presume that bash is trying to do something like check to see if it needs to be updated. In that case, I have never understood why bash.exe needs to try to connect through another process instead of just making the connection itself. If this is something else, well, who knows.

The attempted IPC is entirely unnecessary as blocking both alerts has no effect whatsoever.

How should I go about trying to run this down? I can just create the rule to permanently block the IPC and network traffic injection, but I would prefer to stop the connection attempt from what is triggering it. That would allow me to see new alerts if it happens again.

This is the version of bash,

GNU bash, version 4.3.42(4)-release (i686-pc-cygwin)

It would be very helpful as a first step if I could find a verified digital signature for this version of bash.
The index here, https://ftp.gnu.org/gnu/bash/ gives an archive of bash with a signature for each tar.gz but not the signature for each version of the extracted binary.

Thanks,

LMH

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple