X-Recipient: archive-cygwin AT delorie DOT com X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 7CF393844044 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=SystematicSw.ab.ca Authentication-Results: sourceware.org; spf=none smtp.mailfrom=brian DOT inglis AT systematicsw DOT ab DOT ca X-Authority-Analysis: v=2.3 cv=ePaIcEh1 c=1 sm=1 tr=0 a=kiZT5GMN3KAWqtYcXc+/4Q==:117 a=kiZT5GMN3KAWqtYcXc+/4Q==:17 a=IkcTkHD0fZMA:10 a=kCJs_k7SAAAA:8 a=JZeu4sPTHj9YQVegERsA:9 a=QEXdDO2ut3YA:10 a=O_VvhT6p5l8eO1peqfxq:22 Subject: Re: sshd.exe infected with IDP.Generic? To: cygwin AT cygwin DOT com References: <14cda058-251c-21f2-e153-edf37ef9ef91 AT raelity DOT com> From: Brian Inglis Autocrypt: addr=Brian DOT Inglis AT SystematicSw DOT ab DOT ca; prefer-encrypt=mutual; keydata= mDMEXopx8xYJKwYBBAHaRw8BAQdAnCK0qv/xwUCCZQoA9BHRYpstERrspfT0NkUWQVuoePa0 LkJyaWFuIEluZ2xpcyA8QnJpYW4uSW5nbGlzQFN5c3RlbWF0aWNTdy5hYi5jYT6IlgQTFggA PhYhBMM5/lbU970GBS2bZB62lxu92I8YBQJeinHzAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEB62lxu92I8Y0ioBAI8xrggNxziAVmr+Xm6nnyjoujMqWcq3oEhlYGAO WacZAQDFtdDx2koSVSoOmfaOyRTbIWSf9/Cjai29060fsmdsDLg4BF6KcfMSCisGAQQBl1UB BQEBB0Awv8kHI2PaEgViDqzbnoe8B9KMHoBZLS92HdC7ZPh8HQMBCAeIfgQYFggAJhYhBMM5 /lbU970GBS2bZB62lxu92I8YBQJeinHzAhsMBQkJZgGAAAoJEB62lxu92I8YZwUBAJw/74rF IyaSsGI7ewCdCy88Lce/kdwX7zGwid+f8NZ3AQC/ezTFFi5obXnyMxZJN464nPXiggtT9gN5 RSyTY8X+AQ== Organization: Systematic Software Message-ID: Date: Fri, 10 Jul 2020 14:37:19 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-CA X-CMAE-Envelope: MS4wfDJhY5YA8+aVp4odhl6gUxsaN7ULEZQK9ilBAPXrlVYRmnLO0Oc46Y7kY9PZAn4GD1wPWv7X6tsH8UM1cFw0A+9UU+4ssaPYL0q80aoJ7AFZ9tDg3yPW TfWax6+5fPOC/Dcc4yQO/NCuBSoD9Ydbh32jQGAL/yW18Jtj6vfN7IcPz673mOPI9V+8ZeRLYqjLuNX7+aPLg4NRuerwrp7EjCQ= X-Spam-Status: No, score=-9.2 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_BL, RCVD_IN_MSPIKE_L3, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: cygwin AT cygwin DOT com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces AT cygwin DOT com Sender: "Cygwin" On 2020-07-10 13:59, Marco Atzeri via Cygwin wrote: > On 10.07.2020 21:01, Ernie Rael wrote: >> On Win7. To get an elevated shell, I typically do "$ ssh xxx AT yyy". And not >> very often. >> Below is an excerpt of something potentially horrible that just happened. >> Note the >> rm * >> I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a different >> bash window. And this time avast reported that it stashed sshd.exe into the >> virus chest. > check on a online virus scan. > I will bet in a false positive IDP.Generic is just a generic *warning* from an identity detection protection scanner that a flakey AV detects privileged software contains some instructions or does something that it recognizes as similar to some identity theft malware. $ sha256sum /usr/sbin/sshd.exe e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb */usr/sbin/sshd.exe https://www.virustotal.com/gui/file/e666018d4a22b5424385d3752b0a2718a3525e68cf1b448d4f7037bfa40c77eb/detection -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. [Data in IEC units and prefixes, physical quantities in SI.] -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple