From: Tobias Wendorff via Cygwin
To: cygwin AT cygwin DOT com
Date: Sun, 22 Jan 2023 15:32:27 +0100
Subject: observation: masses of requests to LDAP

Hi there,

our IT department has informed me that masses of requests are being sent from my computer to our two LDAP servers on port 389.

After a detailed investigation, the problem could be clearly traced back to "cygwin". Firewall logs show that about any tool, even base tools "sort" or "less", initiates a request to port 389 on our LDAP servers.

Sorry, I am _not_ going to release "cygcheck.out" to the public, since it contains sensitive information about the domain and its groups and memberships.

Even after reinstalling cygwin from another server, the problem still appears. Could it be that this is part of an attack?

Best regards,
Tobias