Re: sshd.exe infected with IDP.Generic?

2020-07-11 Thread Ernie Rael

Thanks for the response, Marco and Brian.

I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly 
type (it was in the typeahead buffer when less finally finished and I 
had been "randomly" hitting keys to get it to end) followed shortly 
thereafter by avast moving sshd.exe to quarantine. I suppose the command 
could have mysteriously come from some history since I do use the rm 
command regularly ;-) Hmm, use -I? I lost almost nothing since the admin 
acct in cygwin's /home is only used for ssh to local and there are 
backups to look at.


As far as getting things back to normal...

Asking avast to "put it back" failed. I did "extract" it, but 
owner/permissions seem screwed up.

$ ls -l sshd.exe
rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
I put it back, with u+rx, ran cygwin's setup and its package had been 
updated recently, sshd was updated, and things seem back to normal. 
First I had virus-scanned the entire system; it took all day, and it did find 
something in an archived copy of a system I had 10 years ago.


-ernie

PS virustotal is cool
https://www.virustotal.com/gui/file/8cba0094cf589c9b39c6814ae11e7fc32e0d9988e280004b6a18ca7e2014c71d/detection

On 7/10/2020 12:01 PM, Ernie Rael wrote:
On Win7. To get an elevated shell, I typically do "$ ssh xxx@yyy". And 
not very often.


Below is an excerpt of something potentially horrible that just happened.

Note the

   rm *

I exited the shell. I did the "ssh..." again (yeah I'm crazy), in a 
different bash window. And this time avast reported that it stashed 
sshd.exe into the virus chest.


I'm not sure who/what the culprit is, or what's going on. But it does 
look like there was (is?) some kind of infection somewhere on my 
system. I had used ftp earlier to put a file to a remote, but...?


I didn't realize that netstat was a windows command (not that I 
wouldn't have used it).


I've got the sshd.exe file. It has a date of Feb 18. So

 * Can I check if the bits in sshd.exe are as expected?
 * Any suggestions on cleaning up and/or restoring sanity? (I'm running
   a full virus scan right now, should be amusing...)
 * How can I get sshd.exe back? Is there a cygwin command to check that
   the packages are all as they should be?

-ernie

=== EXCERPT ===



$ ssh xxx@yyy
Last login: Mon May 18 21:37:37 2020 from 192.168.0.11
  , __
   .L_ |  |
 .gQQQ__ 
|  |

 

ADMIN ~
$ netstat -b -a | less


# worked but had to ^Z/kill to get out

ADMIN ~
$

ADMIN ~
$

ADMIN ~
$ rm *
rm: cannot remove 'play': Is a directory
rm: cannot remove 'system': Is a directory

ADMIN erra@spirit ~
$


ADMIN ~/play
$ netstat -b -a | less

# let netstat complete normally, got out of 
less ok



ADMIN ~/play
$ client_loop: send disconnect: Connection reset by peer


--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple





[ANNOUNCEMENT] Updated: mpfr-4.1.0-1

2020-07-11 Thread Achim Gratz


The MPFR Library


The MPFR library is a C library for multiple-precision floating-point
computations with exact rounding (also called correct rounding). It is
based on the GMP multiple-precision library.

The main goal of MPFR is to provide a library for multiple-precision
floating-point computation which is both efficient and has a well-defined
semantics. It copies the good ideas from the ANSI/IEEE-754 standard for
double-precision floating-point arithmetic (53-bit mantissa).

https://www.mpfr.org/mpfr-4.1.0/

This is an upstream bugfix / patch rollup release, updating the Cygwin
library to version 4.1.0 patchlevel 0 while keeping binary
compatibility.

-- 
  *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sourceware.org/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.


[ANNOUNCEMENT] Updated: Perl distributions

2020-07-11 Thread Achim Gratz


The following Perl distributions have been updated to their latest
version on CPAN:

x86/x86_64
--
perl-Astro-FITS-CFITSIO-1.14-1
perl-JSON-Parse-0.57-1
perl-Socket-2.030-1

noarch
--
perl-DateTime-Locale-1.26-1
perl-File-Slurp-.32-1
perl-HTTP-Message-6.25-1
perl-JSON-PP-4.05-1
perl-Module-Signature-0.87-1
perl-Test-Compile-2.4.1-1
perl-Test2-Plugin-NoWarnings-0.09-1
perl-Text-Template-1.59-1




[ANNOUNCEMENT] Updated: openblas-0.3.10-1

2020-07-11 Thread Marco Atzeri via Cygwin-announce

New releases 0.3.10-1 of

openblas (source)
libopenblas  (dynamic library)

are available in the Cygwin distribution:

CHANGES
Last upstream release: bugfix and performance improvement
https://github.com/xianyi/OpenBLAS/releases

 OpenBLAS will now provide enough buffer space for at
 least 50 threads by default.

DESCRIPTION
OpenBLAS is an optimized BLAS library based on
GotoBLAS2 1.13 BSD version and further extended.
OpenBLAS is licensed under the 3-clause BSD license.

HOMEPAGE
http://www.openblas.net/

CYGWIN NOTES
1) As BLAS it is around 5-10 times faster than Netlib reference,
   included in the liblapack0 package.

2) No devel package is provided as liblapack-devel already provides
   the needed headers and import library.
   OpenBLAS is fully compatible with Netlib BLAS.

3) libopenblas consists of a single file
 /usr/bin/cygblas-0.dll
   that will precede in PATH the liblapack0
 /usr/lib/lapack/cygblas-0.dll
   and be used instead. Removing libopenblas will restore the
   usage of Netlib BLAS.

4) CPU architectures covered up to now

   64 bit
ATOM BARCELONA BOBCAT BULLDOZER CORE2 DUNNINGTON EXCAVATOR
HASWELL NANO NEHALEM OPTERON OPTERON_SSE3 PENRYN PILEDRIVER
PRESCOTT SANDYBRIDGE STEAMROLLER ZEN

   32 bit
ATHLON ATOM BANIAS BARCELONA BOBCAT COPPERMINE CORE2
DUNNINGTON KATMAI NANO NEHALEM NORTHWOOD OPTERON
OPTERON_SSE3 PENRYN PRESCOTT


Regards
Marco Atzeri

If you have questions or comments, please send them to the
cygwin mailing list at: cygwin (at) cygwin (dot) com .


Re: sshd.exe infected with IDP.Generic?

2020-07-11 Thread Brian Inglis
On 2020-07-11 08:47, Ernie Rael wrote:
> I guess I'll chalk up to coincidence the "rm *" that I didn't knowingly type
> (it was in the typeahead buffer when less finally finished and I had been
> "randomly" hitting keys to get it to end) followed shortly thereafter by avast
> moving sshd.exe to quarantine. I suppose the command could have mysteriously
> come from some history since I do use the rm command regularly ;-) Hmm, use
> -I? I lost almost nothing since the admin acct in cygwin's /home is only used
> for ssh to local and there are backups to look at.
> 
> As far as getting things back to normal...
> 
> Asking avast to "put it back" failed. I did "extract" it, but
> owner/permissions seem screwed up.
>> $ ls -l sshd.exe
>> rwxr-x+ 1 Administrators SYSTEM 721939 Feb 18 09:05 sshd.exe
> I put it back, with u+rx, ran cygwin's setup and its package had been updated
> recently, sshd was updated, and things seem back to normal. First I had virus
> scanned the entire system, took all day, it did find something in an archived
> copy of a system I had 10 years ago.

To extract anything from your downloaded packages directory, you can use an
elevated admin shell command like:

$ tar -xv -C / -f /*tp*%3a%2f%2f*cygwin*%2f/x86*/release/openssh/openssh-8.3p1-1.tar.xz \
      usr/sbin/sshd.exe

to extract the relative path under the Cygwin root (important, why I jam -C /
before -f to avoid forgetting it!) - that way I don't have to mv it from under
my current directory if I forget to add it at the end.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
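Ernie asked whether the bits in sshd.exe can be checked against what they should be, and Brian's reply shows pulling the pristine copy out of the package archive in the download cache. The script below, added here as an illustration and not taken from the thread or from Cygwin itself, combines the two: it extracts the one member from the archive into a scratch directory (with -C before -f, as Brian recommends), compares SHA-256 hashes with the installed file, and prints the hash so it can be looked up on VirusTotal. The archive name, member path and fixture contents are constructed for the demo; on a real box you would pass /usr/sbin/sshd.exe, the openssh-*.tar.xz from the package cache and usr/sbin/sshd.exe.

```shell
#!/bin/sh
# Compare an installed Cygwin file with the copy inside its package archive
# from the local download cache, so "are the bits in sshd.exe as expected?"
# gets a yes/no plus a SHA-256 that can be pasted into VirusTotal.
# Usage: verify_against_package <installed-file> <package-archive> <member-path>
# Prints "match <hash>" or "MISMATCH <installed-hash> <package-hash>".

verify_against_package() {
    installed="$1" archive="$2" member="$3"
    tmp=$(mktemp -d) || return 2
    # Extract only the one member; -C before -f so the relative path
    # (e.g. usr/sbin/sshd.exe) lands under $tmp and not under $PWD.
    if ! tar -x -C "$tmp" -f "$archive" "$member" 2>/dev/null; then
        rm -rf "$tmp"; echo "ERROR: $member not found in $archive"; return 2
    fi
    have=$(sha256sum "$installed" | cut -d' ' -f1)
    want=$(sha256sum "$tmp/$member" | cut -d' ' -f1)
    rm -rf "$tmp"
    if [ "$have" = "$want" ]; then
        echo "match $have"; return 0
    fi
    echo "MISMATCH $have $want"; return 1
}

# Constructed fixture (assumption: no real Cygwin package cache is present):
# a stand-in package archive plus a clean and a tampered "installed" copy.
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg/usr/sbin"
    printf 'constructed stand-in for sshd.exe\n' > "$d/pkg/usr/sbin/sshd.exe"
    tar -c -C "$d/pkg" -f "$d/openssh-demo.tar" usr/sbin/sshd.exe
    cp "$d/pkg/usr/sbin/sshd.exe" "$d/good.exe"
    printf 'something else entirely\n' > "$d/bad.exe"
    echo "$d"
}

# Demo run on the constructed fixture: one clean copy, one tampered copy.
demo=$(make_demo_fixture)
verify_against_package "$demo/good.exe" "$demo/openssh-demo.tar" usr/sbin/sshd.exe
verify_against_package "$demo/bad.exe"  "$demo/openssh-demo.tar" usr/sbin/sshd.exe || true
rm -rf "$demo"
```

A match only proves the installed file equals the cached package copy; the package's own integrity is what setup.exe checks against the signed setup.ini when it downloads, so the comparison is meaningful only for archives that came through setup.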