Message-ID: <4CA5AEAD.5000406@charter.net>
Date: Fri, 01 Oct 2010 05:49:33 -0400
From: SJ Wright
To: cygwin AT cygwin DOT com
Subject: Re: What does this look like to you folks?
References: <4CA15E8B DOT 5070602 AT charter DOT net> <4CA16051 DOT 904 AT charter DOT net> <4CA5AAEF DOT 4020107 AT charter DOT net>
In-Reply-To: <4CA5AAEF.4020107@charter.net>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

SJ Wright wrote:
> Gregg Levine wrote:
>> On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright wrote:
>>
>>> SJ Wright wrote:
>>>
>>>> First, a little background:
>>>>
>>>> In quite a few previous edits of my .bash_aliases file, I've used
>>>> the same alias to cd to a particular folder. Tonight I typed it in
>>>> and got the following as a return:
>>>>
>>>>> [/cygdrive/c/blu/newest]
>>>>> mintty-cygwin>>smith
>>>>> + laugh
>>>>> + pwd
>>>>> /cygdrive/c/blu/newest
>>>>> + cd /cygdrive/c/taiga/
>>>>> + pwd
>>>>> /cygdrive/c/taiga
>>>>> + cd /cygdrive/c/taiga
>>>>> [/cygdrive/c/blu/newest]
>>>>>
>>>> When I went to view .bash_aliases in nano, the alias 'smith'
>>>> (changed at my prerogative for discussion on this list) was missing.
>>>> As far as I know, it was there as recently as 5 AM today; I believe
>>>> I used it around noon today (27 September) as well.
>>>>
>>>> Should I be worried? I've never heard of Cygwin being a target for
>>>> --the precise term escapes me at the moment so I'll say-- this kind
>>>> of intrusion, if that's what it is. As for potential "routes in," I
>>>> have sshd running on cygrunsrv but nothing else. Time to change my
>>>> login password, maybe?
>>>>
>>>> Steve W.
>>>>
>>>> --
>>>>
>>> Of course, I edited the path for the alias back into .bash_aliases
>>> (didn't want to give up the convenience, after all) but was prudent
>>> enough to use another word than "smith" for it. {Think first Duke of
>>> Marlborough.}
>>>
>>> SJW
>>>
>> Hello!
>> Well I ran Google on that term, and came up with the Wikipedia page.
>> ((Which I won't cite here.)) But don't you mean Mr Churchill the PM
>> actually? (He also was entitled to use that entry into the peerage.)
>>
>> You may not have anything to worry about, however I am not a security
>> expert as far as Cygwin goes, I'm more of a user on it, and even on
>> Linux.
>>
>> I do suggest you change your passwords for both that system and for
>> the SSH one.
>>
>> If that's not possible then make it impossible for the system to be
>> reached that way online via SSH.
>> -----
>> Gregg C Levine gregg DOT drwho8 AT gmail DOT com
>> "This signature fought the Time Wars, time and again."
>>
>> --
>> Problem reports: http://cygwin.com/problems.html
>> FAQ: http://cygwin.com/faq/
>> Documentation: http://cygwin.com/docs.html
>> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>>
> Anyone else care to chime in/advise/suggest something?
>
> Presently I'm doing a context search of my Cygwin folder for the word
> "laugh" (the outstanding non-command word or phrase used in the
> harmless hack). I've already scanned, by eye, grep and two
> developer-type text editors, my dotfiles and the default ones in
> /etc/defaults/ -- though frankly this last seems a little too obvious
> a route for anyone who's going to drop a 'sleeper' script that fouls
> up a shell alias to take.
>
> Ever notice how hackers and "script kiddies" tend to make targets of
> things people already are complaining about? Windows, numerous
> websites, and this, the latest maintenance upgrade of Cygwin. (But
> then, this is just an observation -- the only proof I have is in what
> happened to the change-directory alias known as "smith" in my
> .bash_aliases file, since modified.)
>
> SJ Wright
>

I just discovered what was going on. Someone had cloned the two bash
aliases I most often use as scripts in a folder of the same name in my
root Cygwin folder. Both of them had content similar to this:

> set -x
> function laugh(){
>
> pwd
> cd /cygdrive/c/taiga/
>
> pwd
> cd "$PWD"
> }
> laugh

(The above is "smith" in the main /scripts folder and "smith.sh" in the
sub-folder in which I keep edits.)

With a change to my ssh and system password, it's likely it will be a
while before this sort of thing happens again. I plan in the meantime to
srm these files and attempt to better secure the /scripts folder, its
local access as well.

Steve W.
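A defensive check suggested by what this message found, added here as example code that is not part of the thread: it lists alias names from a .bash_aliases-style file that also exist as executables on $PATH, so a script planted under an alias's name is visible before the alias goes missing and the script runs in its place. It assumes aliases are written in the plain `alias name='...'` form; the `demo` function builds a constructed temporary directory mirroring the "smith" case.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: find alias names in a
# .bash_aliases-style file that are also the name of an executable on
# $PATH. If the alias definition goes missing (as happened above), the
# executable of the same name runs in its place.
# Assumption: aliases are written in the plain  alias name='...'  form.

# Print the alias names defined in file $1, one per line.
alias_names() {
    sed -n 's/^[[:space:]]*alias[[:space:]]\{1,\}\([A-Za-z0-9_.-]\{1,\}\)=.*/\1/p' "$1"
}

# For every alias name in file $1, print "name<TAB>path" for each
# executable of that name found in a directory of $PATH.
shadowed_aliases() {
    local aliases_file=$1 name dir dirs
    IFS=: read -r -a dirs <<< "$PATH"
    alias_names "$aliases_file" | while IFS= read -r name; do
        for dir in "${dirs[@]}"; do
            [ -n "$dir" ] || dir=.          # empty PATH entry means cwd
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\t%s\n' "$name" "$dir/$name"
            fi
        done
    done
}

# Constructed demonstration: a scripts directory on PATH holding a file
# named "smith", like the cloned script in the thread, plus an aliases
# file defining "smith" and a second, unshadowed alias. The temp path is
# rewritten to the literal text $TMP so the output is stable.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir "$tmp/scripts"
    printf '#!/bin/sh\nset -x\npwd\n' > "$tmp/scripts/smith"
    chmod +x "$tmp/scripts/smith"
    printf "alias smith='cd /cygdrive/c/taiga/'\n" > "$tmp/aliases"
    printf "alias gotaiga='cd /cygdrive/c/taiga/'\n" >> "$tmp/aliases"
    PATH="$tmp/scripts:/usr/bin:/bin" shadowed_aliases "$tmp/aliases" \
        | sed "s|$tmp|\$TMP|"
    rm -rf "$tmp"
}

demo    # prints: smith<TAB>$TMP/scripts/smith
```

Run it against the real file with `shadowed_aliases ~/.bash_aliases`; an empty result means no PATH executable currently shares a name with one of the aliases.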