What does this look like to you folks?

SJ Wright sjwright68@charter.net
Fri Oct 1 09:49:00 GMT 2010


SJ Wright wrote:
> Gregg Levine wrote:
>> On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright <sjwright68@charter.net> 
>> wrote:
>>  
>>> SJ Wright wrote:
>>>    
>>>> First, a little background:
>>>>
>>>> In quite a few previous edits of my .bash_aliases file, I've used 
>>>> the same
>>>> alias to cd to a particular folder. Tonight I typed it in and got the
>>>> following as a return:
>>>>      
>>>>> [/cygdrive/c/blu/newest]
>>>>> mintty-cygwin>>smith
>>>>> + laugh
>>>>> + pwd
>>>>> /cygdrive/c/blu/newest
>>>>> + cd /cygdrive/c/taiga/
>>>>> + pwd
>>>>> /cygdrive/c/taiga
>>>>> + cd /cygdrive/c/taiga
>>>>> [/cygdrive/c/blu/newest]
>>>>>         
>>>> When I went to view .bash_aliases in nano, the alias 'smith' 
>>>> (changed at
>>>> my prerogative for discussion on this list) was missing. As far as 
>>>> I know,
>>>> it was there as recently as 5 AM today; I believe I used it around 
>>>> noon
>>>> today (27 September) as well.
>>>>
>>>> Should I be worried? I've never heard of Cygwin being a target for
>>>> --the
>>>> precise term escapes me at the moment so I'll say-- this kind of 
>>>> intrusion,
>>>> if that's what it is.  As for potential "routes in," I have sshd 
>>>> running on
>>>> cygrunsrv but nothing else. Time to change my login password, maybe?
>>>>
>>>> Steve W.
>>>>
>>>> -- 
>>>>
>>>>       
>>> Of course, I edited the path for the alias back into .bash_aliases 
>>> (didn't
>>> want to give up the convenience, after all) but was prudent enough 
>>> to use
>>> another word than "smith" for it. {Think first Duke of Marlborough.}
>>>
>>> SJW
>>>
>>>     
>>
>> Hello!
>> Well I ran Google on that term, and came up with the Wikipedia page.
>> ((Which I won't cite here.)) But don't you mean Mr Churchill the PM
>> actually? (He also was entitled to use that entry into the peerage.)
>>
>> You may not have anything to worry about, however I am not a security
>> expert as far as Cygwin goes, I'm more of a user on it, and even on
>> Linux.
>>
>> I do suggest you change your passwords for both that system and for 
>> the SSH one.
>>
>> If that's not possible then make it impossible for the system to be
>> reached that way online via SSH.
>> -----
>> Gregg C Levine gregg.drwho8@gmail.com
>> "This signature fought the Time Wars, time and again."
>>
>> -- 
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>
>>
>>   
> Anyone else care to chime in/advise/suggest something?
>
> Presently I'm doing a context search of my Cygwin folder for the word 
> "laugh" (the outstanding non-command word or phrase used in the 
> harmless hack). I've already scanned, by eye, grep and two 
> developer-type text editors, my dotfiles and the default ones in 
> /etc/defaults/ -- though frankly this last seems a little too obvious 
> a route for anyone who's going to drop a 'sleeper' script that fouls 
> up a shell alias to take.
>
> Ever notice how hackers and "script kiddies" tend to make targets of 
> things people already are complaining about? Windows, numerous 
> websites, and this, the latest maintenance upgrade of Cygwin. (But 
> then, this is just an observation -- the only proof I have is in what 
> happened to the change-directory alias known as "smith" in my 
> .bash_aliases file, since modified.)
>
> SJ Wright
>
>
>
>
I just discovered what was going on. Someone had cloned the two bash 
aliases I most often use as scripts in a folder of the same name in my 
root Cygwin folder. Both of them had content similar to this:
> set -x
> function laugh(){
>
> pwd
> cd /cygdrive/c/taiga/
>
> pwd
> cd "$PWD"
> }
> laugh
(The above is "smith" in the main /scripts folder and "smith.sh" in the 
sub-folder in which I keep edits.)
With a change to my ssh and system password, it's likely it will be a 
while before this sort of thing happens again. I plan in the meantime to 
srm these files and attempt to better secure the /scripts folder, its 
local access as well.

Steve W.





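The mechanism Steve uncovered (an executable on PATH carrying the same name as a shell alias, so that once the alias line is gone the script runs instead, and the `cd` inside it never moves the interactive shell because the script runs in a child process) can be checked for with a small audit script. The following is an added example, not code from the thread or from the Cygwin project: the fixture directory, the script body and the helper names (`find_shadowing_commands`, `resolve_on_path`, `pwd_after_running`) are all constructed here; only the alias name `smith` is taken from the thread.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. It reproduces the mechanism
# described in the thread: an executable on PATH with the same name as a shell
# alias takes over once the alias is gone, and a cd inside such a script runs
# in a child process, so the caller's directory is unchanged afterwards (which
# is why the set -x trace in the thread ends back in the starting directory).

# Constructed fixture: a temporary "bin" directory with a script named "smith"
# (the alias name from the thread; directory and script body are made up here).
FIXTURE_DIR=$(mktemp -d)
trap 'rm -rf "$FIXTURE_DIR"' EXIT
cat > "$FIXTURE_DIR/smith" <<'EOF'
#!/bin/sh
# Runs as a child process of the caller: this cd cannot move the caller.
cd /
pwd
EOF
chmod +x "$FIXTURE_DIR/smith"

# Print one "name<TAB>path" line for every executable file on the
# colon-separated PATHLIST whose basename equals one of the space-separated
# NAMES. These are the files that would run in place of a missing alias.
find_shadowing_commands() {
    names=$1
    pathlist=$2
    printf '%s\n' "$pathlist" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        for name in $names; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\t%s\n' "$name" "$dir/$name"
            fi
        done
    done
}

# Number of collisions reported by find_shadowing_commands.
count_shadowing_commands() {
    find_shadowing_commands "$1" "$2" | wc -l | tr -d ' '
}

# Where NAME resolves when PATH is PATHLIST and no alias is defined: the same
# lookup a non-interactive shell (or an interactive shell after the alias line
# was removed) performs. Prints the path, or nothing if NAME is not found.
resolve_on_path() {
    ( PATH=$2; command -v "$1" 2>/dev/null ) || true
}

# Run an external command and report whether the caller's working directory
# changed. For any external script the answer is "unchanged": only an alias,
# a shell function or a sourced file can cd on the caller's behalf.
pwd_after_running() {
    before=$(pwd)
    "$1" >/dev/null 2>&1 || true
    after=$(pwd)
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# Stand-alone demonstration with the fixture directory at the front of PATH.
echo "Collisions for 'smith laugh' on $FIXTURE_DIR:$PATH"
find_shadowing_commands "smith laugh" "$FIXTURE_DIR:$PATH"
echo "smith resolves to: $(resolve_on_path smith "$FIXTURE_DIR:$PATH")"
echo "caller directory after running it: $(pwd_after_running "$FIXTURE_DIR/smith")"
```

To audit a real bash session, feed it the names of the aliases actually defined there, e.g. `find_shadowing_commands "$(alias | sed 's/^alias \([^=]*\)=.*/\1/')" "$PATH"`; any hit is a file that scripts and non-interactive shells (which never expand aliases) already execute, and that an interactive shell will execute the moment the alias disappears, as happened here.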