What does this look like to you folks?
SJ Wright
sjwright68@charter.net
Fri Oct 1 09:49:00 GMT 2010
SJ Wright wrote:
> Gregg Levine wrote:
>> On Mon, Sep 27, 2010 at 11:26 PM, SJ Wright <sjwright68@charter.net> wrote:
>>
>>> SJ Wright wrote:
>>>
>>>> First, a little background:
>>>>
>>>> In quite a few previous edits of my .bash_aliases file, I've used the
>>>> same alias to cd to a particular folder. Tonight I typed it in and got
>>>> the following as a return:
>>>>
>>>>> [/cygdrive/c/blu/newest]
>>>>> mintty-cygwin>>smith
>>>>> + laugh
>>>>> + pwd
>>>>> /cygdrive/c/blu/newest
>>>>> + cd /cygdrive/c/taiga/
>>>>> + pwd
>>>>> /cygdrive/c/taiga
>>>>> + cd /cygdrive/c/taiga
>>>>> [/cygdrive/c/blu/newest]
>>>>>
>>>> When I went to view .bash_aliases in nano, the alias 'smith' (changed
>>>> at my prerogative for discussion on this list) was missing. As far as
>>>> I know, it was there as recently as 5 AM today; I believe I used it
>>>> around noon today (27 September) as well.
>>>>
>>>> Should I be worried? I've never heard of Cygwin being a target for
>>>> --the precise term escapes me at the moment so I'll say-- this kind of
>>>> intrusion, if that's what it is. As for potential "routes in," I have
>>>> sshd running on cygrunsrv but nothing else. Time to change my login
>>>> password, maybe?
>>>>
>>>> Steve W.
>>>>
>>>> --
>>>>
>>>>
>>> Of course, I edited the path for the alias back into .bash_aliases
>>> (didn't want to give up the convenience, after all) but was prudent
>>> enough to use another word than "smith" for it. {Think first Duke of
>>> Marlborough.}
>>>
>>> SJW
>>>
>>>
>>
>> Hello!
>> Well I ran Google on that term, and came up with the Wikipedia page.
>> ((Which I won't cite here.)) But don't you mean Mr Churchill the PM
>> actually? (He also was entitled to use that entry into the peerage.)
>>
>> You may not have anything to worry about, however I am not a security
>> expert as far as Cygwin goes, I'm more of a user on it, and even on
>> Linux.
>>
>> I do suggest you change your passwords for both that system and for
>> the SSH one.
>>
>> If that's not possible then make it impossible for the system to be
>> reached that way online via SSH.
>> -----
>> Gregg C Levine gregg.drwho8@gmail.com
>> "This signature fought the Time Wars, time and again."
>>
>> --
>> Problem reports: http://cygwin.com/problems.html
>> FAQ: http://cygwin.com/faq/
>> Documentation: http://cygwin.com/docs.html
>> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>>
>>
>>
> Anyone else care to chime in/advise/suggest something?
>
> Presently I'm doing a context search of my Cygwin folder for the word
> "laugh" (the outstanding non-command word or phrase used in the
> harmless hack). I've already scanned, by eye, grep and two
> developer-type text editors, my dotfiles and the default ones in
> /etc/defaults/ -- though frankly this last seems a little too obvious
> a route for anyone who's going to drop a 'sleeper' script that fouls
> up a shell alias to take.
>
> Ever notice how hackers and "script kiddies" tend to make targets of
> things people already are complaining about? Windows, numerous
> websites, and this, the latest maintenance upgrade of Cygwin. (But
> then, this is just an observation -- the only proof I have is in what
> happened to the change-directory alias known as "smith" in my
> .bash_aliases file, since modified.)
>
> SJ Wright
>
>
I just discovered what was going on. Someone had cloned the two bash
aliases I most often use as scripts in a folder of the same name in my
root Cygwin folder. Both of them had content similar to this:
> set -x
> function laugh(){
>
> pwd
> cd /cygdrive/c/taiga/
>
> pwd
> cd "$PWD"
> }
> laugh
(The above is "smith" in the main /scripts folder and "smith.sh" in the
sub-folder in which I keep edits.)
With a change to my ssh and system password, it's likely it will be a
while before this sort of thing happens again. I plan in the meantime to
srm these files and attempt to better secure the /scripts folder, its
local access as well.
Steve W.
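
An added example, not part of the original thread: a bash check for the situation described in the last message, where executable files in a scripts folder carry the same names as aliases kept in .bash_aliases. The function names, the `NAME.sh` variant check and the fixture layout are assumptions for illustration, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: report executable files whose names collide with alias names.

# Print the alias names defined in a bash aliases file (lines like: alias name='...').
alias_names() {
    sed -n "s/^[[:space:]]*alias[[:space:]]\{1,\}\([A-Za-z0-9_.-]\{1,\}\)=.*/\1/p" "$1"
}

# find_alias_shadows ALIASES_FILE DIR...
# For every alias name, list executable regular files called NAME or NAME.sh
# under the given directories (recursive, so sub-folders of edits are covered).
# If the alias line goes missing, bash falls back to such a file on PATH.
find_alias_shadows() {
    local aliases_file=$1 name hit
    shift
    alias_names "$aliases_file" | sort -u | while IFS= read -r name; do
        find "$@" -type f \( -name "$name" -o -name "$name.sh" \) -perm -100 2>/dev/null |
            sort | while IFS= read -r hit; do
                printf '%s\t%s\n' "$name" "$hit"
            done
    done
}

# Constructed sample data: an aliases file plus a scripts tree shaped like the
# one in the post (a "smith" script and a "smith.sh" copy in a sub-folder).
make_fixture() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/scripts/edits"
    printf "alias smith='cd /cygdrive/c/taiga'\nalias ll='ls -l'\n" > "$root/.bash_aliases"
    printf '#!/bin/bash\nset -x\n' > "$root/scripts/smith"
    printf '#!/bin/bash\nset -x\n' > "$root/scripts/edits/smith.sh"
    printf '#!/bin/bash\n' > "$root/scripts/backup"   # unrelated name, must not be reported
    chmod +x "$root/scripts/smith" "$root/scripts/edits/smith.sh" "$root/scripts/backup"
    printf '%s\n' "$root"
}

# Demo run on the constructed fixture.
root=$(make_fixture)
find_alias_shadows "$root/.bash_aliases" "$root/scripts"
rm -rf "$root"
```

On a real system the call would be `find_alias_shadows ~/.bash_aliases /scripts`; in an interactive shell, `type -a smith` lists every alias, function and file the name resolves to.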