I have noticed once in a while, as I view my processes via SysInternals' ProcessExplorerNT, that an sshd.exe keeps opening and then shutting down repeatedly, and so fast that the previous one is still marked as closing (highlighted in red) when the new one is starting (highlighted in green).
I am running WinXP Pro with cygwin installed and SSH access on port 22 (or the default port if I am remembering 22 incorrectly) so I can log into my main machine from my smaller one on the network as well as from work.
My only guesses as to what is happening are:
- There is a bug in cygwin or the sshd.exe program or something (less likely sshd.exe itself since it probably wouldn't be opening a new instance of itself, but bugs aren't really logical, are they?)
- I am under attack from someone trying to compromise my machine and using a brute force attempt to guess my password
Whenever I see this, I forcibly shut down the entire cygwin system with a "Kill Process Tree" on the cygrunsrv.exe program using ProcessExplorer and it stops. I have to reboot to get SSH access again, and it doesn't seem to start happening again until some random time later. (Rebooting requires a reconnect to my ISP and so a new IP address, which supports the attack theory...?)
Has anyone seen behavior like this? And if it is an attack, is there any way to get the IP address of who is trying to connect since the start/stop seems to be so quick? Or would it even matter if I did?
I expect I will probably need to just firewall off access to port 22 completely from outside my network to stop the attacks, but I am hoping that maybe it is something else and someone has come across it. Google searches have failed me utterly, though I have learned a lot about how to configure cygwin and SSH.
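
On the question of getting the connecting address: sshd starts a child process for each incoming connection and logs the source address of every failed login, so the log holds the address even when the processes come and go too fast to watch. The script below is an added example, not part of the original post; it tallies failed logins per address, and its function names, sample log lines and addresses are constructed for illustration.

```shell
#!/bin/sh
# Tally failed SSH logins per source address from OpenSSH sshd log text.
# Assumption: sshd writes its usual "Failed password for ..." lines to a text
# log; where that log lives depends on how the service was set up.

# Constructed sample lines (documentation-range addresses, not real data).
sample_log() {
cat <<'EOF'
Mar  3 02:14:01 host sshd[3120]: Invalid user admin from 203.0.113.45
Mar  3 02:14:03 host sshd[3120]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar  3 02:14:05 host sshd[3188]: Failed password for root from 203.0.113.45 port 40140 ssh2
Mar  3 02:14:07 host sshd[3204]: Failed password for invalid user from from 203.0.113.45 port 40151 ssh2
Mar  3 08:30:12 host sshd[4100]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Mar  3 08:30:20 host sshd[4100]: Accepted password for alice from 192.168.1.20 port 51000 ssh2
Mar  3 09:02:44 host sshd[4312]: Failed password for root from 198.51.100.7 port 33211 ssh2
EOF
}

# failed_by_ip: read sshd log text on stdin, print "count address" lines,
# highest count first.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # Take the field after the LAST "from": the user name is chosen
            # by the remote side and may itself be the word "from".
            for (i = NF; i > 1; i--) if ($(i-1) == "from") { n[$i]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# suspects MIN: read log text on stdin, print addresses with >= MIN failures.
suspects() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Run against a log file given as the first argument, else the sample above.
if [ -r "${1:-}" ]; then
    failed_by_ip < "$1"
else
    sample_log | failed_by_ip
fi
```

A long run of failures for many different user names from one outside address points to password guessing rather than a bug; a single failure from a LAN address, as in the sample, is more likely a typo.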