Thread: cygwin sshd weird behavior

  1. #1
    verbose cat
    Join Date
    Jun 2003
    Posts
    209

    cygwin sshd weird behavior

    I have noticed once in a while that as I view my processes via SysInternals' ProcessExplorerNT that an sshd.exe keeps opening and then shutting down repeatedly, and so fast that the previous one is still marked as closing (highlighted in red) when the new one is starting (highlighted in green).

    I am running WinXP Pro with cygwin installed and SSH access on port 22 (or the default port if I am remembering 22 incorrectly) so I can log into my main machine from my smaller one on the network as well as from work.

    My only guesses as to what is happening are:

    - There is a bug in cygwin or the sshd.exe program or something (less likely sshd.exe itself since it probably wouldn't be opening a new instance of itself, but bugs aren't really logical, are they?)

    - I am under attack from someone trying to compromise my machine and using a brute force attempt to guess my password

    Whenever I see this, I forceably shutdown the entire cygwin system with a "Kill Process Tree" on the cgrunsrv.exe program using ProcessExplorer and it stops. I have to re-boot to get SSH access again, and it doesn't seem to start happening again until some random time later. (Rebooting requires re-connect to my ISP so a new IP address, which supports the attack theory...?)

    Has anyone seen behavior like this? And if it is an attack, is there any way to get the IP address of who is trying to connect since the start/stop seems to be so quick? Or would it even matter if I did?

    I expect I will probably need to just firewall off access to port 22 completely from outside my network to stop the attacks, but I am hoping that maybe it is something else and someone has come across it. Google searches have failed me utterly, though I have learned a lot about how to configure cygwin and SSH.
    abachler: "A great programmer never stops optimizing a piece of code until it consists of nothing but preprocessor directives and comments "

  2. #2
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Hmm... for sshd.exe to be started and closed repeatedly from an outside source, your security would have to be compromised from somewhere else that would allow the attacker execute rights on the sshd.exe in your machine. This simply cannot be done from within the shell.

    Other than the usual virus scan and possibly a scan with BOClean, if you are using a personal firewall that allows the creation of rules on an application/IP basis, you can inspect your current firewall rules for anything suspicious and set to "Ask" any access to sshd.exe internal or not. Next attempt will allow you to view how sshd.exe is being accessed and determine if this is an attack.

    Does windows own task manager show this happening under the processes tab? You can easily check this by ordering the list by PID. There used to exist some problems between cygwin sshd.exe and PE that would even lead to crashes (try to inspect handles or dlls for the sshd.exe process under PE).

    I'm however more inclined towards some bug you've found. For two main reasons; sshd.exe was always prolific in ingenuous bugs and an attack (be it from a trojan, keylogger,...) is usually more sophisticated and inconspicuous.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  3. #3
    verbose cat
    Join Date
    Jun 2003
    Posts
    209
    Thanks Mario.
    I didn't want to just assume it was a bug, but it certainly could be. I'll see about updating to the latest version of the programs and see if it happens again.

    I have run Spybot, Adaware, an AVG Full Scan (still using 7.x) and a couple of online web-scanners with no hits. I installed the BOClean and have it running alongside AVG but it hasn't reported anything.

    As to an attack being more sophisticated and inconspicuous, you never know. A brute force attack like that might not even be coming from the original malicious party's computer. If they compromise enough machines and turn them into zombies, it could be my next-door neighbor's computer trying to break into mine. What would the cracker care if my neighbor gets in trouble?

    As for looking at the filehandles/threads/reg keys/etc with PE, there is no way. The program is starting and exiting almost instantly (at least, the 1 second update delay makes it seem that way) so right clicking certainly can bring up a menu, but by the time the menu appears, the application is closed and the next one is started already.

    I also have Windows firewall blocking connections to sshd.exe from outside of my network now. If it happens again before I can get things updated, I'll know it is definitely a bug and see about reporting it.
    abachler: "A great programmer never stops optimizing a piece of code until it consists of nothing but preprocessor directives and comments "

  4. #4
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by jEssYcAt View Post
    I installed the BOClean and have it running alongside AVG but it hasn't reported anything.
    Mind you BOClean has no resident scanner. You need to do the scans yourself.

    Meanwhile, best of luck.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  5. #5
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,656
    Consider running http://www.wireshark.org/ to get a complete trace of all the packets when you notice it happening.
    Then isolate and forward the sshd related packets to your ISP.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  6. #6
    Cat without Hat CornedBee's Avatar
    Join Date
    Apr 2003
    Posts
    8,895
    My sshd logs show an attempt to log in every few seconds. Just like my firewall shows attempts to connect to random ports twice per second or so. Nowadays, every computer on the web is under constant attack from zombies. These attempts use common usernames (especially root) and common passwords, so as long as your passwords are secure, there's nothing to worry about.

    Sshd spawns a process for every incoming connection. Does the master sshd run stable?
    All the buzzt!
    CornedBee

    "There is not now, nor has there ever been, nor will there ever be, any programming language in which it is the least bit difficult to write bad code."
    - Flon's Law

  7. #7
    verbose cat
    Join Date
    Jun 2003
    Posts
    209
    Yeah, there is always an sshd.exe running, and my attempts to log in never fail (unless I input the wrong password). My password is also a random collection of letters and numbers so I doubt I need to worry about even a brute force attack working unless they manage to keep at it for a long time.
    abachler: "A great programmer never stops optimizing a piece of code until it consists of nothing but preprocessor directives and comments "

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Problems with compiling code in cygwin
    By firyace in forum C++ Programming
    Replies: 4
    Last Post: 06-01-2007, 08:16 AM
  2. Weird cin behavior
    By Link_26 in forum C++ Programming
    Replies: 4
    Last Post: 06-25-2006, 09:25 PM
  3. really weird behavior, 16 bit asm w/masm
    By BobMcGee123 in forum A Brief History of Cprogramming.com
    Replies: 7
    Last Post: 12-01-2005, 06:45 PM
  4. Weird computer behavior
    By ober in forum Tech Board
    Replies: 14
    Last Post: 03-08-2005, 12:26 PM
  5. Weird Excel behavior
    By Govtcheez in forum Tech Board
    Replies: 1
    Last Post: 12-03-2004, 01:53 PM