Edited: Never mind the MinGW or .bash_history, I can see that is unlikely. Somebody attacking me and those bytes ending up in the frequently used file .bash_history by accident is not that unlikely, however. Is there anything legit that would look like this? The only thing I could think of apart from a NOP sled with canaries would be parts of a picture, but the fragment does not look like anything in an image editor. It also seems unlikely that somebody would paint a picture with mostly a #909090 gray.
I do programming but nothing security related, and don't run any servers on my computer. I'm thinking the .bash_history might have been corrupted by the system when I had to do a CHKDSK /F a few days ago. But simply having had those exploit-looking bytes anywhere on my computer makes me nervous.
I use MinGW for compiling unixy stuff under Windows and to have unixy shell commands available. I often grep .bash_history to remember what parameters for various commands I have previously used. (Don't ask why I don't use the built-in bash functions for this, just a habit.)
I recently found in my ~/.bash_history a long run of binary bytes which consists mostly of 0x90 - NOP. In this are shorter runs of other binary bytes which assemble into mostly valid instructions.
A recurring run is 82 20 f8 7d 2c 61 0a de 90 90 90 [then 90... repeated]
Online Disassembler says
82      (bad)
20f8    and al,bh
7d2c    jge $+2c
61      (bad)
0ade    or bl,dh
90      nop
90      nop
90      nop
90      nop
90      nop
90...   nop... repeated
Could this be part of a buffer overrun attack, with the NOP sled? Don't know much about this kind of stuff, and can't see how these particular instructions could do anything or how they would be executed. But I also can't see how they ended up in my .bash_history or what else would produce data like this. I have reason to believe that only part of the data was "captured" by .bash_history so more obvious malicious code might have been left out and only the potential NOP sled remained.
They are repeated over and over with ~850 NOPs in between.
What do you guys think? If this is not the right forum, do you have any suggestions on where I should be posting?
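A triage sketch for the pattern described in the post, as an added example that is not part of the original post: it locates long runs of 0x90 in a file and reports whether the bytes between the runs are identical and evenly spaced. The function names, the 16-byte minimum run length and the sample buffer are assumptions made for illustration; the sample is constructed from the 8-byte fragment and the ~850-byte spacing quoted above.

```python
import re
import sys
from collections import Counter

NOP = 0x90
FRAG = bytes.fromhex("8220f87d2c610ade")  # fragment quoted in the post
# Constructed sample: two shell lines around four fragment + 850 x 0x90 blocks.
SAMPLE = b"ls -la\n" + (FRAG + bytes([NOP]) * 850) * 4 + b"grep foo\n"

def find_runs(data, byte=NOP, min_len=16):
    """Return (offset, length) for every run of `byte` at least min_len long."""
    pattern = re.compile(re.escape(bytes([byte])) + b"{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]

def fragments_between(data, runs):
    """Return (offset, bytes) for the data sitting between consecutive runs."""
    return [(o1 + l1, data[o1 + l1:o2])
            for (o1, l1), (o2, _) in zip(runs, runs[1:])]

def summarize(data, byte=NOP, min_len=16):
    """Count runs, the share of the file they cover, and how regular the
    in-between fragments are (same content, same distance apart)."""
    runs = find_runs(data, byte, min_len)
    frags = fragments_between(data, runs)
    strides = Counter(b[0] - a[0] for a, b in zip(frags, frags[1:]))
    return {
        "runs": len(runs),
        "filler_ratio": sum(n for _, n in runs) / max(len(data), 1),
        "fragments": Counter(f for _, f in frags).most_common(3),
        "strides": strides.most_common(3),
    }

if __name__ == "__main__":
    # Pass a file path (e.g. a copy of the history file) or use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    report = summarize(data)
    print("runs of 0x%02x: %d" % (NOP, report["runs"]))
    print("share of file covered by runs: %.1f%%" % (100 * report["filler_ratio"]))
    for frag, count in report["fragments"]:
        print("fragment %s seen %d times" % (frag.hex(" "), count))
    for stride, count in report["strides"]:
        print("distance %d bytes between fragments, %d times" % (stride, count))
```

Run it against a copy of the file rather than the live one, so the evidence stays unmodified.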