
Author Topic: WARNING - WinUAE backdoor!  (Read 4765 times)


scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
WARNING - WinUAE backdoor!
« on: March 31, 2005, 07:22:16 AM »
Dear Friends of the Amiga!

Tonight I found some sort of proof that this machine,
currently running UAE, was corrupted by some sort of backdoor
program. As we all know, for AmigaOS there is no really
good firewall software, OS3.9 has no memory protection,
so...

I'm still learning to configure my Personal Firewall
(Sygate) correctly for the Windows 2000 side, I guess
the machine was wide open until now.

What I found first was a strange behaviour for SFSSalv.

SFSCheck (SmartFileSystem 1.236) reported a bad partition:


Lass jucken> sfscheck hd1

Partition start offset : 0x00000000:445d5e00   End offset : 0x00000003:45b30400
Surfaces         : 7       Blocks/Track  : 255
Bytes/Block      : 512     Sectors/Block : 1
Total blocks     : 25209555
Device interface : NSD (64-bit)

Checking RootBlocks
...okay
Checking AdminSpaceContainers at block 2
...okay
Checking NodeContainers at block 7
ObjectContainer at block 27543 doesn't contain node 95797
...damaged


I thought it would be best to save all data to
a free partition. SFSSalv is installed in C:,
but when I try to run it, I always get a
"Unknown command" error. This is true for
SFSSalv 0.17 and SFSSalv0.16, no matter where
they reside. I also found a very old version
somewhere, but it didn't work properly.

I tried to find the problem with SnoopDOS,
but nothing. The strange thing was that whenever
I ran VirusZ, it presented me a suspicious
CPU interrupt vector, level 6, pointing
to a destination outside the system area.

After a while I found a file with the
string "sync" of zero bytes length
in SYS:
It was obvious that it didn't belong
there, so I deleted it. Then I began
to fix the security holes on the Windows
side. At this point I was not sure where
the problem came from, but at the end of
a night of fiddling and restarting another
strange occurrence in SYS: caught my eye.
It is a binary called uae_rcli, the size
is 8956 bytes. I presume it can be
used to open a remote connection to a
UAE system, but I'm not good at coding
myself. However, a fast look with a hex editor
is always worth it, right? So here's
some of the ASCII data that was contained
in it:

Usage: [-h|?] [-debug] [-nofifo] []

fifo:uae_rcli/wmke -> Starting fifo-handler
run nil: l:fifo-handler -> Reopen fifo
-> Spawning shell
run execute fifo:uae_rcli/rsk echo "-> Remote cli running"
-> No fifo found
endcli endshell quit -> Exiting

If someone wants to take a further look
at this thingy, I'm willing to send it
to a trustworthy person for further analysis.

The display of the altered CPU vector
has vanished, but I don't know whether
this is due to my actions or due to
some advancement of data residing on
the HD. We will see...
I just hope this system will survive long
enough to be taken to OS4.0 some day. :-)

Take care!

scholle (Topic starter)
Re: WARNING - WinUAE backdoor!
« Reply #1 on: March 31, 2005, 11:08:40 AM »
I'm quite sure that the host system is compromised, too.

But it's harder to fix, because changes to the system are not
so "visible" as in AmigaOS, at least to me.

uae_rcli may be part of the original UAE, but I've never installed it on my system, for sure. So it must have come from outside.

The Sygate FW constantly shows strange traffic from constantly changing IPs with a faked domain name/WWW address, but all owned by AKAMAI.

The problem with sending the file is that I don't trust my ISP's DNS and mail servers; I've lost several important emails for unknown reasons. But I'll give it a try, thx!

Best regards,

Scholle

scholle (Topic starter)
Re: WARNING - WinUAE backdoor!
« Reply #2 on: April 04, 2005, 09:21:24 PM »
This was really worth it; AdAware alone found 15 entries. Bad, bad Alexa! ;-)

Many thx!

Scholle

scholle (Topic starter)
Re: WARNING - WinUAE backdoor!
« Reply #3 on: April 05, 2005, 11:17:33 PM »
Thanks, I've used most of the other recommended tools as well; maybe my choice of English words is not quite correct.
However, the problem with SFSSalv not working is the same as before...

Best regards,

Scholle

scholle (Topic starter)
Re: WARNING - WinUAE backdoor!
« Reply #4 on: April 09, 2005, 06:12:50 PM »
It would have been nice if it was that easy. :-)

But I tried PROTECT C:SFSSalv -e, and the error
"File is not executable" occurred. So it is there
but does not want to be started.

Appended is a full SnoopDos.log; for me it does not
help much...


SnoopDos-Log started am Samstag, 09-Apr-05  um 17:58:38

 Prozess Name            Aktion      Ziel Name                                        Optionen Res.
 ------------            ------      ---------                                        -------- ----
SnoopDos aktiviert um 17:59:04
 [2] Workbench           #DISK_INFO   4029124                                         CD0      OK  
 [2] Workbench           #DISK_INFO   4029138                                         ENV      OK  
 [2] Workbench           #DISK_INFO   402914C                                         RAM      OK  
 [2] Workbench           #DISK_INFO   4029160                                         HD0      OK  
 [2] Workbench           #DISK_INFO   4029174                                         DF0      OK  
 [2] Workbench           #DISK_INFO   4029188                                         HD1      OK  
 [2] Workbench           #DISK_INFO   402919C                                         HD2      OK  
 [2] Workbench           #DISK_INFO   40291B0                                         DF1      OK  
 [2] Workbench           #INFO        4149506,  406A222                               HD1      OK  
 [2] Workbench           #INFO        4129E9C,  406A222                               HD0      OK  
 [2] Workbench           #DISK_INFO   4029124                                         CD0      OK  
 [2] Workbench           #DISK_INFO   4029138                                         ENV      OK  
 [2] Workbench           #DISK_INFO   402914C                                         RAM      OK  
 [2] Workbench           #DISK_INFO   4029160                                         HD0      OK  
 [2] Workbench           #DISK_INFO   4029174                                         DF0      OK  
 [2] Workbench           #DISK_INFO   4029188                                         HD1      OK  
 [2] Workbench           #DISK_INFO   402919C                                         HD2      OK  
 [2] Workbench           #DISK_INFO   40291B0                                         DF1      OK  
 [2] Workbench           #INFO        4149506,  406A222                               HD1      OK  
 [2] Workbench           #INFO        4129E9C,  406A222                               HD0      OK  
 [4] Shell Process       FindVar     sfssalv                                          Alias    Fehl
 [4] Shell Process       *Lock       HD0:WBStartup/sfssalv                            Read     OK  
 [4] Shell Process       #LOC_OBJECT  412B224,  412B17B, FFFFFFFE                     HD0      OK  
 [4] Shell Process       #COPY_DIR    412B224                                         HD0      OK  
 [4] Shell Process       #EXAM_OBJEC  4156B16,  412B0F8                               HD0      OK  
 [4] Shell Process       #PARENT      4156B16                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] Shell Process       #EXAM_OBJEC  4156C0A,  412B0F8                               HD0      OK  
 [4] Shell Process       #PARENT      4156C0A                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156C0A                                         HD0      OK  
 [4] Shell Process       Lock        HD0:WBStartup/sfssalv                            Read     Fehl
 [4] Shell Process       *Lock       RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       #LOC_OBJECT  4030715,  412B17B, FFFFFFFE                     RAM      Fehl
 [4] Shell Process       #COPY_DIR    4030715                                         RAM      OK  
 [4] Shell Process       #EXAM_OBJEC  4030B6F,  412B0F8                               RAM      OK  
 [4] Shell Process       #PARENT      4030B6F                                         RAM      Fehl
 [4] Shell Process       #FREE_LOCK   4030B6F                                         RAM      OK  
 [4] Shell Process       Lock        RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     Fehl
 [4] Shell Process       #LOC_OBJECT  412AD52,  412B17B, FFFFFFFE                     HD0      Fehl
 [4] Shell Process       #EXAM_OBJEC  4156B16,  412B250                               HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] Shell Process       *Open       HD0:C/sfssalv                                    Read     OK  
 [4] Shell Process       #FINDINPUT   4156B17,  412AD52,  4129D55                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059CEC4,     5978                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 105A2B7C,      2C0                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #END        1055B028                                         HD0      OK  
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     OK  
 [4] Shell Process       #LOC_OBJECT  412AD52,  412B184, FFFFFFFE                     HD0      OK  
 [4] Shell Process       #PARENT      4156B16                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] sfssalv             *Lock       PROGDIR:                                         Read     OK  
 [4] sfssalv             #LOC_OBJECT  4156C0A,  416CF67, FFFFFFFE                     HD0      OK  
 [4] sfssalv             *Open       HD0:C/sfssalv                                    Read     OK  
 [4] sfssalv             #FINDINPUT   4156C3D,  4156B16,  4129D55                     HD0      OK  
 [4] sfssalv             #FREE_LOCK   4156B16                                         HD0      OK  
 [4] sfssalv             #READ       10599AA0, 105B3F78,     8000                     HD0      OK  
 [4] sfssalv             #READ       10599AA0, 105B3F78,     8000                     HD0      OK  
 [4] sfssalv             #END        10599AA0                                         HD0      OK  
 [4] sfssalv             RunCommand                                                   8192     Fehl
 [4] sfssalv             #FREE_LOCK   4156C0A                                         HD0      Fehl
 [4] Shell Process       GetVar      echo                                             Local    Fehl
 [4] Shell Process       GetVar      oldredirect                                      Local    Fehl
 [4] Shell Process       GetVar      keepdoublequotes                                 Local    Fehl
SnoopDos eingefroren um 17:59:13

Schliesse SnoopDos-Log um 17:59:28


Any ideas?

I've also noticed that I can run processes in the background
in UNIX/Linux style, i.e. using & instead of RUN. My original OS3.1 does not mention that. Hm.

Best regards,

Scholle