Author Topic: WARNING - WinUAE backdoor! (Read 4752 times)

scholle · « **Reply #14 from previous page:** April 09, 2005, 06:12:50 PM »

It would have been nice if it was that easy. :-)

But I tried PROTECT C:SFSSalv -e, and the error
"File is not executable" occurred. So it is there
but does not want to be started.

Appended is a full Snoopdos.log, for me it does not
help much...

SnoopDos-Log started am Samstag, 09-Apr-05 um 17:58:38

Prozess Name Aktion Ziel Name Optionen Res.
------------ ------ --------- -------- ----
SnoopDos aktiviert um 17:59:04
[2] Workbench #DISK_INFO 4029124 CD0 OK
[2] Workbench #DISK_INFO 4029138 ENV OK
[2] Workbench #DISK_INFO 402914C RAM OK
[2] Workbench #DISK_INFO 4029160 HD0 OK
[2] Workbench #DISK_INFO 4029174 DF0 OK
[2] Workbench #DISK_INFO 4029188 HD1 OK
[2] Workbench #DISK_INFO 402919C HD2 OK
[2] Workbench #DISK_INFO 40291B0 DF1 OK
[2] Workbench #INFO 4149506, 406A222 HD1 OK
[2] Workbench #INFO 4129E9C, 406A222 HD0 OK
[2] Workbench #DISK_INFO 4029124 CD0 OK
[2] Workbench #DISK_INFO 4029138 ENV OK
[2] Workbench #DISK_INFO 402914C RAM OK
[2] Workbench #DISK_INFO 4029160 HD0 OK
[2] Workbench #DISK_INFO 4029174 DF0 OK
[2] Workbench #DISK_INFO 4029188 HD1 OK
[2] Workbench #DISK_INFO 402919C HD2 OK
[2] Workbench #DISK_INFO 40291B0 DF1 OK
[2] Workbench #INFO 4149506, 406A222 HD1 OK
[2] Workbench #INFO 4129E9C, 406A222 HD0 OK
[4] Shell Process FindVar sfssalv Alias Fehl
[4] Shell Process *Lock HD0:WBStartup/sfssalv Read OK
[4] Shell Process #LOC_OBJECT 412B224, 412B17B, FFFFFFFE HD0 OK
[4] Shell Process #COPY_DIR 412B224 HD0 OK
[4] Shell Process #EXAM_OBJEC 4156B16, 412B0F8 HD0 OK
[4] Shell Process #PARENT 4156B16 HD0 OK
[4] Shell Process #FREE_LOCK 4156B16 HD0 OK
[4] Shell Process #EXAM_OBJEC 4156C0A, 412B0F8 HD0 OK
[4] Shell Process #PARENT 4156C0A HD0 OK
[4] Shell Process #FREE_LOCK 4156C0A HD0 OK
[4] Shell Process Lock HD0:WBStartup/sfssalv Read Fehl
[4] Shell Process *Lock RAM:sfssalv Read Fehl
[4] Shell Process #LOC_OBJECT 4030715, 412B17B, FFFFFFFE RAM Fehl
[4] Shell Process #COPY_DIR 4030715 RAM OK
[4] Shell Process #EXAM_OBJEC 4030B6F, 412B0F8 RAM OK
[4] Shell Process #PARENT 4030B6F RAM Fehl
[4] Shell Process #FREE_LOCK 4030B6F RAM OK
[4] Shell Process Lock RAM:sfssalv Read Fehl
[4] Shell Process *Lock HD0:C/sfssalv Read Fehl
[4] Shell Process #LOC_OBJECT 412AD52, 412B17B, FFFFFFFE HD0 Fehl
[4] Shell Process #EXAM_OBJEC 4156B16, 412B250 HD0 OK
[4] Shell Process #FREE_LOCK 4156B16 HD0 OK
[4] Shell Process *Open HD0:C/sfssalv Read OK
[4] Shell Process #FINDINPUT 4156B17, 412AD52, 4129D55 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 1059CEC4, 5978 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 105A2B7C, 2C0 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #END 1055B028 HD0 OK
[4] Shell Process *Lock HD0:C/sfssalv Read OK
[4] Shell Process #LOC_OBJECT 412AD52, 412B184, FFFFFFFE HD0 OK
[4] Shell Process #PARENT 4156B16 HD0 OK
[4] Shell Process #FREE_LOCK 4156B16 HD0 OK
[4] sfssalv *Lock PROGDIR: Read OK
[4] sfssalv #LOC_OBJECT 4156C0A, 416CF67, FFFFFFFE HD0 OK
[4] sfssalv *Open HD0:C/sfssalv Read OK
[4] sfssalv #FINDINPUT 4156C3D, 4156B16, 4129D55 HD0 OK
[4] sfssalv #FREE_LOCK 4156B16 HD0 OK
[4] sfssalv #READ 10599AA0, 105B3F78, 8000 HD0 OK
[4] sfssalv #READ 10599AA0, 105B3F78, 8000 HD0 OK
[4] sfssalv #END 10599AA0 HD0 OK
[4] sfssalv RunCommand 8192 Fehl
[4] sfssalv #FREE_LOCK 4156C0A HD0 Fehl
[4] Shell Process GetVar echo Local Fehl
[4] Shell Process GetVar oldredirect Local Fehl
[4] Shell Process GetVar keepdoublequotes Local Fehl
SnoopDos eingefroren um 17:59:13

Schliesse SnoopDos-Log um 17:59:28

Any ideas?

I've also noticed that I can run processes in the background
in UNIX/Linux style, i.e. using & instead of RUN . My original OS3.1 does not mention that. Hm.

Best regards,

Scholle

Piru · « **Reply #15 on:** April 09, 2005, 06:44:25 PM »

Quote

I've also noticed that I can run processes in the background in UNIX/Linux style, i.e. using & instead of RUN . My original OS3.1 does not mention that.

That's probably because your OS 3.1 manual doesn't cover AmigaOS 3.9 shell features.

Anyway, looking at that snoopdos log. Where is dos/LoadSeg debug?

It does read the file in LoadSeg it seems

Quote

4] Shell Process #FINDINPUT 4156B17, 412AD52, 4129D55 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 1059CEC4, 5978 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 105A2B7C, 2C0 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #READ 1055B028, 1059C240, 400 HD0 OK
[4] Shell Process #END 1055B028 HD0 OK

That's LoadSeg reading the executable. But... does it return proper seglist? For that we need dos/LoadSeg enabled in snoopdos.

It could be the executable is corrupt and thus LoadSeg fails to load it.

[EDIT] actually... It does load it ok.

Quote

[4] sfssalv *Lock PROGDIR: Read OK
[4] sfssalv #LOC_OBJECT 4156C0A, 416CF67, FFFFFFFE HD0 OK
[4] sfssalv *Open HD0:C/sfssalv Read OK
[4] sfssalv #FINDINPUT 4156C3D, 4156B16, 4129D55 HD0 OK
[4] sfssalv #FREE_LOCK 4156B16 HD0 OK
[4] sfssalv #READ 10599AA0, 105B3F78, 8000 HD0 OK
[4] sfssalv #READ 10599AA0, 105B3F78, 8000 HD0 OK
[4] sfssalv #END 10599AA0 HD0 OK
[4] sfssalv RunCommand 8192 Fehl
[4] sfssalv #FREE_LOCK 4156C0A HD0 Fehl

However, it fails miserably when executing...

boing · « **Reply #16 on:** April 27, 2005, 09:04:07 AM »

>But I tried PROTECT C:SFSSalv -e,

He said PROTECT C:SFSSalv +e

+e not -e

Author Topic: WARNING - WinUAE backdoor! (Read 4752 times)

scholle

Re: WARNING - WinUAE backdoor!

Piru

Re: WARNING - WinUAE backdoor!

boing

Re: WARNING - WinUAE backdoor!