maemo.org - Talk: Maemo 5 / Fremantle
Possible malware or compromised package.. (https://talk.maemo.org/showthread.php?t=87836)

michaaa62 2012-11-13 07:31

Re: Possible malware or compromised package..
 
Did you try to check the basic setup of the Linux system, like users set up in /etc/shadow (is there shadow~ as a backup?), groups and their permissions, cron jobs for specific users and system users?
Did you try to get chkrootkit from the Debian repo installed?

reinob 2012-11-13 08:50

Re: Possible malware or compromised package..
 
Quote:

Originally Posted by michaaa62 (Post 1293663)
Did you try to check the basic setup of the Linux system, like users set up in /etc/shadow (is there shadow~ as a backup?), groups and their permissions, cron jobs for specific users and system users?

Maemo ain't got no /etc/shadow :)

erendorn 2012-11-13 09:46

Re: Possible malware or compromised package..
 
Can you log the D-Bus commands used to send SMS? (if the program is using that interface)

zitstif 2012-11-13 17:02

Re: Possible malware or compromised package..
 
It's beginning to look like it might have been smscon. When I looked at smscon's logs, it stated something like, "WARNING: running in stolen mode". It would then send SMS messages to +0123456789 periodically. Also, ever since removing smscon, I haven't had any outgoing SMS messages to Egypt or Romania (YET).

However, I will keep you updated because it might not be smscon.

sixwheeledbeast 2012-11-13 18:44

Re: Possible malware or compromised package..
 
Quote:

Originally Posted by zitstif (Post 1293870)
It's beginning to look like it might have been smscon. When I looked at smscon's logs, it stated something like, "WARNING: running in stolen mode". It would then send SMS messages to +0123456789 periodically. Also, ever since removing smscon, I haven't had any outgoing SMS messages to Egypt or Romania (YET).

However, I will keep you updated because it might not be smscon.

You may want to ask in the SMSCON thread and also read the smscon wiki page.
I have been using SMSCON with no issues for some time.

The +0123456789 number you speak of in the logs may be incorrect; IIRC some of the smscon.log personal data is stripped for security reasons.

peterleinchen 2012-11-13 20:26

Re: Possible malware or compromised package..
 
The +0123456789 is of course a dummy (not a valid country code), so there may be any number behind.
Keep us updated ...

demolition 2012-11-13 21:44

Re: Possible malware or compromised package..
 
One solution that's worth trying, if you've got an old/other phone about, is to get a PAYG SIM and the minimum credit. Then use this PAYG number as the smscon "emergency contact". If you try the number of someone you know, warn him/her first: if you wake up at 3 o'clock in the night and check your phone for the time, he/she will get an SMS!

smscon is not malware but, yes, it will send messages to the predefined number whenever the phone does something.

zitstif 2012-11-14 03:27

Re: Possible malware or compromised package..
 
No SMS messages out to Egypt or Romania so far. :p

For the record, I didn't configure smscon either, I just installed it.

I had it installed a year or two ago without having this problem. So I wonder if the maintainers/developers updated it?

zitstif 2012-11-19 06:07

Re: Possible malware or compromised package..
 
So far.. no more outgoing messages to Egypt or Romania.. I think it may have been smscon.

cantruchd 2012-11-19 06:43

Re: Possible malware or compromised package..
 
Have you tried asking in the smscon thread?


All times are GMT.