Possible malware or compromised package..
So I have removed cherry and I have installed notmynoia, however it appears that my n900 is still sending premium-rate SMS messages to Egypt and Romania:

11/10/12 10:45 PM SMOINT ROMANIA (S) 0000000000l
11/10/12 10:45 PM SMOINT EGYPT (S) 0000000000l
11/10/12 09:56 PM SMOINT EGYPT (S) 0000000000l
11/10/12 09:56 PM SMOINT EGYPT (S) 0000000000l
11/10/12 07:27 PM SMOINT EGYPT (S) 0000000000l
11/10/12 07:27 PM SMOINT EGYPT (S) 0000000000l

Does anyone have a good method for hunting down the application that is doing this? What tools would one suggest? lsof? Is there a stealthy way I can monitor my outgoing SMS messages? Because it appears that none of these text messages are being logged. I would greatly appreciate any words of wisdom.

Also here is my current process list:

ps -A
PID USER VSZ STAT COMMAND
1 root 2076 S /sbin/init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
6 root 0 SW [kblockd/0]
7 root 0 SW [cqueue]
8 root 0 SW [twl4030-irqchip]
9 root 0 SW [twl4030-irq]
10 root 0 SW [omap2_mcspi]
11 root 0 SW [ksuspend_usbd]
12 root 0 SW [khubd]
13 root 0 SW [pdflush]
14 root 0 SW [pdflush]
15 root 0 SW [kswapd0]
16 root 0 SW [aio/0]
26 root 0 SW [ubi_bgt0d]
27 root 0 SW [kondemand/0]
28 root 0 SW [ubifs_bgt0_0]
107 root 1664 S /sbin/udevd --daemon
281 root 0 SW [vibra]
460 root 0 SW [bluetooth]
502 root 0 SW [nokia-av]
503 root 0 SW [kmmcd]
533 root 0 SW [mboxd/0]
562 root 0 DW [wl12xx]
588 root 0 SW [mmcqd]
609 root 0 SW [mmcqd]
695 root 1776 S < /sbin/dsme -p /usr/lib/dsme/libstartup.so
703 root 3848 S /usr/sbin/sshd -D
709 root 8216 S /sbin/dsme-server -p /usr/lib/dsme/libstartup.so
721 root 0 SW [file-storage-ga]
730 root 3376 S /usr/sbin/bme_RX-51
743 messageb 3436 S < /usr/bin/dbus-daemon --system --nofork
751 root 3376 S /usr/libexec/n900-fmrx-enabler --nodaemon
753 root 2428 S /usr/sbin/sscd -f
757 root 4716 S /usr/sbin/alsaped -p 4 -f /usr/share/policy/etc/current/alsaped.conf
773 root 15220 S /usr/sbin/omap3camd -d /dev/video0 -f /tmp/omap3camd0-installed
780 pulse 82968 S < /usr/bin/pulseaudio --system --high-priority
785 haldaemo 4564 S /usr/sbin/hald --verbose=no --daemon=no --use-syslog
787 root 8108 S /usr/sbin/ohmd --no-daemon
790 root 3396 S /usr/sbin/csd -m -p call -p gprs -p info -p net -p sim -p simpb -p sms -p ss
794 root 3424 S /usr/sbin/sms-manager
800 root 3476 S /usr/sbin/sysinfod --system
805 root 5572 S < /sbin/mce --force-syslog
809 root 3328 S hald-runner
810 root 3636 S /usr/sbin/wappushd -b
812 root 3988 S /usr/lib/gconf2/gconfd-2
828 root 0 SW [sgx_perf]
832 root 1528 S /usr/sbin/dsp-manager
840 haldaemo 3496 S {hald-addon-omap} hald-addon-gpio: listening on /sys/devices/platform/gpio-switch/slide/state /sys/devices/platform/gpio-switch/sleep_ind/state /sy
843 root 14976 S /usr/sbin/omap3camd -d /dev/video1
849 haldaemo 3088 S {hald-addon-usb-} hald-addon-usb-cable: listening on /sys/devices/platform/musb_hdrc/usb1/../mode
854 root 0 SW [kjournald]
862 root 3420 S /usr/lib/hal/hald-addon-generic-backlight
863 root 0 SW [SGXOSTimer/0]
864 root 0 SW [sgx_misr]
875 root 22480 S < /usr/bin/Xorg -logfile /tmp/Xorg.0.log -logverbose 1 -nolisten tcp -noreset -s 0 -core
878 root 3424 S {hald-addon-inpu} hald-addon-input: Listening on /dev/input/event3 /dev/input/event1 /dev/input/event0 /dev/input/event2
895 haldaemo 3088 S {hald-addon-mmc} hald-addon-mmc: listening on /sys/class/mmc_host/mmc0/cover_switch
899 root 3628 S /usr/bin/clockd
908 root 3416 S /usr/lib/hal/hald-addon-als
909 root 3480 S /usr/lib/hal/hald-addon-bme
911 root 3436 S /usr/lib/hal/hald-addon-cpufreq
923 root 25200 S /usr/bin/signond
942 root 3412 S /usr/sbin/bluetoothd -n
965 user 2832 S dbus-launch --exit-with-session
969 user 3012 S < /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
983 user 42932 S /usr/bin/maemo-xinput-sounds
990 user 3344 S /usr/bin/profiled
993 user 3324 S /usr/bin/ohm-session-agent
999 root 0 SW< [krfcommd]
1025 user 23080 S /usr/bin/maemo-launcher --send-app-died --booster gtk,cpp --quiet --daemon
1026 user 3848 S /usr/sbin/alarmd
1030 user 12672 S /usr/lib/sapwood/sapwood-server
1032 user 27512 S /usr/bin/systemui
1057 root 1972 S /usr/bin/iphbd
1059 user 6016 S /usr/lib/gvfs/gvfsd
1073 user 6512 S /usr/lib/gvfs/gvfs-hal-volume-monitor
1090 user 5540 S /usr/bin/mission-control
1096 user 23452 S < /usr/bin/hildon-sv-notification-daemon
1101 user 4692 S /usr/lib/telepathy/telepathy-ring
1140 user 3936 S /usr/bin/hildon-status-menu
1142 user 98.6m S /usr/bin/hildon-status-menu
1143 user 3936 S /usr/bin/camera-ui
1144 user 55180 S /usr/bin/camera-ui
1146 user 3936 S /usr/bin/hildon-home
1148 user 3936 S /usr/bin/hildon-desktop
1150 user 30656 S /usr/bin/hildon-home
1151 user 71044 S /usr/bin/hildon-desktop
1154 user 8368 S /usr/libexec/gnome-vfs-daemon
1166 user 23224 S /usr/lib/evolution-data-server/e-addressbook-factory
1180 root 4136 S /usr/sbin/wlancond
1182 root 7932 S /usr/bin/location-proxy --no-detach
1183 root 20812 S < /usr/bin/tonegend -s ansi -b 100 -r 20 -D module-stream-restore.id=x-maemo-key-pressed -I media.role=phone,module-stream-restore.id=sink-input-by-m
1186 root 2624 S /usr/bin/app-detect -p 1
1190 nobody 2160 S /usr/sbin/dnsmasq -k -i lo -a 127.0.0.1 -z
1211 root 13200 S python /opt/smscon/smscon_daemon
1246 user 4616 S /usr/bin/clipboard-manager
1247 root 4544 S /usr/sbin/icd2 -l2
1248 user 31784 S N /usr/lib/tracker/trackerd
1255 root 5616 S /usr/sbin/hulda
1257 user 3936 S /usr/bin/osso-connectivity-ui-conndlgs
1264 user 28392 S /usr/bin/osso-connectivity-ui-conndlgs
1265 root 5616 S /usr/sbin/hulda
1266 user 17584 S /usr/bin/hildon-input-method
1272 user 3212 S /usr/lib/obex/obexd --nodaemon --opp --ftp --pcsuite --symlinks --tty /dev/ttyGS0 --root .obex-root --root-setup /usr/bin/obex-root-setup --capabil
1273 user 42672 S /usr/sbin/browserd -d
1288 user 39240 S < /usr/bin/mafw-dbus-wrapper mafw-gst-renderer
1292 user 7920 S /usr/bin/mafw-dbus-wrapper mafw-iradio-source
1303 user 16916 S /usr/bin/mafw-dbus-wrapper mafw-tracker-source
1308 user 9260 S /usr/bin/mafw-dbus-wrapper mafw-upnp-source
1310 user 1524 S /usr/sbin/temp-reaper
1328 user 4852 S /usr/sbin/maesync_controller
1339 root 8236 S /usr/sbin/ke-recv
1340 user 18232 S /usr/bin/syncd
1348 user 24512 S /usr/bin/osso-abook-home-applet
1390 user 14116 S /usr/libexec/hildon-thumbnailerd
1472 user 3936 S /usr/bin/osso-addressbook
1473 user 27472 S /usr/bin/osso-addressbook
1476 user 3936 S /usr/bin/rtcom-call-ui
1482 user 29944 S /usr/bin/rtcom-call-ui
1484 user 3936 S /usr/bin/rtcom-messaging-ui
1485 user 28236 S /usr/bin/rtcom-messaging-ui
1486 user 70260 S /usr/sbin/browserd -s 1486 -n RTComMessagingServer
1489 user 3936 S /usr/bin/browser
1490 user 29292 S /usr/bin/browser
1492 user 3936 S /usr/bin/image-viewer
1493 user 35144 S /usr/bin/image-viewer
1496 user 3936 S /usr/bin/Calendar
1497 user 28260 S /usr/bin/Calendar
1508 user 3936 S /usr/bin/modest
1509 user 45912 S /usr/bin/modest
1641 user 64308 S /usr/sbin/browserd -s 1641 -n browserui
1738 user 3936 S /usr/bin/osso-xterm
1739 user 30200 S /usr/bin/osso-xterm
1740 user 2792 S gnome-pty-helper
1741 user 2912 S -sh
1743 root 2836 S {gainroot} /bin/sh /usr/sbin/gainroot
1744 root 4772 S /bin/bash
1748 user 9864 S N /usr/lib/tracker/tracker-indexer
1755 root 15964 S /usr/bin/eapd
1759 root 1628 S /sbin/udhcpc -i wlan0 -s /etc/udhcpc/libicd_network_ipv4.script -H Nokia-N900 -f -R 15
1826 root 6456 S {sshd} sshd: root@pts/1
1828 root 2912 S -sh

To discover how my phone is sending out SMS messages to Egypt and Romania, I simply log in to my T-Mobile account and check my usage. (If you're curious, I'm located in the United States.)

Here is my dpkg --list output: http://pastebin.com/ZLamwuGx

I most likely installed something that may have been compromised through the program I've been working on since June of this year: http://pastebin.com/Nwtf9fVW (lines 262, 285, 1135, 1165). Of course other programs are downloaded through git/wget/svn, but (maybe I'm a fool for thinking so) I think these programs are safe.

The program is a shell script that automates 'weaponizing' the n900 to save myself and other individuals the time of manually installing all these packages. In some of the code there are spots where I use the -y and --force-yes flags with apt-get install. I thought about the risks of doing so, but I had never had any issues with my n900 doing anything out of the ordinary since using these options until now. Here are the repos that this program adds:

deb http://repository.maemo.org/extras-testing/ fremantle free non-free
deb http://repository.maemo.org/extras-devel/ fremantle free non-free
deb http://my-maemo.com/repository/ fremantle user
deb https://downloads.maemo.nokia.com/fremantle/ovi/ ./
deb http://repository.maemo.org fremantle/tools free non-free
deb-src http://repository.maemo.org fremantle/tools free non-free

I would appreciate any words of wisdom or any tips! :)
Re: Possible malware or compromised package..
That's some information that you didn't post initially!
If you've developed the linked script, which installs who-knows-fvcking-what from a bunch of repositories, then I don't know why you are surprised your N900 is sending premium SMS! That's like the least that could be happening. Your N900 could be controlling a f*cking botnet! Do yourself a favor. Reflash your N900 *completely* and then install your stuff one by one. Just in case, before you do that, verify the settings of smscon (a tool *you* chose to install, so you should know what it does). I don't know if this thread will lead anywhere, but for all I care, at the moment, *you* are the malware who has compromised your N900 (no offence intended, it's just like that!). Cheers and best of luck!
Re: Possible malware or compromised package..
Thanks for your reply..
My next thought was to go through and install each program one by one. But does anyone know of any packages/tools that have been compromised that the community should be aware of? I think this is important to let the maemo/n900 community know, to save others the hassle.
Re: Possible malware or compromised package..
If you want some specific advice beyond reflashing, try to purge smscon and see if that stops the SMS'ing.
Re: Possible malware or compromised package..
I will try removing smscon and see if this mends the issue. :) I will let you all know what happens.
Re: Possible malware or compromised package..
In your T-Mobile account, do you have any way to see the numbers those SMS get sent to? Maybe try strings/grepping for them in /usr and/or /opt and/or elsewhere.
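The strings/grep hunt suggested above, worked through as an added example (this is not code from the thread or from any Maemo package). It scans an install tree for anything that looks like an international number and flags the two country codes on the bill, 20 for Egypt and 40 for Romania; the sample tree, file names and numbers it builds are constructed, and it assumes GNU grep:

```sh
#!/bin/sh
# Added example, not from the thread: hunt an install tree for hard-coded
# destination numbers. Egypt is country code 20 and Romania 40, so tokens
# beginning "+20"/"0020" or "+40"/"0040" are flagged; every other 8-15 digit
# run is listed as OTHER, because a bare "20..." may just be a date.

# Print "file:line:number" for each E.164-looking token under a directory.
# GNU grep flags: -r recurse, -E extended regex, -a treat binaries as text,
# -o only the matching part, -n line numbers. BusyBox grep on the N900 may
# lack -a; scp the tree to a desktop box if so.
list_numbers() {
    grep -rEaon '(\+|00)?[0-9]{8,15}' "$1" 2>/dev/null
}

# Classify one token by its international prefix.
classify_number() {
    case "$1" in
        +20*|0020*) echo EGYPT ;;
        +40*|0040*) echo ROMANIA ;;
        *)          echo OTHER ;;
    esac
}

# "CLASS file:line:number" for every hit, sorted.
scan_tree() {
    list_numbers "$1" | while IFS= read -r hit; do
        echo "$(classify_number "${hit##*:}") $hit"
    done | sort
}

# Unique files holding at least one Egypt/Romania number: the review queue.
flagged_files() {
    scan_tree "$1" | awk '$1 != "OTHER" { print $2 }' | cut -d: -f1 | sort -u
}

# Constructed sample tree standing in for /usr and /opt (all names made up).
make_sample_tree() {
    root=$1
    mkdir -p "$root/opt/evil" "$root/usr/share/app" "$root/usr/share/doc" "$root/usr/bin"
    printf 'DEST = "+40700123456"\nimport os\n' > "$root/opt/evil/daemon.py"
    printf 'premium=0020100123456\nretry=30\n' > "$root/usr/share/app/config"
    printf 'built 2012111022 for fremantle\n' > "$root/usr/share/doc/readme"
    # fake binary: a number followed by NUL bytes, to exercise grep -a
    printf '+201001234567\000\000\177ELF\n' > "$root/usr/bin/helper"
}

# On the phone (as root): scan_tree /usr; scan_tree /opt; flagged_files /opt
if [ "$1" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_tree "$tmp"
    scan_tree "$tmp"; echo "--- flagged:"; flagged_files "$tmp"
    rm -rf "$tmp"
fi
```

Two caveats. The bill shows "0000000000l" rather than a real destination, so there is nothing exact to grep for; the country-code heuristic is the fallback, and a bare digit run starting with 20 or 40 is deliberately left as OTHER rather than flagged, since dates and serial numbers look the same. And a daemon that fetches its destination number from the network at runtime leaves nothing on disk to find, which is why the D-Bus trace suggested later in the thread complements this.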
Re: Possible malware or compromised package..
11/10/12 10:45 PM SMOINT ROMANIA (S) 0000000000l
11/10/12 10:45 PM SMOINT EGYPT (S) 0000000000l
11/10/12 09:56 PM SMOINT EGYPT (S) 0000000000l
11/10/12 09:56 PM SMOINT EGYPT (S) 0000000000l
11/10/12 07:27 PM SMOINT EGYPT (S) 0000000000l
11/10/12 07:27 PM SMOINT EGYPT (S) 0000000000l

The "0000000000l" entries are the phone numbers according to my T-Mobile account. I believe this number is associated with interfacing between SMS and email. (I could be wrong though.) This is why I initially thought that this might have been the MyNokia registration program doing this.
Re: Possible malware or compromised package..
If you are using T-Mobile, you can choose to block paid SMS, right? (From their website you can turn the setting on and off.)
I did that before for my T-Mobile.
Re: Possible malware or compromised package..
Thank you for the suggestion, but I want to get to the root of this. :-)
Re: Possible malware or compromised package..
Did you try to check the basic setup of the Linux system, like the users set up in /etc/shadow (is there a shadow~ as a backup?), groups and their permissions, and cron jobs for specific users and system users?
Did you try to get chkrootkit from the Debian repo installed?
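The account, shadow-backup and cron checks suggested above, as an added example that is not code from the thread. The functions take a root directory so they can be pointed at the live phone (/) or at a copy of its rootfs; the sample rootfs at the bottom, including its account names, hashes and cron job, is constructed:

```sh
#!/bin/sh
# Added example, not from the thread: the /etc/shadow, UID-0 and cron checks
# suggested above, written against a root directory so the same functions
# work on the live phone (root "/") or on a copy of its rootfs. The sample
# tree at the bottom is constructed; names and hashes are made up.

# Accounts other than root whose UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Compare /etc/shadow with its shadow~ backup: accounts that are new since the
# backup, and accounts whose password hash changed.
shadow_changes() {
    root=$1
    [ -f "$root/etc/shadow~" ] || { echo "no $root/etc/shadow~ to compare against" >&2; return 1; }
    awk -F: '
        NR == FNR { old[$1] = $2; next }          # first file: the backup
        !($1 in old) { print "NEW " $1 }
        ($1 in old) && old[$1] != $2 { print "CHANGED " $1 }
    ' "$root/etc/shadow~" "$root/etc/shadow"
}

# Every active cron line, prefixed with the file it came from.
cron_entries() {
    root=$1
    for f in "$root/etc/crontab" "$root/etc/cron.d"/* "$root/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#$root}: |"
    done
}

# Constructed sample rootfs (UID 29999 is Maemo's "user" account).
make_sample_root() {
    root=$1
    mkdir -p "$root/etc/cron.d" "$root/var/spool/cron/crontabs"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user:x:29999:29999:Maemo user:/home/user:/bin/sh
toor:x:0:0::/tmp:/bin/sh
EOF
    cat > "$root/etc/shadow~" <<'EOF'
root:$1$oldhash:15000:0:99999:7:::
user:!:15000:0:99999:7:::
EOF
    cat > "$root/etc/shadow" <<'EOF'
root:$1$newhash:15600:0:99999:7:::
user:!:15000:0:99999:7:::
toor:$1$evilhash:15600:0:99999:7:::
EOF
    printf '# constructed rogue job\n*/15 * * * * root /opt/evil/beacon.sh\n' > "$root/etc/cron.d/evil"
}

# On the phone, as root: uid0_accounts /; shadow_changes /; cron_entries /
```

The shadow comparison only tells you what changed since the backup was written, so if shadow~ is missing or as old as the compromise it proves nothing; that is the gap chkrootkit's signature checks fill. Note also that the process list already posted shows a root daemon started from /opt (python /opt/smscon/smscon_daemon), and a root service is as much a persistence point as a cron job; on Maemo 5 the matching startup files live under /etc/event.d, which is worth reading alongside the cron output.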
Re: Possible malware or compromised package..
Can you log the D-Bus commands used to send SMS? (If the program is using that interface.)
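Logging the D-Bus side, as an added example that is not code from the thread. The interface that csd / sms-manager actually export for sending SMS on the N900 is not stated anywhere in the thread, so rather than guess a name the capture records every system-bus method call and filters for "sms" afterwards; the part that is standard is mapping a unique bus name such as ":1.42" to a PID with org.freedesktop.DBus.GetConnectionUnixProcessID. The sample log below is constructed and uses a made-up com.example interface:

```sh
#!/bin/sh
# Added example, not from the thread: attribute SMS-related D-Bus traffic to
# a PID. The SMS interface name on the N900 is unknown here, so the capture
# matches any method call whose header mentions "sms"; the sample log is
# constructed with a made-up com.example interface.

# Live capture (run as root on the phone while the rogue SMS goes out).
# dbus-monitor has no regex filter, so record every method call and filter after.
capture_calls() {          # capture_calls /tmp/dbus.log
    dbus-monitor --system "type='method_call'" | tee "$1"
}

# Pure text: unique "sender member" pairs for SMS-related method calls in a log.
# Works for both the old (N900-era) and newer dbus-monitor header formats,
# since both carry "sender=" and "member=".
sms_senders() {
    grep -E '^method call' "$1" | grep -i 'sms' \
        | sed -E 's/.*sender=([^ ]+).*member=([^ ;]+).*/\1 \2/' | sort -u
}

# Pure text: pull the PID out of a dbus-send --print-reply answer, which looks like
#   method return sender=org.freedesktop.DBus -> dest=:1.50 reply_serial=2
#      uint32 1211
parse_pid_reply() {
    awk '/uint32/ { print $2 }'
}

# Live: unique bus name (":1.42") -> PID via the standard org.freedesktop.DBus
# method (part of the D-Bus spec, unlike the SMS interface), then -> command
# line via /proc.
sender_pid() {
    dbus-send --system --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
        "string:$1" | parse_pid_reply
}
pid_cmdline() { tr '\000' ' ' < "/proc/$1/cmdline"; echo; }

# Live: for each SMS-related sender in a captured log, print who it was.
attribute_log() {
    sms_senders "$1" | while read -r sender member; do
        pid=$(sender_pid "$sender")
        echo "$sender ($member) pid=$pid $(pid_cmdline "$pid")"
    done
}

# Constructed sample in the old dbus-monitor format (interface name is made up).
write_sample_log() {
    cat > "$1" <<'EOF'
signal sender=:1.3 -> dest=(null destination) serial=88 path=/org/freedesktop/Hal/Manager; interface=org.freedesktop.Hal.Manager; member=DeviceAdded
method call sender=:1.17 -> dest=org.freedesktop.DBus serial=3 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
method call sender=:1.42 -> dest=com.example.phone serial=12 path=/com/example/phone/SMS; interface=com.example.phone.SMS; member=Send
   string "+40700123456"
   string "hello"
method call sender=:1.42 -> dest=com.example.phone serial=13 path=/com/example/phone/SMS; interface=com.example.phone.SMS; member=Send
   string "+201001234567"
EOF
}

# On the phone: capture_calls /tmp/dbus.log (leave it running), then in a
# second shell once a message has gone out: attribute_log /tmp/dbus.log
```

Resolve the PID while the capture is still running: unique bus names die with the connection, so a sender that has already exited cannot be looked up afterwards. Watch the session bus too (dbus-monitor --session as the user), since a GUI application would send from there. And anything that bypasses D-Bus and drives the modem directly will not appear in this log at all, which is the limit of the approach.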
Re: Possible malware or compromised package..
It's beginning to look like it might have been smscon. When I looked at smscon's logs, it stated something like, "WARNING: running in stolen mode". It would then send SMS messages to +0123456789 periodically. Also ever since removing smscon I haven't had any outgoing sms messages to egypt or romania (YET).
However, I will keep you updated because it might not be smscon. |
Re: Possible malware or compromised package..
I have been using SMSCON with no issues for some time. The +0123456789 number you speak of in the logs may be incorrect; IIRC some of the smscon.log personal data is stripped for security reasons.
Re: Possible malware or compromised package..
The +0123456789 is of course a dummy (not a valid country code), so there may be any number behind it.
Keep us updated ...
Re: Possible malware or compromised package..
One solution that's worth trying, if you've got an old/other phone about, is to get a PAYG SIM and the minimum credit. Then use this PAYG number as the smscon "emergency contact". If you try the number of someone you know, warn him/her first: if you wake up at 3 o'clock in the night and check your phone for the time, he/she will get an SMS!
smscon is not malware but, yes, it will send messages to the predefined number whenever the phone does something.
Re: Possible malware or compromised package..
No SMS messages out to Egypt or Romania so far. :p
For the record, I didn't configure smscon either, I just installed it. I had it installed a year or two ago without having this problem. So I wonder if the maintainers/developers updated it?
Re: Possible malware or compromised package..
So far, no more outgoing messages to Egypt or Romania. I think it may have been smscon.
Re: Possible malware or compromised package..
Have you tried asking in the smscon thread?
Re: Possible malware or compromised package..
Not yet, but I will when I get a chance. :)