So I have removed cherry and I have installed notmynoia, however it appears that my n900 is still sending premium rate sms messages to egypt and romania:

11/10/12 10:45 PM SMOINT ROMANIA
(S)
0000000000l
11/10/12 10:45 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 09:56 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 09:56 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 07:27 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 07:27 PM SMOINT EGYPT
(S)
0000000000l

Does anyone have a good method for hunting down the application that is doing this?

What tools would one suggest? lsof? Is there a stealthy way I can monitor my outgoing sms messages? Because it appears that none of these text messages are being logged..

Any words of wisdom I would greatly appreciate.

Also here is my current process list:

ps -A
PID USER VSZ STAT COMMAND
1 root 2076 S /sbin/init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
6 root 0 SW [kblockd/0]
7 root 0 SW [cqueue]
8 root 0 SW [twl4030-irqchip]
9 root 0 SW [twl4030-irq]
10 root 0 SW [omap2_mcspi]
11 root 0 SW [ksuspend_usbd]
12 root 0 SW [khubd]
13 root 0 SW [pdflush]
14 root 0 SW [pdflush]
15 root 0 SW [kswapd0]
16 root 0 SW [aio/0]
26 root 0 SW [ubi_bgt0d]
27 root 0 SW [kondemand/0]
28 root 0 SW [ubifs_bgt0_0]
107 root 1664 S /sbin/udevd --daemon
281 root 0 SW [vibra]
460 root 0 SW [bluetooth]
502 root 0 SW [nokia-av]
503 root 0 SW [kmmcd]
533 root 0 SW [mboxd/0]
562 root 0 DW [wl12xx]
588 root 0 SW [mmcqd]
609 root 0 SW [mmcqd]
695 root 1776 S < /sbin/dsme -p /usr/lib/dsme/libstartup.so
703 root 3848 S /usr/sbin/sshd -D
709 root 8216 S /sbin/dsme-server -p /usr/lib/dsme/libstartup.so
721 root 0 SW [file-storage-ga]
730 root 3376 S /usr/sbin/bme_RX-51
743 messageb 3436 S < /usr/bin/dbus-daemon --system --nofork
751 root 3376 S /usr/libexec/n900-fmrx-enabler --nodaemon
753 root 2428 S /usr/sbin/sscd -f
757 root 4716 S /usr/sbin/alsaped -p 4 -f /usr/share/policy/etc/current/alsaped.conf
773 root 15220 S /usr/sbin/omap3camd -d /dev/video0 -f /tmp/omap3camd0-installed
780 pulse 82968 S < /usr/bin/pulseaudio --system --high-priority
785 haldaemo 4564 S /usr/sbin/hald --verbose=no --daemon=no --use-syslog
787 root 8108 S /usr/sbin/ohmd --no-daemon
790 root 3396 S /usr/sbin/csd -m -p call -p gprs -p info -p net -p sim -p simpb -p sms -p ss
794 root 3424 S /usr/sbin/sms-manager
800 root 3476 S /usr/sbin/sysinfod --system
805 root 5572 S < /sbin/mce --force-syslog
809 root 3328 S hald-runner
810 root 3636 S /usr/sbin/wappushd -b
812 root 3988 S /usr/lib/gconf2/gconfd-2
828 root 0 SW [sgx_perf]
832 root 1528 S /usr/sbin/dsp-manager
840 haldaemo 3496 S {hald-addon-omap} hald-addon-gpio: listening on /sys/devices/platform/gpio-switch/slide/state /sys/devices/platform/gpio-switch/sleep_ind/state /sy
843 root 14976 S /usr/sbin/omap3camd -d /dev/video1
849 haldaemo 3088 S {hald-addon-usb-} hald-addon-usb-cable: listening on /sys/devices/platform/musb_hdrc/usb1/../mode
854 root 0 SW [kjournald]
862 root 3420 S /usr/lib/hal/hald-addon-generic-backlight
863 root 0 SW [SGXOSTimer/0]
864 root 0 SW [sgx_misr]
875 root 22480 S < /usr/bin/Xorg -logfile /tmp/Xorg.0.log -logverbose 1 -nolisten tcp -noreset -s 0 -core
878 root 3424 S {hald-addon-inpu} hald-addon-input: Listening on /dev/input/event3 /dev/input/event1 /dev/input/event0 /dev/input/event2
895 haldaemo 3088 S {hald-addon-mmc} hald-addon-mmc: listening on /sys/class/mmc_host/mmc0/cover_switch
899 root 3628 S /usr/bin/clockd
908 root 3416 S /usr/lib/hal/hald-addon-als
909 root 3480 S /usr/lib/hal/hald-addon-bme
911 root 3436 S /usr/lib/hal/hald-addon-cpufreq
923 root 25200 S /usr/bin/signond
942 root 3412 S /usr/sbin/bluetoothd -n
965 user 2832 S dbus-launch --exit-with-session
969 user 3012 S < /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
983 user 42932 S /usr/bin/maemo-xinput-sounds
990 user 3344 S /usr/bin/profiled
993 user 3324 S /usr/bin/ohm-session-agent
999 root 0 SW< [krfcommd]
1025 user 23080 S /usr/bin/maemo-launcher --send-app-died --booster gtk,cpp --quiet --daemon
1026 user 3848 S /usr/sbin/alarmd
1030 user 12672 S /usr/lib/sapwood/sapwood-server
1032 user 27512 S /usr/bin/systemui
1057 root 1972 S /usr/bin/iphbd
1059 user 6016 S /usr/lib/gvfs/gvfsd
1073 user 6512 S /usr/lib/gvfs/gvfs-hal-volume-monitor
1090 user 5540 S /usr/bin/mission-control
1096 user 23452 S < /usr/bin/hildon-sv-notification-daemon
1101 user 4692 S /usr/lib/telepathy/telepathy-ring
1140 user 3936 S /usr/bin/hildon-status-menu
1142 user 98.6m S /usr/bin/hildon-status-menu
1143 user 3936 S /usr/bin/camera-ui
1144 user 55180 S /usr/bin/camera-ui
1146 user 3936 S /usr/bin/hildon-home
1148 user 3936 S /usr/bin/hildon-desktop
1150 user 30656 S /usr/bin/hildon-home
1151 user 71044 S /usr/bin/hildon-desktop
1154 user 8368 S /usr/libexec/gnome-vfs-daemon
1166 user 23224 S /usr/lib/evolution-data-server/e-addressbook-factory
1180 root 4136 S /usr/sbin/wlancond
1182 root 7932 S /usr/bin/location-proxy --no-detach
1183 root 20812 S < /usr/bin/tonegend -s ansi -b 100 -r 20 -D module-stream-restore.id=x-maemo-key-pressed -I media.role=phone,module-stream-restore.id=sink-input-by-m
1186 root 2624 S /usr/bin/app-detect -p 1
1190 nobody 2160 S /usr/sbin/dnsmasq -k -i lo -a 127.0.0.1 -z
1211 root 13200 S python /opt/smscon/smscon_daemon
1246 user 4616 S /usr/bin/clipboard-manager
1247 root 4544 S /usr/sbin/icd2 -l2
1248 user 31784 S N /usr/lib/tracker/trackerd
1255 root 5616 S /usr/sbin/hulda
1257 user 3936 S /usr/bin/osso-connectivity-ui-conndlgs
1264 user 28392 S /usr/bin/osso-connectivity-ui-conndlgs
1265 root 5616 S /usr/sbin/hulda
1266 user 17584 S /usr/bin/hildon-input-method
1272 user 3212 S /usr/lib/obex/obexd --nodaemon --opp --ftp --pcsuite --symlinks --tty /dev/ttyGS0 --root .obex-root --root-setup /usr/bin/obex-root-setup --capabil
1273 user 42672 S /usr/sbin/browserd -d
1288 user 39240 S < /usr/bin/mafw-dbus-wrapper mafw-gst-renderer
1292 user 7920 S /usr/bin/mafw-dbus-wrapper mafw-iradio-source
1303 user 16916 S /usr/bin/mafw-dbus-wrapper mafw-tracker-source
1308 user 9260 S /usr/bin/mafw-dbus-wrapper mafw-upnp-source
1310 user 1524 S /usr/sbin/temp-reaper
1328 user 4852 S /usr/sbin/maesync_controller
1339 root 8236 S /usr/sbin/ke-recv
1340 user 18232 S /usr/bin/syncd
1348 user 24512 S /usr/bin/osso-abook-home-applet
1390 user 14116 S /usr/libexec/hildon-thumbnailerd
1472 user 3936 S /usr/bin/osso-addressbook
1473 user 27472 S /usr/bin/osso-addressbook
1476 user 3936 S /usr/bin/rtcom-call-ui
1482 user 29944 S /usr/bin/rtcom-call-ui
1484 user 3936 S /usr/bin/rtcom-messaging-ui
1485 user 28236 S /usr/bin/rtcom-messaging-ui
1486 user 70260 S /usr/sbin/browserd -s 1486 -n RTComMessagingServer
1489 user 3936 S /usr/bin/browser
1490 user 29292 S /usr/bin/browser
1492 user 3936 S /usr/bin/image-viewer
1493 user 35144 S /usr/bin/image-viewer
1496 user 3936 S /usr/bin/Calendar
1497 user 28260 S /usr/bin/Calendar
1508 user 3936 S /usr/bin/modest
1509 user 45912 S /usr/bin/modest
1641 user 64308 S /usr/sbin/browserd -s 1641 -n browserui
1738 user 3936 S /usr/bin/osso-xterm
1739 user 30200 S /usr/bin/osso-xterm
1740 user 2792 S gnome-pty-helper
1741 user 2912 S -sh
1743 root 2836 S {gainroot} /bin/sh /usr/sbin/gainroot
1744 root 4772 S /bin/bash
1748 user 9864 S N /usr/lib/tracker/tracker-indexer
1755 root 15964 S /usr/bin/eapd
1759 root 1628 S /sbin/udhcpc -i wlan0 -s /etc/udhcpc/libicd_network_ipv4.script -H Nokia-N900 -f -R 15
1826 root 6456 S {sshd} sshd: root@pts/1
1828 root 2912 S -sh

To discover how my phone is sending out SMS messages to Egypt and Romania, I simply log in to my t-mobile account and check my usage. (If you're curious I'm located in the United States.)

Here is my dpkg --list output:

http://pastebin.com/ZLamwuGx

I most likely installed something that may have been compromised through my program that I've been working on since June of this year:

http://pastebin.com/Nwtf9fVW

(lines: 262, 285, 1135,1165)

Of course other programs are downloaded through git/wget/svn but (maybe I'm a fool for thinking so) I think these programs are safe.

The program is a shell script that automates 'weaponizing' the n900 to save myself and other individuals time from manually installing all these packages. In some of the code there are spots where I use the -y and --force-yes flags with apt-get install. I thought about the risks of doing so but I had never had any issues with my n900 doing anything out of the ordinary since using these options until now.

Here are the repos that this program adds too:

deb http://repository.maemo.org/extras-testing/ fremantle free non-free

deb http://repository.maemo.org/extras-devel/ fremantle free non-free

deb http://my-maemo.com/repository/ fremantle user

deb https://downloads.maemo.nokia.com/fremantle/ovi/ ./

deb http://repository.maemo.org fremantle/tools free non-free

deb-src http://repository.maemo.org fremantle/tools free non-free

I would appreciate any words of wisdom or any tips!

That's some information that you didn't post initially!

If you've developed the linked script which installs who-knows-fvcking-what from a bunch of repositories then I don't know why you are surprised your N900 is sending premium SMS!

That's like the least that could be happening. Your N900 could controlling a f*cking botnet!

Do yourself a favor. Reflash your N900 *completely* and then install your stuff one by one. Just in case before you do that verify the settings of smscon (a tool *you* chose to install, so you should know what it does).

I don't know if this thread will lead anywhere, but for all I care, at the moment, *you* are the malware who has compromised your N900 (no offence intended, it's just like that!).

Cheers and best of luck!

Thanks for your reply..

That was my next thought was to go through and install each program one by one.

But does anyone know of any packages/tools that have been compromised that the community should be aware of? I think this is important to let the maemo/n900 community know to save others the hassle.

I am by no means a long-time member or expert, but your case seems to be the first one. It's very hard to see which programs you may be running at one time or another. Your script installs also stuff directly without using the package manager (download .tar.gz and unpack somewhere), so your dpkg -l list unfortunately doesn't give the whole picture of what you may be running or what you may have run at some point.

If you want some specific advise beyond reflashing, try to purge smscon and see if that stops the SMS'ing.

Possible in devel repo, but unlikely.

I will try removing smscon and see if this mends the issue. I will let you all know what happens.

In your t-mobile account, do you have any way to see the numbers thoses SMS get sent to? Maybe try strings/grepping for them in /usr and/or /opt and/or elsewhere.

11/10/12 10:45 PM SMOINT ROMANIA
(S)
0000000000l
11/10/12 10:45 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 09:56 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 09:56 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 07:27 PM SMOINT EGYPT
(S)
0000000000l
11/10/12 07:27 PM SMOINT EGYPT
(S)
0000000000l

The "0000000000l" are the phone numbers according to my t-mobile account. I believe this number is associated with interfacing between sms and email. (I could be wrong though). This is why I initially thought that this might have been the MyNokia registration program doing this.

If you are using t-mobile, you can choose to block paid sms right ?(from their website, you can turn off and on the settings).

I did that before for my t-mobile.

Thank you the suggestion but I want to get to the root of this. :-)