[Q] IPSec on ICS w/ pfSense - Nexus S Q&A, Help & Troubleshooting

Has anyone gotten IPSec (either L2TP/IPSec w/ PSK or IPSec Xauth PSK) to work on ICS (4.0.3) with pfSense 2.0.1? I'm looking for clues. It's not working for me.
The closest I've gotten this to work is by setting level 1 to aggressive/DES/MD5 and level 2 to ESP/AES(auto)/MD5.
Not sure if this is part of the problem though:
racoon: INFO: login failed for user "XXXXXXXX"
racoon: DEBUG: Attribute XAUTH_USER_PASSWORD, len 15
racoon: DEBUG: Attribute XAUTH_USER_NAME, len 8
racoon: DEBUG: Short attribute XAUTH_TYPE = 0
but the passwd is 14 chars long.
Has anyone gotten ICS to link up with pfSense 2.0.1?

Related

Windows Mobile 6.1 (AT&T Fuze) + L2TP/IPSEC + Linux KAME/racoon/ipsec-tools

I am attempting to get the default Windows Mobile 6.1 VPN client on the AT&T Fuze to connect to my Linux server which runs racoon. I am using certificates for authentication. I searched this forum and Google, but I cannot find much on Windows Mobile 6.1 and the built-in IPSec client.
I can see the VPN connection request hit my racoon server. Here are some of the messages I see when the request comes in:
2009-01-08 11:00:05: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2009-01-08 11:00:05: INFO: received Vendor ID: FRAGMENTATION
2009-01-08 11:00:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009-01-08 11:00:05: DEBUG: received unknown Vendor ID
2009-01-08 11:00:05: DEBUG:
26244d38 eddb61b3 172a36e3 d0cfb819
2009-01-08 11:00:05: DEBUG: total SA len=448
...
2009-01-08 11:00:05: DEBUG: agreed on RSA signatures auth.
2009-01-08 11:00:05: DEBUG: ===
2009-01-08 11:00:05: DEBUG: new cookie:
67ec27a10f8e4e4b
2009-01-08 11:00:05: DEBUG: add payload of len 52, next type 13
2009-01-08 11:00:05: DEBUG: add payload of len 16, next type 0
2009-01-08 11:00:05: DEBUG: 104 bytes from 71.79.187.61[500] to 67.103.105.138[500]
2009-01-08 11:00:05: DEBUG: sockname 0.0.0.0[500]
2009-01-08 11:00:05: DEBUG: send packet from 71.79.187.61[500]
2009-01-08 11:00:05: DEBUG: send packet to 67.103.105.138[500]
2009-01-08 11:00:05: DEBUG: src4 71.79.187.61[500]
2009-01-08 11:00:05: DEBUG: dst4 67.103.105.138[500]
2009-01-08 11:00:05: DEBUG: 1 times of 104 bytes message will be sent to 67.103.105.138[500]
2009-01-08 11:00:05: DEBUG:
92c2f997 b935ecdf 67ec27a1 0f8e4e4b 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 03010000 80010005 80020002
80040002 80030003 800b0001 000c0004 00007080 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2009-01-08 11:00:05: DEBUG: resend phase1 packet 92c2f997b935ecdf:67ec27a10f8e4e4b
...
2009-01-08 11:00:06: ERROR: ignore information because ISAKMP-SA has not been established yet.
My issue here is the "ISAKMP-SA has not been established yet" message.
Looking up this message suggests that the Windows Mobile 6.1 client is not selecting the certificate. I can see that the certificate is installed in the device correctly. What I need to be able to do is get some sort of debugging output from this Windows Mobile 6.1 client so I can see what it is doing (or more importantly not doing) so I can correct the issue, if it is correctable.
Under Windows XP, I can use the event viewer to see IPSec events. I can also alter a registry setting to enable more in-depth debugging logs and use those to figure out what is going on. What capabilities are there on the Windows Mobile 6.1 device to determine what it is or is not doing during this process?
If someone can assist me in accessing logging and debugging information on Windows Mobile, I can probably get this working and post a much-requested solution to Windows Mobile 6.1 IPSec using certificates when connecting to non-MS based gear.
Anyone got any suggestions on how to debug this on WM?
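The hex words racoon dumped above are the 104-byte main-mode reply it sent back to the handset (the "new cookie" line is the responder cookie, and the two "add payload" lines are the SA and Vendor ID payloads). The decoder below is an added example for this page, not part of the original post and not racoon's code; it walks the ISAKMP fixed header, the SA payload's proposal and transform attributes, and the Vendor ID payload, so the proposal racoon offered can be read off directly instead of by hand. Only the hex dump is taken from the log; the attribute tables and all names are the example's own.

```python
"""Decode the ISAKMP (IKEv1) phase-1 packet that racoon dumped in the log above."""
import struct

# Hex words copied verbatim from the racoon DEBUG dump in the post (104 bytes).
RACOON_HEX = (
    "92c2f997 b935ecdf 67ec27a1 0f8e4e4b 01100200 00000000 00000068 0d000038 "
    "00000001 00000001 0000002c 01010001 00000024 03010000 80010005 80020002 "
    "80040002 80030003 800b0001 000c0004 00007080 00000014 afcad713 68a1f1c9 "
    "6b8696fc 77570100"
)

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode"}
# IKE transform attribute classes and the values relevant here (RFC 2409, appendix A).
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration"}
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1"},
    3: {1: "pre-shared key", 3: "RSA signatures"},
    4: {1: "MODP-768", 2: "MODP-1024", 14: "MODP-2048"},
    11: {1: "seconds", 2: "kilobytes"},
}
KNOWN_VIDS = {bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "Dead Peer Detection v1.0 (RFC 3706)"}


def parse_attributes(data):
    """IKE data attributes: AF bit set = type/value (2-byte value), clear = type/length/value."""
    attrs, off = {}, 0
    while off < len(data):
        atype, = struct.unpack("!H", data[off:off + 2])
        if atype & 0x8000:
            value, = struct.unpack("!H", data[off + 2:off + 4])
            off += 4
        else:
            length, = struct.unpack("!H", data[off + 2:off + 4])
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        cls = atype & 0x7FFF
        attrs[ATTR_NAMES.get(cls, f"attr-{cls}")] = ATTR_VALUES.get(cls, {}).get(value, value)
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then one proposal with its transforms (single-proposal case)."""
    doi, situation = struct.unpack("!II", body[:8])
    _np, _r, _plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[8:16])
    transforms, off = [], 16 + spi_size
    for _ in range(ntrans):
        _np, _r, tlen, tnum, tid, _r2 = struct.unpack("!BBHBBH", body[off:off + 8])
        transforms.append({"number": tnum, "id": tid,
                           "attributes": parse_attributes(body[off + 8:off + tlen])})
        off += tlen
    return {"doi": doi, "situation": situation,
            "proposal": {"number": pnum, "protocol": proto, "transforms": transforms}}


def parse_isakmp(raw):
    """Walk the fixed header and the payload chain; raise when a length disagrees with the wire."""
    if len(raw) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    msg = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_NAMES.get(exch, exch),
           "flags": flags, "message_id": msgid, "length": length, "payloads": []}
    off, ptype = 28, np
    while ptype != 0:
        np, _res, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = raw[off + 4:off + plen]
        payload = {"type": PAYLOAD_NAMES.get(ptype, ptype), "body_len": len(body)}
        if ptype == 1:
            payload.update(parse_sa(body))
        elif ptype == 13:
            payload["vendor_id"] = KNOWN_VIDS.get(body, body.hex())
        msg["payloads"].append(payload)
        off, ptype = off + plen, np
    return msg


def decode_racoon_dump(hexdump=RACOON_HEX):
    return parse_isakmp(bytes.fromhex(hexdump.replace(" ", "")))


if __name__ == "__main__":
    import json
    print(json.dumps(decode_racoon_dump(), indent=2))
```

Run stand-alone it prints the decoded reply: main-mode exchange, one transform offering 3DES-CBC / SHA1 / MODP-1024 / RSA signatures with a 28800 second lifetime (which matches "agreed on RSA signatures auth." above), followed by the Dead Peer Detection vendor ID. racoon's "add payload of len 52" and "len 16" count payload bodies without the 4-byte generic header, which is why body_len reads 52 and 16 here.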
IP Schema
Do you use 10.x.x.x on your network at all? If so, do you have the high end data connection or just the PDA connect?
The reason I ask this is that I have a similar problem at my work. We use the 10.x.x.x private schema, and so does AT&T. Because of this, the NAT is killing my VPN. I can connect to my home just fine (using 192.168.x.x here), so I know it's an IP address issue.
Supposedly, if you have the business class data plan, you shouldn't be on a private IP which keeps the issue I'm having from happening.

OpenVPN for PocketPC doesn't work - why?

Hello everyone,
I am trying to make an OpenVPN connection from my HTC Hermes to my OpenVPN server. When I connect a computer to my Hermes, I can establish a VPN connection without any problems.
When I try to use the same client config file on my HTC Hermes with OpenVPN for PocketPC, it doesn't work.
I use the official WM6 ROM (T-Mobile Germany) on my Hermes.
I use this version of OpenVPN for PocketPC:
http://ovpnppc.ziggurat29.com/ovpnppc-main.htm
I used the cab file to install it directly on the Hermes.
Where is the problem?
What do I have to change?
My OpenVPN server config:
# OpenVPN 2.1 Config, Sat Mar 21 10:01:07 CET 2009
proto udp
dev tap
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
# HMAC key direction 0 on the server; the client must use direction 1
tls-auth /tmp/flash/static.key 0
port 1194
push "redirect-gateway"
ifconfig 192.168.201.97 255.255.255.0
# route-gateway is pushed a second time at the end of this file with a different address
push "route-gateway 192.168.201.97"
push "route 192.168.3.0 255.255.255.0"
max-clients 4
tun-mtu 1500
mssfix
verb 3
daemon
# Blowfish in CBC mode: a 64-bit block cipher, weak by today's standards
cipher BF-CBC
comp-lzo
float
keepalive 10 120
# second route-gateway push; conflicts with the one above
push "route-gateway 192.168.3.101"
My client config:
client
dev tap
proto udp
remote tauscher.dyndns.org 1194
nobind
persist-key
persist-tun
# Windows CE paths; backslashes are doubled inside the quoted strings
ca "\\Programme\\OpenVPN\\config\\ca.cer"
cert "\\Programme\\OpenVPN\\config\\client1.cer"
key "\\Programme\\OpenVPN\\config\\client1.key"
# pins the server certificate's common name (newer OpenVPN releases replace tls-remote with verify-x509-name)
tls-remote Eumex
# HMAC key direction 1, complementary to the server's 0
tls-auth "\\Programme\\OpenVPN\\config\\ovpnstatic.key" 1
auth SHA1
cipher BF-CBC
comp-lzo
verb 4
Log of the Client:
http://pastebin.com/f447ce60b
Best wishes
UP
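The two configs posted above have to agree on several options (device type, protocol, cipher, compression, complementary tls-auth key directions), and the server file pushes route-gateway twice with different addresses. The checker below is an added example for this page, not part of the original post or of OpenVPN; it parses both files, reports the option pairs that must match, the tls-auth key-direction pairing, conflicting push directives, and settings a reviewer would flag today (BF-CBC, comp-lzo, tls-remote, a missing remote-cert-tls). Both config texts are copied from the post; the option names it checks and all function names are the example's own.

```python
"""Cross-check an OpenVPN server/client option pair and flag weak or conflicting settings."""
import shlex

# Both configs are copied from the post as raw strings (paths and hostnames as posted).
SERVER_CONF = r"""
# OpenVPN 2.1 Config, Sat Mar 21 10:01:07 CET 2009
proto udp
dev tap
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
tls-auth /tmp/flash/static.key 0
port 1194
push "redirect-gateway"
ifconfig 192.168.201.97 255.255.255.0
push "route-gateway 192.168.201.97"
push "route 192.168.3.0 255.255.255.0"
max-clients 4
tun-mtu 1500
mssfix
verb 3
daemon
cipher BF-CBC
comp-lzo
float
keepalive 10 120
push "route-gateway 192.168.3.101"
"""

CLIENT_CONF = r"""
client
dev tap
proto udp
remote tauscher.dyndns.org 1194
nobind
persist-key
persist-tun
ca "\\Programme\\OpenVPN\\config\\ca.cer"
cert "\\Programme\\OpenVPN\\config\\client1.cer"
key "\\Programme\\OpenVPN\\config\\client1.key"
tls-remote Eumex
tls-auth "\\Programme\\OpenVPN\\config\\ovpnstatic.key" 1
auth SHA1
cipher BF-CBC
comp-lzo
verb 4
"""

# Options whose values must be identical on both ends of the tunnel.
MUST_MATCH = ("dev", "proto", "cipher", "comp-lzo")


def parse_conf(text):
    """Ordered (option, args) pairs; '#' and ';' comment lines and blank lines are dropped."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        opts.append((parts[0], parts[1:]))
    return opts


def key_direction(args):
    """tls-auth takes 'file [direction]'; no direction means a bidirectional key."""
    return args[1] if len(args) > 1 else None


def check_pair(server_text, client_text):
    server, client = parse_conf(server_text), parse_conf(client_text)
    sd, cd = dict(server), dict(client)
    findings = []
    for opt in MUST_MATCH:
        if sd.get(opt) != cd.get(opt):
            findings.append(f"mismatch: {opt} server={sd.get(opt)} client={cd.get(opt)}")
    sdir, cdir = key_direction(sd.get("tls-auth", [])), key_direction(cd.get("tls-auth", []))
    if ("tls-auth" in sd or "tls-auth" in cd) and {sdir, cdir} != {"0", "1"} \
            and not (sdir is None and cdir is None):
        findings.append(f"tls-auth key-direction not complementary: server={sdir} client={cdir}")
    pushed = {}
    for opt, args in server:          # the list keeps duplicates that the dict collapsed
        if opt == "push" and args:
            directive, _, rest = args[0].partition(" ")
            pushed.setdefault(directive, []).append(rest)
    for directive, values in pushed.items():
        if len(set(values)) > 1:
            findings.append(f"conflicting push: {directive} pushed with {values}")
    for side, conf in (("server", sd), ("client", cd)):
        cipher = conf.get("cipher", ["(default)"])[0].upper()
        if cipher in ("BF-CBC", "DES-CBC", "DES-EDE3-CBC"):
            findings.append(f"{side}: cipher {cipher} is a 64-bit block cipher (SWEET32); use AES-256-GCM")
        if "comp-lzo" in conf:
            findings.append(f"{side}: comp-lzo compresses plaintext before encryption (VORACLE); prefer none")
    if "tls-remote" in cd:
        findings.append("client: tls-remote was removed in OpenVPN 2.5; use verify-x509-name")
    if "remote-cert-tls" not in cd:
        findings.append("client: no 'remote-cert-tls server'; any certificate issued by the CA can pose as the server")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF):
        print(finding)
```

On the posted pair the checker reports no option mismatch and a correct 0/1 key-direction pairing, so the failure on the PocketPC client is not one of those; what it does report is the double route-gateway push plus the weak-cipher, compression, tls-remote and remote-cert-tls points.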

[APP][2.2+] DigiControl/DigiSSHD 0.2 - SSH server with per session control

DigiControl - a lightweight Android agile helper for console applications. It is based on C++ Boost, Scala and AspectJ.
DigiSSHD - a component for DigiControl, based on the Dropbear SSH server and the OpenSSH SFTP server.
This is alpha stage software.
Software
DigiSSHD is a DigiControl component that provides:
Secure Shell - remote shell service or command execution
Secure Copy - transfer files between Android and a remote client
Secure FTP - transfer files between Android and a remote client
BTW, look up SFTP vs. SCP.
It is based on open source software:
Dropbear server (shell and SCP), available under the MIT license
OpenSSH server (SFTP), available under the BSD license
DigiControl is an agile helper for console applications such as network services, local utilities and so on. DigiControl has a lot of things under the hood that allow it to start/stop/restart Digi components, interact with sessions and permissions, and much more. It is a mediator between installed components, plugins, the Android device and you.
It is alpha stage software written in the Scala language. Scala on Android is a bit out of the mainstream, so take it easy. The bridge piece is in C++ BOOST.
A large part of the DigiControl source code is available on GitHub as the DigiLib library under the Apache 2.0 license.
The core part of the DigiSSHD source code is available on GitHub under the GPLv3 license; the other part is available as the DigiLib library under the Apache 2.0 license.
FYI: there are a lot of threads, hundreds of places with watchdog timers and thousands of places with recovery logic. Also, the user interface and the background service are independent processes.
If the application freezes... The longest watchdog timeout is about 5 minutes, the shortest watchdog timeout is 1 second; most of them are not more than 20 seconds. Wait. After it unfreezes, upload a report to us.
If the application blocks something or shows something unexpected (as you think ;-)), upload a report to us, then rotate your device. After the device is rotated, there will be a reinitialization.
If something blows up, it explodes with stack traces, uh, Sssssmmmokie! Restart the application after the crash and upload a report to us.
You may upload a report via the context menu. The report dialog will appear automatically if there is a stack trace.
If you have an idea how to improve DigiNNN or a wish to change something, please submit your idea via the GitHub tracker. Please submit technical issues too.
There is only the DigiSSHD component available at this time. DigiSSHD is an sshd server that provides secure shell, SCP and SFTP.
Please install DigiControl and DigiSSHD simultaneously. These are two parts of a single application.
Interface
There are two ACL (access control list) types:
interface ACL, which defines what network interface(s) will be used (service tab)
connection ACL, which defines allow/deny rules (by IP) for access to the phone, and interactive mode (session tab)
You may find the current IP on the information tab.
The port option is located on the service tab.
Code
It may be interesting because it is almost entirely written in Scala. Actually the apk is built with Scala 2.8.2.
Scala 2.9.x and 2.10.0 M2 have some critical bugs in the compiler and are too fat :-( There are a few insignificant Java files. Maybe someday they will be replaced with Scala code, but I don't want to waste time.
The controller native helper is written in C++ with BOOST (I don't like C, C#, Java and assembler). It is a battery friendly single threaded asynchronous INETD server. This is the only non-Scala part.
The whole application was created in XXP style (extreme extreme programming): no unit tests, no design, no comments, only the simplest code that is easy to read.
If you find a BUG (sure you will ;-)), please open an issue on GitHub or click on report in the context menu. The report will be uploaded to Google Cloud Storage.
Versions
0.2
- Improvements: add notification with service state
- Improvements: remember last active tab
- Bug fixes: remove toolbox/busybox dependency (file objects permission control is less granular now)
- Improvements: add ui for public key authentication
- Bug fixes: remove some startup deadlocks
- Improvements: by default add connection from private networks to permit ACL
- Improvements: by default new components enabled
- Improvements: add control level background (novice, intermediate, professional)
- Improvements: add sshd profile generation
0.1.05
- Bug fixes: fix sporadic error on component restart
- Bug fixes: fix preferred layout orientation
- Improvements: implement smart shutdown sequence mechanism. No task killer needed. All components and their dependencies (including services and providers) are terminated in the proper order with respect to idle timeouts
- Improvements: more verbose single user/multi user logic
- Bug fixes: set minimum API level to 9
- Bug fixes: progress dialog deadlock at multiple activity change
- Bug fixes: busy state lock
0.1.04
- Bug fixes: 'port already in use' bug
- Improvements: improve dialog routines
- Improvements: improve log rotation, add gzip compression to initialization sequence
0.1.03
- Improvements: add database retry guard that prevents sporadic errors
- Improvements: add coreutil 'ls', improve groups helper; now SCP works on most devices without any tuning
- Improvements: add active user name to session entry
- Bug fixes: set minimum API level to 10
- Bug fixes: fix creation of unused /sdcard/Android/data/file empty directory
- Improvements: move the magic button to the top by user request
- Bug fixes: drop Android 2.2 Froyo support hacks
- Bug fixes: remove deadlock in safe dialogs
- Bug fixes: fix possible desynchronization in global shutdown sequence
- Improvements: add welcome dialog and assistant with green sputnik
- Improvements: add option of preferred layout orientation
0.1.02 - critical bugfixes
0.1.01 - 16.05.2012
- Improvements: reduce size, move DigiSSHD to SD card
- Improvements: improve stability, add SCP groups helper
- Bug fixes: SFTP permissions
- Improvements: add activity event log
- Improvements: add session event log
- Improvements: add single user/multi user mode
- Improvements: improve interface, user management
- Bug fixes: fix tons of bugs
0.0.2 - 03.05.2012 mostly working
0.0.0 - 21.04.2012 something working
Your Help Is Always Welcome
* user interface - unstable
* native helper - mostly stable
* dropbear server - stable
Kind regards,
Alexey
Please TURN ON subtitles in video.
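The two ACL types described in the post (an interface ACL choosing where sshd binds, and a connection ACL deciding per peer IP) are easy to get subtly wrong: rule order, default action, IPv4 peers that the phone's netstat shows as ::ffff: mapped IPv6, and a bind list that names a LAN address instead of an interface. The model below is an added example for this page, not DigiSSHD's own code; it implements first-match allow/deny/ask rules with a default-deny fallback, seeds the permit list with the RFC 1918 ranges (the 0.2 changelog says private networks are permitted by default), and keys the interface ACL on interface names so a changed LAN address does not break the bind. Treating "ask" as the interactive session mode is an assumption; the class and function names are the example's own.

```python
"""Interface and connection ACLs of the kind the DigiSSHD tabs describe, as a stand-alone model."""
import ipaddress

# RFC 1918 ranges; the 0.2 changelog says these are the default permit entries.
PRIVATE_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


class ConnectionAcl:
    """Ordered rules of (action, network); first match wins, unmatched peers get the default.

    action is "allow", "deny" or "ask". "ask" stands for the interactive session mode, where
    the UI prompts before the session is accepted; that mapping is this example's assumption.
    """

    def __init__(self, rules=(), default="deny"):
        self.rules = [(action, ipaddress.ip_network(net, strict=False)) for action, net in rules]
        self.default = default

    @classmethod
    def private_networks_only(cls):
        return cls([("allow", net) for net in PRIVATE_NETWORKS])

    def decide(self, peer):
        ip = ipaddress.ip_address(peer)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # netstat on the phone shows v4 peers as ::ffff:a.b.c.d
        for action, net in self.rules:
            if ip.version == net.version and ip in net:
                return action
        return self.default


class InterfaceAcl:
    """Which local addresses sshd binds. Keying on interface names survives a changed LAN address."""

    def __init__(self, allowed_names=(), any_address=False):
        self.allowed_names = set(allowed_names)
        self.any_address = any_address

    def bind_addresses(self, interfaces):
        """interfaces: {name: (state, address)} as netcfg reports them."""
        if self.any_address:
            return ["0.0.0.0"]
        return [addr for name, (state, addr) in interfaces.items()
                if name in self.allowed_names and state == "UP" and addr != "0.0.0.0"]


def gate(peer, conn_acl):
    """Return (accepted, reason) for a new TCP peer; 'ask' is reported but not accepted here."""
    action = conn_acl.decide(peer)
    return action == "allow", f"{peer}: {action}"


if __name__ == "__main__":
    acl = ConnectionAcl([("deny", "192.168.1.0/24"), ("ask", "192.168.0.0/16"), ("allow", "10.0.0.0/8")])
    for peer in ("192.168.1.29", "192.168.2.7", "10.255.255.250", "8.8.8.8", "::ffff:10.0.0.9"):
        print(gate(peer, acl))
    print(InterfaceAcl(["wlan0", "usb0"]).bind_addresses(
        {"lo": ("UP", "127.0.0.1"), "rmnet0": ("DOWN", "0.0.0.0"), "wlan0": ("UP", "192.168.1.29")}))
```

A deny placed before a broader allow wins because matching stops at the first hit; reversing the two rules would silently open the /24. The stale-address restart reported later in this thread is the case the name-keyed InterfaceAcl is meant to avoid.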
Looks like an impressive app, thanks...
Is there any way to use key-based authentication instead of a password, please?
Wonderful work!
I will fix up public key authentication in the next release. I need to add a few functions.
I hope that the new release 0.1.06 will be ready within 2 days.
Thank you for your interest in the app. It is really important to me.
I have tested key-based authentication; it works in both privileged and unprivileged modes. Sorry for the delay ;-)
Thanks for the new version; my comments, for what they're worth:
- Control level background: interesting idea, but I didn't notice it actually showing anything; turned off, nothing seemed different.
- Notification icon; I'd like there to be an icon only when the Control program is actually enabled. As it is, it seems there is no way to disable the icon when things are "OFF"?
- Publickey works well for user android (thanks!). But doesn't seem that there is any way to do per-user public keys, when using multi-user? I don't need this functionality mind you, single-user is enough for me, just mentioning it.
- I would like to be able to disable password access entirely, and use only publickey. That doesn't seem possible at the moment?
- The apps are a little complex; that's not a problem, but I think there could be better documentation, esp on how to do common things. It's possible that this is there already, but docs seem a little spread around...
thanks again...
It worked a couple of days ago. Today, after restoring from TB, it kept restarting itself. I later noticed that it was trying to bind to an older LAN IP from a couple of days ago. I unchecked the older IP and added the current LAN IP, but it still restarts itself and shows an error. I let it email the report to you. I'm on Vibrant CM9 nightly 20120704
I noticed a couple of things from the first try. The OFF button in DigiSSHD does not change to ON when it is started. I couldn't tell if it had already started or not. Don't take this the wrong way, but the GUI seems to have lots of features but is not intuitive yet. There should be some obvious status/indicator. The many tabs are nice and your project seems to be a powerful sshd, but somehow I'm still lost in figuring it out.
Thank you for the feedback. For bind issues, you may remove all bind filters, so it will look like
I will check the report. I am preparing version 0.3 right now. It will fix some system design issues, and it will also be adjusted for API level 15 (fragments, action bar, and so on). I am sure that I will achieve the target within two days.
The UI is really a weak point. :silly: Maybe I will build some trigger that hides the intermediate and professional level options... Options vs. a plain and simple UI is a question of balance. I want to have all options available.
Request: optional blank DigiControl notification icon?
I'm using DigiSSHD along with DigiControl on two android devices: a myTouch 4G Slide running CM-7.1.0 and a Galaxy Tab 2 10.1 running CM-9.0-RC2. In both cases, it's working very well for me. Thank you for a great couple of utilities!
I have a request: as an option, could you offer a blank DigiControl notification icon, to keep the clutter out of the notification area? I know that the presence of such an icon is necessary in order to ensure that DigiControl doesn't get swapped out or shut down, but if you offered a blank icon, at least we wouldn't _see_ it in the notification area.
For example, the Tasker app offers an optional blank icon for the same purpose.
Thank you very much for considering this request.
Hi. Great app! Thanks for your work on this! Is there a tutorial for how to connect using USB? My phone is a Galaxy Nexus (running Cyanogenmod 9 RC2). As you know, the Galaxy Nexus uses MTP instead of USB Mass Storage. MTP does not work well for me. I would prefer to use SFTP over USB. I believe DigiSSHD allows this, but I need some step by step instructions. So far, I have not figured out how to make it work.
One solution I am thinking of is to use EasyTether. At the moment, my phone is plugged into my Linux box via USB and EasyTether is connected. I can ping the phone on 192.168.117.1. What are the next steps?
If not using Easy Tether, what other ways can I connect via SFTP and USB to my Galaxy Nexus? Thank you for your work on this very important app!
1. Open the DigiSSHD info tab. Look at the interfaces block. The USB interface must be there.
2. Start DigiSSHD.
3. Open any terminal on the phone and enter netstat -al
Example from my phone:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7203 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32500 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:43866 127.0.0.1:7777 ESTABLISHED
tcp 0 0 10.255.255.247:47225 213.75.57.103:443 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.0.0.1:43818 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.0.0.1:33561 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.0.0.1:43819 ESTABLISHED
tcp 0 0 127.0.0.1:43818 127.0.0.1:7777 ESTABLISHED
tcp 0 0 10.255.255.247:2222 10.255.255.250:47123 ESTABLISHED
tcp 0 0 127.0.0.1:7777 127.0.0.1:43866 ESTABLISHED
tcp 0 0 127.0.0.1:43819 127.0.0.1:7777 ESTABLISHED
tcp6 0 1 ::ffff:10.255.255.247:46121 ::ffff:173.194.32.32:80 CLOSE_WAIT
tcp6 0 0 ::ffff:127.0.0.1:33561 ::ffff:127.0.0.1:7777 ESTABLISHED
tcp6 0 1 ::ffff:10.255.255.247:51556 ::ffff:173.194.32.48:443 CLOSE_WAIT
tcp6 0 1 ::ffff:10.255.255.247:37148 ::ffff:173.194.32.0:443 CLOSE_WAIT
tcp6 0 0 ::ffff:10.255.255.247:35515 ::ffff:173.194.69.188:5228 ESTABLISHED
tcp6 0 1 ::ffff:10.255.255.247:48747 ::ffff:173.194.32.8:443 CLOSE_WAIT
tcp6 0 1 ::ffff:10.255.255.247:43505 ::ffff:173.194.32.18:443 CLOSE_WAIT
The highlighted line (tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN) indicates that you may connect to TCP port 2222 on any available interface (0.0.0.0).
If something is lost, send me a message via PM and we will troubleshoot your connection.
Thanks for your reply. Starting at step 1, no interface block is shown. I only see sections for community, support and legal under the information tab. How should I troubleshoot this?
You opened DigiControl, not DigiSSHD. Jump to DigiSSHD.
If you really opened DigiSSHD and the interface block is absent... please send me a report from the options menu. There are a lot of surprises in reality. Maybe the Interfaces block has disappeared???
Yes, you are right. Now I am looking at the Information Tab of DigiSSHD. I see the Interfaces block.
My phone is plugged into my computer via USB at the moment. There is no USB interface listed. (This is true both with and without EasyTether running.) There are other interfaces listed such as ifb0, ifb1, rmnet0, rmnet1, rmnet2 and sit0. All these have addresses of 0.0.0.0. wlan0 is also listed with an address of 192.168.x.x.
However, when EasyTether is enabled, I can currently ping my phone from my PC via the USB interface:
ping 192.168.117.1
PING 192.168.117.1 (192.168.117.1) 56(84) bytes of data.
64 bytes from 192.168.117.1: icmp_req=1 ttl=128 time=4.32 ms
64 bytes from 192.168.117.1: icmp_req=2 ttl=128 time=4.52 ms
What is the next troubleshooting step? Thanks.
Show the output of
ifconfig -a
and
netstat -al
from the phone.
This is with EasyTether CONNECTED!
# netstat -al
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:58682 127.0.0.1:33333 ESTABLISHED
tcp6 0 0 :::33333 :::* LISTEN
tcp6 0 1 ::ffff:192.168.1.29:55777 ::ffff:74.125.45.120:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:37690 ::ffff:74.125.137.188:5228 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:47507 ::ffff:173.194.37.80:443 CLOSE_WAIT
tcp6 0 1 ::ffff:192.168.1.29:42791 ::ffff:173.194.37.81:443 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:53132 ::ffff:74.125.45.101:443 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:33333 ::ffff:127.0.0.1:58682 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:34921 ::ffff:74.125.139.138:80 CLOSE_WAIT
tcp6 0 1 ::ffff:192.168.1.29:34199 ::ffff:74.125.45.101:443 CLOSE_WAIT
udp6 0 0 :::44717 :::* CLOSE
# ifconfig -a
-a: no such device
# ifconfig
Google search: "android ifconfig syntax" --> no useful results found
Here it is without EasyTether connected:
# netstat -al
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 1 ::ffff:192.168.1.29:55777 ::ffff:74.125.45.120:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:37690 ::ffff:74.125.137.188:5228 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:47507 ::ffff:173.194.37.80:443 CLOSE_WAIT
tcp6 1 1 ::ffff:192.168.1.29:42791 ::ffff:173.194.37.81:443 LAST_ACK
tcp6 0 0 ::ffff:127.0.0.1:33333 ::ffff:127.0.0.1:58682 TIME_WAIT
tcp6 0 1 ::ffff:192.168.1.29:34921 ::ffff:74.125.139.138:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:49525 ::ffff:74.125.45.138:443 ESTABLISHED
tcp6 0 0 ::ffff:192.168.1.29:46645 ::ffff:74.125.45.139:443 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:34199 ::ffff:74.125.45.101:443 CLOSE_WAIT
still no results from ifconfig....
First of all, I don't see any 0.0.0.0:2222. Did you start DigiSSHD? Does it show state Active?
Second, are you sure that 192.168.117.1 is not your local PC interface?
Third, sorry, ifconfig only works with an interface argument, so use netcfg.
In your initial instructions, you said that step 2 was to "start DigiSSHD". I assumed you meant to turn it "on" so it becomes active in step 2. I was not yet able to satisfy the criteria you listed in step 1, so I didn't do step 2.
However, based on this reply, I have now made DigiSSHD active. Here are the results with it active (and EasyTether disabled):
# netstat -al
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp6 0 1 ::ffff:192.168.1.29:55777 ::ffff:74.125.45.120:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:37690 ::ffff:74.125.137.188:5228 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:47507 ::ffff:173.194.37.80:443 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:56790 ::ffff:173.194.37.84:443 ESTABLISHED
tcp6 0 0 ::ffff:192.168.1.29:38504 ::ffff:74.125.45.138:443 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:34921 ::ffff:74.125.139.138:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:37816 ::ffff:74.125.45.138:443 ESTABLISHED
tcp6 0 1 ::ffff:192.168.1.29:34199 ::ffff:74.125.45.101:443 CLOSE_WAIT
# netcfg
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
ifb0 DOWN 0.0.0.0/0 0x00000082 8e:11:c8:13:eb:cd
ifb1 DOWN 0.0.0.0/0 0x00000082 46:64:07:e9:bf:b6
sit0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
ip6tnl0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
rmnet0 DOWN 0.0.0.0/0 0x00001090 00:00:00:00:00:00
rmnet1 DOWN 0.0.0.0/0 0x00001090 00:00:00:00:00:00
rmnet2 DOWN 0.0.0.0/0 0x00001090 00:00:00:00:00:00
wlan0 UP 192.168.1.29/24 0x00001043 a0:0b:ba:cc:88:00
Ezzzzh said:
First of all, I don't see any 0.0.0.0:2222. Did you start DigiSSHD? Does it show state Active?
It is there now, once I move to step 2 of your instructions.
Ezzzzh said:
Are you sure that 192.168.117.1 is not your local PC interface?
192.168.117.1 is the phone's IP when EasyTether is enabled and connected via USB. (The PC's IP on the easytether0 iface is 192.168.117.2.) I also have a wlan0 IP address on the phone, but I am trying to connect via USB, of course.
This might help too:
$ ssh <user>@192.168.117.1 -vvv -p 2222
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.117.1 [192.168.117.1] port 2222.
debug1: connect to address 192.168.117.1 port 2222: Connection timed out
ssh: connect to host 192.168.117.1 port 2222: Connection timed out
$ ping 192.168.117.1
PING 192.168.117.1 (192.168.117.1) 56(84) bytes of data.
64 bytes from 192.168.117.1: icmp_req=1 ttl=128 time=3.13 ms
64 bytes from 192.168.117.1: icmp_req=2 ttl=128 time=2.99 ms
--- 192.168.117.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.994/3.063/3.133/0.088 ms
$ ifconfig
easytether0 Link encap:Ethernet HWaddr YY:YY:YY:YY:YY:YY
inet addr:192.168.117.2 Bcast:192.168.117.255 Mask:255.255.255.0
inet6 addr: fe80::54ff:fe74:6872/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1664 (1.6 KB) TX bytes:11583 (11.5 KB)
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.55 Bcast:192.168.1.1 Mask:255.255.255.0
inet6 addr: xxxxxxxxxxxxxxxxxxxxxxxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35971246 errors:0 dropped:0 overruns:0 frame:0
TX packets:61929545 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10794714666 (10.7 GB) TX bytes:87663599559 (87.6 GB)
Interrupt:17 Memory:fe400000-fe420000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4522645 errors:0 dropped:0 overruns:0 frame:0
TX packets:4522645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6798287997 (6.7 GB) TX bytes:6798287997 (6.7 GB)
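The exchange above boils down to three checks: does the address you are connecting to actually belong to an UP interface on the phone (netcfg), is anything listening on the port there (netstat), and who is really answering the pings. The helper below is an added example for this page, not part of the thread or of DigiSSHD; it parses the netstat -al and netcfg lines as pasted (trimmed copies are embedded), answers the first two questions, and adds a TTL heuristic: a Linux kernel, and so Android, replies to ping with TTL 64 by default, while the replies shown above carry TTL 128, which hints that something other than the phone's kernel answered on 192.168.117.1. That reading is a hypothesis, not a finding from the thread; the function names are the example's own.

```python
"""Pre-flight check for 'ssh to the phone times out': does the target address belong to the phone,
and is anything listening on that port there?"""

# netstat -al / netcfg lines copied from the thread (trimmed), taken with DigiSSHD active.
NETSTAT_ACTIVE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp6 0 1 ::ffff:192.168.1.29:55777 ::ffff:74.125.45.120:80 CLOSE_WAIT
tcp6 0 0 ::ffff:192.168.1.29:37690 ::ffff:74.125.137.188:5228 ESTABLISHED
"""
# The same phone before DigiSSHD was started (the earlier paste in the thread).
NETSTAT_IDLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::33333 :::* LISTEN
tcp6 0 0 ::ffff:192.168.1.29:37690 ::ffff:74.125.137.188:5228 ESTABLISHED
"""
NETCFG = """\
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
ifb0 DOWN 0.0.0.0/0 0x00000082 8e:11:c8:13:eb:cd
rmnet0 DOWN 0.0.0.0/0 0x00001090 00:00:00:00:00:00
wlan0 UP 192.168.1.29/24 0x00001043 a0:0b:ba:cc:88:00
"""


def listeners(netstat_text):
    """[(address, port)] for LISTEN sockets; IPv4-mapped IPv6 addresses are reported as IPv4."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[-1] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if addr.startswith("::ffff:"):
            addr = addr[len("::ffff:"):]
        found.append((addr, int(port)))
    return found


def up_interfaces(netcfg_text):
    """{name: address} for interfaces netcfg shows as UP with a real address."""
    out = {}
    for line in netcfg_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "UP":
            addr = parts[2].split("/")[0]
            if addr != "0.0.0.0":
                out[parts[0]] = addr
    return out


def ttl_hint(ttl):
    """Linux (hence Android) replies with TTL 64 by default; 128 is the Windows default.
    Heuristic only: intermediate hops decrement TTL, so read it as a hint, not proof."""
    if ttl == 64:
        return "consistent with a Linux/Android kernel replying"
    if ttl == 128:
        return "not a Linux default: something other than the phone's kernel may be replying"
    return f"unusual TTL {ttl}; hops on the path probably decremented it"


def explain(target_ip, port, netstat_text, netcfg_text):
    """One-line verdict on whether ssh to target_ip:port can work, from the phone's own view."""
    ifaces = up_interfaces(netcfg_text)
    owner = next((name for name, addr in ifaces.items() if addr == target_ip), None)
    if owner is None:
        return (f"{target_ip} is not an address of any UP phone interface {sorted(ifaces)}; "
                "sshd cannot be reached there")
    for addr, p in listeners(netstat_text):
        if p == port and addr in ("0.0.0.0", "::", target_ip):
            return f"port {port} listens on {addr}; reachable via {owner} at {target_ip}"
    return f"nothing listens on port {port}; is DigiSSHD active?"


if __name__ == "__main__":
    print(explain("192.168.117.1", 2222, NETSTAT_ACTIVE, NETCFG))
    print(explain("192.168.1.29", 2222, NETSTAT_ACTIVE, NETCFG))
    print(explain("192.168.1.29", 2222, NETSTAT_IDLE, NETCFG))
    print(ttl_hint(128))
```

With the pasted data the verdicts are: 192.168.117.1 is not on any UP phone interface (sshd listening on 0.0.0.0 cannot help with an address the kernel does not own), while 192.168.1.29 on wlan0 is reachable once DigiSSHD shows 0.0.0.0:2222 in LISTEN, and not before.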

UPDATE: Attention all xda members - EVEN MORE malware discovered on play store!

Good day ladies and gents,
I just downloaded and installed and logged this app from the playstore. Check out the list of permissions it has:
Here it is and the developers reasons for why he needs those things.
Code:
THIS APPLICATION HAS ACCESS TO THE FOLLOWING:
NETWORK COMMUNICATION
FULL NETWORK ACCESS
Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PHONE CALLS
READ PHONE STATUS AND IDENTITY
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
SYSTEM TOOLS
INSTALL SHORTCUTS
Allows an app to add shortcuts without user intervention.
UNINSTALL SHORTCUTS
Allows the app to remove shortcuts without user intervention.
BOOKMARKS AND HISTORY
WRITE WEB BOOKMARKS AND HISTORY
Allows the app to modify the Browser's history or bookmarks stored on your device. This may allow the app to erase or modify Browser data. Note: this permission may not be enforced by third-party browsers or other applications with web browsing capabilities.
READ YOUR WEB BOOKMARKS AND HISTORY
Allows the app to read the history of all URLs that the Browser has visited, and all of the Browser's bookmarks. Note: this permission may not be enforced by third-party browsers or other applications with web browsing capabilities.
NETWORK COMMUNICATION
VIEW NETWORK CONNECTIONS
Allows the app to view information about network connections such as which networks exist and are connected.
VIEW WI-FI CONNECTIONS
Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.
SYSTEM TOOLS
READ HOME SETTINGS AND SHORTCUTS
Allows the app to read the settings and shortcuts in Home.
AFFECTS BATTERY
PREVENT DEVICE FROM SLEEPING
Allows the app to prevent the device from going to sleep.
YOUR APPLICATIONS INFORMATION
RUN AT STARTUP
Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.
This is one nasty piece of work
- This app checks to make sure it has all the requirements it needs to perform its harm
- The App hides its methods to initiate
- It activates a hidden SMS message to send to the maximum allowed recipients
- It hides all notification to the interface
- It attempts to execute
- It checks to make sure any popup windows generated by its actions do NOT display to the end user
- It then goes back and sweeps up after itself
- It checks to make sure it has not been detected (in which case it had....but all the while Logcat was running I couldn't see what was happening so I shut it down). Only last week I started development on my own console app for logging ADB to stream both to the console and to a log file. I think I will finish that project off this week now
- It checks that it has not been discovered
- It re-initiates again the same cycle....
Developer's Play Store account.....and YES ALL of their apps are the same (nicely rendered good looking apps too) ALL with the same permissions as well!
https://play.google.com/store/apps/developer?id=HorseMaster+Labs
This app alone has been downloaded 1,000 - 5,000 in the last 30 days!
https://play.google.com/store/apps/details?id=com.lwpp.android.techno&feature=search_result
You will note my review and I have reported this already to the Google Play support team and am about to contact Kaspersky and the likes.
After running logcat for no more than a minute I got the following (see attached, it's too large to post as plain text).
Those who may have installed this app remove it straight away and contact your service provider
==============================================================================================
Update:
For anyone following.
The zip has all of my analysis contained.
1) The main apk used
2) Typical dex2jar decompile
3) APKTool 1.5.2 (latest) decompile to smali
4) My own personal decompilation process with several iterations of optimisation (been running for the last hour or so) with as pure Java output as you can probably get. Much better for analysing these kinds of apps
5) My own stripped version of the apk that still contains the executing code of the apk (has had permissions revoked and heaps of junk removed) if you decompile this app you will see what I mean. I have done a fair bit of the hard work, there is still a fair bit more to be done though.
Download from skydrive here:
http://sdrv.ms/11yRKoW
If someone gets the apk (my modded apk) running and/or decodes the methods to readable strings could you please respond in here and share for the rest of us.
UPDATE:!
Well after I hacked the apk and stripped it back of all the junk that I believed that could be responsible for this nasty stuff, I attempted to compile and re-install. Obviously that didn't work so well. The apk compiled but does not run. More investigation needed at a later date.
HOWEVER, I checked it via logcat. To my surprise there was STILL a lot of nasty stuff going on? seriously WTF?
I decided to download the ESET android version after recognised dev @pulser_g2 made mention of it in this thread detecting the apk and removing it before he could even download it. Avast = sh!t. I installed ESET free beta trial version and bam, straight away recognised another nasty living in my system. Good thing that it hadn't been there for too long. It incidentally got restored during a batch install with Titanium after a clean flash the other day.
Second culprit: Call & Sms Stats (I never use it anyway).
I used these
http://www.virustotal.com
http://virusscan.jotti.org/en
and lo and behold the following...
Call & SMS Stats
Call & SMS Stats - Virus Total
Call & Sms Stats - Jotti's Malware scan
Techno Live Wallpaper
Techno Live Wallpaper - Virus Total
Techno Live Wallpaper - Jotti's Malware scan
I thought I might do a little bit of a write up on the techniques that I use in my analysis whilst I am at it. Firstly this is for greater understanding of what is going on with these apps.
But before I start, I wanted to add that I think the developers of these apps are not the ones at fault. I think they are merely looking out for their pocket and not for their users with hosting these apps for free and most likely to the decline of people purchasing paid versions of apps. So they embed some plugin (or in this case several) into the application in hopes for better returns, but ignorantly in doing so putting a whole heap of people's privacy at risk!
These adware companies work off two things: 1) Signing people up to premium services 2) Lead generation to their clients that pay them for advertising. The developers although unknowing are not helpless and innocent and should be more aware of what they are doing before they commit to doing things like this.
Communication stats or Call & SMS Stats as it is better known has 5 or 6 independent ad add-ons (that was a mouthful) in their app. On top of Google's AdMob, which at the moment is starting to sound like a clean going citizen if it was one. It IS these ad companies that are the nasties. However it is the reputations of the developers themselves that are going to get tarnished.
Ok to continue on, here are some steps that I take when analysing apps.
More to come here.....stay tuned
Thanks
James
Thanks for the heads up. If this really is malware, then I feel sorry for the thousands of users who have already been affected.
Sent from my SGH-T999 using Tapatalk 2
Impressive what you have found.
Looks like the Plankton trojan. Contacting Android security team.
My apologies the logcat is now attached. I uploaded it but forgot to attach it before submitting and I needed to go have a snooze I get tired sometimes
shadowcore said:
Impressive what you have found.
Shocking would be a more appropriate word. What I don't get is that this developer has put a decent amount of time into the presentation of their apps. They look to be GOOD apps, and I suppose that is the more sinister part of this story. Think about the uptake of apps that "look" dodgy and are dodgy vs those apps that "look" legit but are dodgy.
I had perused over this developer's offerings like 5 months ago never giving anything a thought until I went to install the app. The thing is Malware is the big catch phrase at the moment in Android, and protecting yourself against it is most definitely 'flavour of the month', with hot topics around in everyone's faces every day at the moment.
My thoughts are, with all the "analysis" of the play store being done (and publicised) by big security companies and the likes.....how the hell does an app like this go on un-noticed and totally undetected?
Moreover, HOW THE HELL DOES A DEVELOPER GET AWAY WITH ALL OF THEIR APPS SPORTING THE SAME INSANE PERMISSIONS AND LIKELY THE SAME EMBEDDED NASTIES....AND GET AWAY WITH IT FOR SOOOO LONG???? It's a complete joke. I am with @pulser_g2's opinion on this whole subject.
I am also a bit disappointed in myself for not being more attentive earlier having known this developer's work existed! I of all people should be constantly looking out for this stuff, but I know how this has slipped through my own cracks. I have become complacent with my focus on the wrong things. I am currently making wallpapers for a friend's multi-national company (supporting some huge commercial brands some of you will definitely know) so it is my job to be "in the know".
I will admit it, I decompile so many freaking apps from the market place. Fine stamp me with hacker label. Tarnish my name what ever. I like to learn how people have done things. What new layouts are on offer (especially with live wallpapers).
So naturally my attention has been on application size vs functionality. I can say man there are some nice wallpapers getting around that are so damn small for what they are and what they offer.
This was one of the well presented middle of the pack type of wallpaper. This developer has actually come up with a very unique layout and efficient method of display for their live wallpaper, and that is where I come undone. I was not looking for malware I was looking at interface/design/ingenuity/functionality/features.
That's the catch though, because this developer's work seems to be of an "acceptable" standard (some of their work looks above standard) then that is likely the reason for their success flying under the radar with their motives unquestioned.
Re-read the developer's statement about the permissions. That is a direct copy and paste from the Google Market, there's no doubt in my mind that this developer was out to sneakily target their victims. Their intent is to go un-noticed, and have apps that have a high level of uptake for a long time.
This goes against what many experts have published trying to profile 'what to look for'. Like for instance experts say developers of this nature tend to release all the same types of apps only different themes or flavours. This person has all sorts of apps in their profile. They look diverse. Many things that on the surface subconsciously never raise any flags with me, THAT is how they have gone unnoticed.
How does a wallpaper like this get between 1000-5000 downloads per month and only 2 comments? and what, 4 ratings? That means there are some IGNORANT people out there either still running this application or uninstalled it and not connected the dots between cause and effect, so neglect to report it "Geeeze why is my phone bill so massive this month?"
My last point is....none of my virus apps detected anything when I installed this. Thanks for nothing AVAST
I vote for user selected permissions for apps!!!
pulser_g2 said:
Looks like the Plankton trojan. Contacting Android security team.
Yeah I have already. That was the first thing I did before posting here.
I think I will be Logcat'ing every app I install from here on. It became blatantly obvious in the logs.
Good find!
The irony is that people keep insisting that the crack sites are the ones with malware, and 'as long as you only buy apps on the play store, you will be fine'. Fact is that ALL the Android malware is found on the Play Store.
Jarmezrocks said:
My last point is....none of my virus apps detected anything when I installed this. Thanks for nothing AVAST
I vote for user selected permissions for apps!!!
My desktop AV detected it immediately. (ESET).
Ok I think I should still contact my service provider just to be certain I have not copped some whopping charges. Even in flight mode look what this app does:
Code:
I/GlobalActions( 2464): onServiceStateChanged inAirplaneMode=false mAirplaneState=Off
V/Mms/DownloadManager(26378): Service state changed: Bundle[mParcelledData.dataSize=648]
V/Mms/DownloadManager(26378): roaming ------> false
V/Mms/DownloadManager(26378): auto download without roaming -> true
V/Mms/DownloadManager(26378): auto download during roaming -> false
V/Mms/DownloadManager(26378): mAutoDownload ------> true
D/ContextualPageReceiver( 3003): mContextualPageReceiver: ACTION_SERVICE_STATE_CHANGED isRoaming : false
I/WifiService( 2464): Booster FLAG : 1
I/WifiService( 2464): mBoosterFLAG : 1
I/WifiService( 2464): current booster mode : FullMode
E/PushClient( 5382): [a] MCC is same
V/Mms:transaction(26378): [MmsSystemEventReceiver] Intent received
V/Mms:transaction(26378): [MmsSystemEventReceiver] ANY_DATA_STATE event received: CONNECTED
V/Mms:transaction(26378): [MmsSystemEventReceiver] wakeUpService: start transaction service ...
D/LTE_WIDGET( 2900): TelephonyManager.DATA_CONNECTED:,isConnectedData = true
V/Mms:transaction(26378): [MmsSystemEventReceiver] Intent received
V/Mms:transaction(26378): [MmsSystemEventReceiver] ANY_DATA_STATE event received: CONNECTING
V/Mms:transaction(26378): [TransactionService] onStart: #10
V/Mms:transaction(26378): [TransactionService] networkAvailable=true
V/Mms:transaction(26378): [TransactionService] DatanetworkAvailable=true
D/PhoneApp( 2900): mReceiver: ACTION_ANY_DATA_CONNECTION_STATE_CHANGED
D/PhoneApp( 2900): mReceiver: ACTION_ANY_DATA_CONNECTION_STATE_CHANGED
D/NotificationMgr( 2900): hideDataDisconnectedRoaming()...
D/StatusChecker(25993): onReceive : android.intent.action.SERVICE_STATE
D/StatusChecker(25993): Service state changed : 0
V/TP/MmsSmsProvider( 2900): query,matched:6
D/TP/MmsSmsProvider( 2900): match 6:Elapsed time : 1.472 ms
V/Mms:transaction(26378): [TransactionService] onStart: cursor.count=2
V/Mms:transaction(26378): [TransactionService] launchTransaction: sending message { what=1 when=-1d1h33m24s584ms arg1=10 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 }
V/Mms:transaction(26378): [TransactionService] Handling incoming message: { what=1 when=0 arg1=10 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 } = EVENT_TRANSACTION_REQUEST
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST event...
V/Mms:transaction(26378): [TransactionService] MmscUrl=null proxy port: null
D/dalvikvm( 2694): GC_CONCURRENT freed 1256K, 31% free 24715K/35719K, paused 3ms+9ms, total 59ms
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST: transactionType=2 SEND_TRANSACTION
V/Mms:transaction(26378): [TransactionService] Transaction already pending: 10
V/Mms:transaction(26378): [TransactionService] already pending: call beginMmsConnectivity...
V/Mms:transaction(26378): [TransactionService] beginMmsConnectivity: result=1
V/Mms:transaction(26378): [TransactionService] Started processing of incoming message: { what=1 when=-39ms arg1=10 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 }
D/MotionEngine( 2464): [@@@ Motion Engine @@@] GetMotionScenarioId 0.009577 0.210690 9.394848 0.035000 -0.005250 -0.066500 51 20
D/MotionEngine( 2464): [@@@ Motion Engine @@@] MOVE Recognition ############ 40
W/SignalStrength( 2694): getGsmLevel=1
W/SignalStrength( 2464): getGsmLevel=1
W/SignalStrength( 2694): getLevel=1 (SignalStrength: 5 0 -120 -160 -120 -1 -1 99 2147483647 2147483647 2147483647 2147483647 gsm|lte 0x1)
W/SignalStrength( 2464): getLevel=1 (SignalStrength: 5 0 -120 -160 -120 -1 -1 99 2147483647 2147483647 2147483647 2147483647 gsm|lte 0x1)
W/SignalStrength( 2464): getDbm 1
W/SignalStrength( 2464): getGsmDbm=-103
W/SignalStrength( 2464): getDbm=-103
W/SignalStrength( 2464): getAsuLevel 1
W/SignalStrength( 2464): getGsmAsuLevel=5
W/SignalStrength( 2464): getAsuLevel=5
D/Tethering( 2464): interfaceLinkStateChanged rmnet_usb1, true
D/Tethering( 2464): interfaceStatusChanged rmnet_usb1, true
D/DHCP ( 2023): ===== DHCP message:
D/DHCP ( 2023): op = BOOTREQUEST (1), htype = 1, hlen = 6, hops = 0
D/DHCP ( 2023): xid = 0xe7e57b05 secs = 0, flags = 0x8000 optlen = 14
D/DHCP ( 2023): ciaddr = 0.0.0.0
D/DHCP ( 2023): yiaddr = 0.0.0.0
D/DHCP ( 2023): siaddr = 0.0.0.0
D/DHCP ( 2023): giaddr = 0.0.0.0
D/DHCP ( 2023): chaddr = { 00 00 00 00 00 00 }
D/DHCP ( 2023): sname = ''
D/DHCP ( 2023): file = ''
D/DHCP ( 2023): op 53 len 1 { 01 } discover
D/DHCP ( 2023): op 55 len 4 { 01 03 06 1c }
D/DHCP ( 2023): ===== DHCP message:
D/DHCP ( 2023): op = BOOTREPLY (2), htype = 1, hlen = 6, hops = 0
D/DHCP ( 2023): xid = 0xe7e57b05 secs = 0, flags = 0x8000 optlen = 42
D/DHCP ( 2023): ciaddr = 0.0.0.0
D/DHCP ( 2023): yiaddr = 10.247.140.186
D/DHCP ( 2023): siaddr = 10.247.140.185
D/DHCP ( 2023): giaddr = 0.0.0.0
D/DHCP ( 2023): chaddr = { 00 00 00 00 00 00 }
D/DHCP ( 2023): sname = ''
D/DHCP ( 2023): file = ''
D/DHCP ( 2023): op 53 len 1 { 02 } offer
D/DHCP ( 2023): op 1 len 4 { ff ff ff fc }
D/DHCP ( 2023): op 3 len 4 { 0a f7 8c b9 }
D/DHCP ( 2023): op 6 len 8 { d3 1d 84 0c c6 8e 00 33 }
D/DHCP ( 2023): op 51 len 4 { 00 00 1c 20 }
D/DHCP ( 2023): op 54 len 4 { 0a f7 8c b9 }
D/DHCP ( 2023): --- dhcp offer (2) ---
D/DHCP ( 2023): ip 10.247.140.186 gw 10.247.140.185 prefixLength 30
D/DHCP ( 2023): dns1: 211.29.132.12
D/DHCP ( 2023): dns2: 198.142.0.51
D/DHCP ( 2023): server 10.247.140.185, lease 7200 seconds
D/DHCP ( 2023): ===== DHCP message:
D/DHCP ( 2023): op = BOOTREQUEST (1), htype = 1, hlen = 6, hops = 0
D/DHCP ( 2023): xid = 0xe8e57b05 secs = 0, flags = 0x8000 optlen = 26
D/DHCP ( 2023): ciaddr = 0.0.0.0
D/DHCP ( 2023): yiaddr = 0.0.0.0
D/DHCP ( 2023): siaddr = 0.0.0.0
D/DHCP ( 2023): giaddr = 0.0.0.0
D/DHCP ( 2023): chaddr = { 00 00 00 00 00 00 }
D/DHCP ( 2023): sname = ''
D/DHCP ( 2023): file = ''
D/DHCP ( 2023): op 53 len 1 { 03 } request
D/DHCP ( 2023): op 55 len 4 { 01 03 06 1c }
D/DHCP ( 2023): op 50 len 4 { 0a f7 8c ba }
D/DHCP ( 2023): op 54 len 4 { 0a f7 8c b9 }
D/DHCP ( 2023): ===== DHCP message:
D/DHCP ( 2023): op = BOOTREPLY (2), htype = 1, hlen = 6, hops = 0
D/DHCP ( 2023): xid = 0xe8e57b05 secs = 0, flags = 0x8000 optlen = 42
D/DHCP ( 2023): ciaddr = 0.0.0.0
D/DHCP ( 2023): yiaddr = 10.247.140.186
D/DHCP ( 2023): siaddr = 10.247.140.185
D/DHCP ( 2023): giaddr = 0.0.0.0
D/DHCP ( 2023): chaddr = { 00 00 00 00 00 00 }
D/DHCP ( 2023): sname = ''
D/DHCP ( 2023): file = ''
D/DHCP ( 2023): op 53 len 1 { 05 } ack
D/DHCP ( 2023): op 1 len 4 { ff ff ff fc }
D/DHCP ( 2023): op 3 len 4 { 0a f7 8c b9 }
D/DHCP ( 2023): op 6 len 8 { d3 1d 84 0c c6 8e 00 33 }
D/DHCP ( 2023): op 54 len 4 { 0a f7 8c b9 }
D/DHCP ( 2023): op 51 len 4 { 00 00 1c 20 }
D/DHCP ( 2023): --- dhcp ack (5) ---
D/DHCP ( 2023): ip 10.247.140.186 gw 10.247.140.185 prefixLength 30
D/DHCP ( 2023): dns1: 211.29.132.12
D/DHCP ( 2023): dns2: 198.142.0.51
D/DHCP ( 2023): server 10.247.140.185, lease 7200 seconds
D/DHCP ( 2023): configuring rmnet_usb1
D/FastDormancy( 2900): startFastDorm - handleConnectedDc
D/PhoneApp( 2900): mReceiver: ACTION_ANY_DATA_CONNECTION_STATE_CHANGED
V/Mms:transaction(26378): [MmsSystemEventReceiver] Intent received
D/NotificationMgr( 2900): hideDataDisconnectedRoaming()...
V/Mms:transaction(26378): [MmsSystemEventReceiver] ANY_DATA_STATE event received: CONNECTED
V/Mms:transaction(26378): [MmsSystemEventReceiver] wakeUpService: start transaction service ...
V/Mms:transaction(26378): [TransactionService] onStart: #11
V/Mms:transaction(26378): [TransactionService] networkAvailable=true
V/Mms:transaction(26378): [TransactionService] DatanetworkAvailable=true
V/TP/MmsSmsProvider( 2900): query,matched:6
D/TP/MmsSmsProvider( 2900): match 6:Elapsed time : 1.132 ms
V/Mms:transaction(26378): [TransactionService] onStart: cursor.count=2
V/Mms:transaction(26378): [TransactionService] launchTransaction: sending message { what=1 when=-1d1h33m26s37ms arg1=11 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 }
V/Mms:transaction(26378): [TransactionService] Handling incoming message: { what=1 when=-1ms arg1=11 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 } = EVENT_TRANSACTION_REQUEST
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST event...
V/Mms:transaction(26378): [TransactionService] MmscUrl=null proxy port: null
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST: transactionType=2 SEND_TRANSACTION
V/Mms:transaction(26378): [TransactionService] Transaction already pending: 11
V/Mms:transaction(26378): [TransactionService] already pending: call beginMmsConnectivity...
V/Mms:transaction(26378): [TransactionService] beginMmsConnectivity: result=0
That's it I am removing avast. I got the ****s with AVG with so many false positives, and their automatic SMS cleaner that labels SMS and moves them to the top of your Mms view with tags that cannot be removed and no way of undoing them. Removed.
AVAST, constantly marking WifiKill as a Trojan app with no means for user to whitelist, and now can't even detect a real Trojan. Pathetic, being removed very shortly.
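The author says he will be running logcat on every install from now on; as an added example (not the thread author's tool), here is a small triage script for the logcat format shown above that reports every MMS SEND_TRANSACTION together with the last airplane-mode state announced by GlobalActions and the content URI being sent. SAMPLE_LOG is constructed from a few lines modelled on the capture above, and the script can also be pointed at a saved logcat file.

```python
"""Logcat triage for the MMS send activity shown in the thread.

Added example, not the thread author's tool.  SAMPLE_LOG is constructed
from a handful of lines modelled on the log above; the real capture is
the file attached to the post.
"""
import re
import sys

# Level/tag( pid): message -- the tag may contain ':' or '/', the pid may be
# padded with spaces, and some tags carry a trailing space before '('.
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>.+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)
AIRPLANE_RE = re.compile(r"inAirplaneMode=(true|false)")
URI_RE = re.compile(r"uri: (\S+)")

# Constructed sample, modelled on the capture in the thread.
SAMPLE_LOG = """\
I/GlobalActions( 2464): onServiceStateChanged inAirplaneMode=false mAirplaneState=Off
V/Mms:transaction(26378): [TransactionService] onStart: #10
V/Mms:transaction(26378): [TransactionService] launchTransaction: sending message { what=1 when=-1d1h33m24s584ms arg1=10 obj=transactionType: 2 uri: content://mms/177 pushData: null mmscUrl: null proxyAddress: null proxyPort: 0 }
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST: transactionType=2 SEND_TRANSACTION
D/DHCP ( 2023): configuring rmnet_usb1
V/Mms:transaction(26378): [TransactionService] handle EVENT_TRANSACTION_REQUEST: transactionType=2 SEND_TRANSACTION
"""


def parse_line(line):
    """Split one logcat line into its fields, or return None for noise
    (logcat banners, blank lines, wrapped continuation lines)."""
    m = LOGCAT_LINE.match(line)
    if not m:
        return None
    return {"level": m.group("level"), "tag": m.group("tag").strip(),
            "pid": int(m.group("pid")), "msg": m.group("msg")}


def triage(lines):
    """Walk the log in order and report every MMS SEND_TRANSACTION, with
    the airplane-mode state last announced by GlobalActions and the
    content URI the TransactionService was last asked to send.

    Returns a list of findings; an empty list means no send was seen."""
    airplane_mode = None          # unknown until GlobalActions reports it
    last_uri = {}                 # pid -> most recent content:// URI
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["tag"] == "GlobalActions":
            m = AIRPLANE_RE.search(rec["msg"])
            if m:
                airplane_mode = (m.group(1) == "true")
        if not rec["tag"].startswith("Mms"):
            continue
        m = URI_RE.search(rec["msg"])
        if m:
            last_uri[rec["pid"]] = m.group(1)
        if "SEND_TRANSACTION" in rec["msg"]:
            findings.append({"pid": rec["pid"],
                             "uri": last_uri.get(rec["pid"]),
                             "airplane_mode": airplane_mode})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # saved 'adb logcat' output
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for f in triage(lines):
        print("MMS send by pid %d, uri=%s, airplane_mode=%s"
              % (f["pid"], f["uri"], f["airplane_mode"]))
```

Note that the pid reported is the Mms app's TransactionService doing the sending; which installed app triggered it has to be correlated separately (for example by the package whose activity or receiver logged just before).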
pulser_g2 said:
My desktop AV detected it immediately. (ESET).
What are you using if you don't mind me asking? And the apk, you downloaded it and your desktop computer detected it as a Malware app?
What do you use on your device?
My PC is always clean cause I have Virtual Machines to run any suspect packages I find. I have specifically built machines running services that mask that they are a VM, a lot of very smart malware these days run detection for all sorts of things prior to execution. I let known malware run rampant in my VM and then inspect the aftermath. Sometimes the machines are unbootable so I run a secondary image and mount the .VHD to the functional VM and go snooping.
Best I have seen to date is a crazy Virus that utilises Windows extended attributes for parsing commands. Man that was a very well thought out Virus, I kinda do have to give some credit to the hacker who thought up these kinds of things.
For every day use I run Microsoft Security Essentials as backup "plan B" normal web browsing. Browser is sandboxed. Downloads drive is an encrypted virtual volume.
Can we run a duplicate image on our devices (kind of like a 2nd ROM similar to say Siyah Kernel runs) and VM front? I heard that you can "log into" a mounted VM image on your phone via VPN and QEMU?
Jarmezrocks said:
That's it I am removing avast. I got the ****s with AVG with so many false positives, and their automatic SMS cleaner that labels SMS and moves them to the top of your Mms view with tags that cannot be removed and no way of undoing them. Removed.
AVAST, constantly marking WifiKill as a Trojan app with no means for user to whitelist, and now can't even detect a real Trojan. Pathetic, being removed very shortly.
What are you using if you don't mind me asking? And the apk, you downloaded it and your desktop computer detected it as a Malware app?
What do you use on your device?
My PC is always clean cause I have Virtual Machines to run any suspect packages I find. I have specifically built machines running services that mask that they are a VM, a lot of very smart malware these days run detection for all sorts of things prior to execution. I let known malware run rampant in my VM and then inspect the aftermath. Sometimes the machines are unbootable so I run a secondary image and mount the .VHD to the functional VM and go snooping.
Best I have seen to date is a crazy Virus that utilises Windows extended attributes for parsing commands. Man that was a very well thought out Virus, I kinda do have to give some credit to the hacker who thought up these kinds of things.
For every day use I run Microsoft Security Essentials as backup "plan B" normal web browsing. Browser is sandboxed. Downloads drive is an encrypted virtual volume.
Can we run a duplicate image on our devices (kind of like a 2nd ROM similar to say Siyah Kernel runs) and VM front? I heard that you can "log into" a mounted VM image on your phone via VPN and QEMU?
I use ESET smart security for my desktop like I said (mostly for the firewall tbh). The AV is very good. Detected this APK file soon as I downloaded it, and stopped it from being saved to the HDD
RE second image, there is some vmware stuff coming out soon, but needs kernel modules compiled in. https://play.google.com/store/apps/details?id=com.vmware.mvp
What do you run on your phone? Or do you run your self? It's much safer to run Jarmezrocks at every installation, however he lacks performance coming out of deepsleep (damn narcolepsy) so attentiveness is not always 100%
I wasn't sure whether to upload the package I shot through to you to the forums? I will let you decide on that, but I thought it would be good for others to take a look and investigate.
Hey! I just got an idea. Your anti-virus + apkdownloader on PC = ultimate virus protection for android.
I have to say that is pretty good going for a PC app to detect the apk and stop it downloading
Jarmezrocks said:
What do you run on your phone? Or do you run your self? It's much safer to run Jarmezrocks at every installation, however he lacks performance coming out of deepsleep (damn narcolepsy) so attentiveness is not always 100%
No mobile AV does what I'm after, but I block stuff using a combination of OpenPDroid and XPrivacy (http://forum.xda-developers.com/showthread.php?p=42488236#post42488236)
Jarmezrocks said:
I wasn't sure whether to upload the package I shot through to you to the forums? I will let you decide on that, but I thought it would be good for others to take a look and investigate.
Hey! I just got an idea. Your anti-virus + apkdownloader on PC = ultimate virus protection for android.
I have to say that is pretty good going for a PC app to detect the apk and stop it downloading
Up to you - I say go for it, the files are sitting on the market right now... Anyone can get them from there and get infected.
Yes, that's why I do it ESET are not ones to shy away from calling "malicious" if there is fair confidence. I checked it out and it was a heuristic detection match
For anyone following.
The zip has all of my analysis contained.
1) The main apk used
2) Typical dex2jar decompile
3) APKTool 1.5.2 (latest) decompile to smali
4) My own personal decompilation process with several iterations of optimisation (been running for the last hour or so) with as pure Java output as you can probably get. Much better for analysing these kinds of apps
5) My own stripped version of the apk that still contains the executing code of the apk (has had permissions revoked and heaps of junk removed) if you decompile this app you will see what I mean. I have done a fair bit of the hard work, there is still a fair bit more to be done though.
Download from skydrive here:
http://sdrv.ms/11yRKoW
If someone gets the apk running and/or decodes the methods to readable strings could you please respond in here and share for the rest of us. Thanks
I will update the OP
Thanks for this!
Shouldn't this be posted in all the forum threads for those who have not read this yet? A link to this thread maybe?
N1M1TZ said:
Thanks for this!
Shouldn't this be posted in all the forum threads for those who have not read this yet? A link to this thread maybe?
That's up to the admin /mods I guess. Feel free to click news worthy on the OP and it might make XDA front page. That's one better than posting it individually in each forum.
I didn't news worthy my own post. thought that would come across as being a bit "biggity" of me self promoting. I have extended it as far wide as I can across my social networks though, where I guess it can be taken as being a bit more helpful.
I understand. I better take off the posts I did in 2 different devices under the "General" section. I don't want to get banned from this great site. I believe credit should be given to you though as you took the time and effort for it.
EDIT: Doh, forgot I cannot delete my posts.
ADMIN: Please delete posts. My apologies.
http://forum.xda-developers.com/showthread.php?t=2321131
and here
http://forum.xda-developers.com/showthread.php?t=2321138
Shocking would be a more appropriate word. What I don't get is that this developer has put a decent amount of time into the presentation of their apps. They look to be GOOD apps, and I suppose that is the more sinister part of this story. Think about the uptake of apps that "look" dodgy and are dodgy vs those apps that "look" legit but are dodgy
Well, that guy went to impressive lengths to mask the malware as a live wallpaper. I think this thread should be a good reminder to everyone not to trust anything from the app store unless confirmed by yourself.
Is there any way to run a phone with restricted permissions and access to data? Like Sandboxie for Windows? From now on, I am going to log app behavior and probably not install them directly from the app store.
I am shocked at the organised and calculated criminal energy of these type of people.

[Q] I want to implement a Python client for the States of the Union (SOTU) Protocol

Using Python, I want a client program that uses UDP to talk to a server about states of the union. The client can ask the server for the capital and population of states.
The protocol is specified here --> http://mypage.iu.edu/~gdweber/info/i320/lab/01-sotu/sotu_protocol_v2.2.txt
The client should have a friendly user interface. It should not just "forward" user input to the server and vice versa. I have a server to run the client with but I'm having difficulties putting it all together.
http://mypage.iu.edu/~gdweber/info/i320/lab/01-sotu/sotu_server_v2_1.py
Run the server with " $ python3 sotu_server.py 〈hostname〉 〈port〉 ".
Use the string methods strip() and split() to "parse" the messages, and "\r\n" (the carriage-return, line-feed sequence) to terminate a message.
import socket
import sys


def start_client(host, port):
    """Start running the client, and connect to the server on
    the given host and port."""
    # NOTE: this template opens a TCP stream socket (SOCK_STREAM); the
    # assignment described above asks for a UDP client (SOCK_DGRAM).
    sock = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
    print("Created socket")
    sock.connect((host, port))
    print("Connected to server on %s, %d" % (host, port))
    try:
        while True:
            # Every message is terminated by the CRLF sequence.
            mesg = input("Send a message: ") + "\r\n"
            mesg_bytes = mesg.encode()
            bytecount = sock.send(mesg_bytes)
            print("Message sent (%d of %d bytes)" %
                  (bytecount, len(mesg_bytes)))
            answer = sock.recv(512)
            if len(answer) == 0:
                # An empty read on a stream socket means the peer closed.
                print("Server closed connection.")
                sock.close()
                return
            else:
                print(answer.decode())
    except KeyboardInterrupt:
        sock.shutdown(socket.SHUT_RDWR)
        sock.close()
        print("Closed connection due to keyboard interrupt")
    except Exception as e:
        sock.close()
        print("Caught an exception: %s" % e)


def usage():
    print("Usage: python3 socket_stream_client.py host port")
    print("where (host, port) is the address of the server.")


if __name__ == "__main__":
    args = sys.argv
    if len(args) == 3:
        host = args[1]
        try:
            port = int(args[2])
            start_client(host, port)
        except ValueError:
            print("Sorry, %s is not a valid port number." % args[2])
            usage()
            sys.exit(1)
    else:
        usage()
        sys.exit(2)
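As an added example (not the poster's code and not the course's sotu_server_v2_1.py), here is the UDP shape the question asks for, with the two things a datagram client needs that the stream template above does not have: a receive timeout, because UDP gives no connection to fail, and a check that the reply actually came from the server that was asked, because any host can drop a datagram on the client's port. The request and reply formats ("CAPITAL <state>" / "OK <answer>" / "ERROR <reason>") are assumed placeholders to be replaced by the real ones from the linked spec, and the mock server at the bottom is constructed only so the example runs offline.

```python
"""UDP client skeleton for the SOTU assignment.

Added example, not the original poster's code and not the course's
sotu_server_v2_1.py.  The wire formats used here ("CAPITAL <state>" /
"POPULATION <state>" requests, "OK <answer>" / "ERROR <reason>" replies)
are ASSUMED placeholders; take the real ones from the protocol spec.
"""
import socket
import threading

CRLF = b"\r\n"
MAX_DATAGRAM = 512         # longest reply we are prepared to accept
TIMEOUT_SECONDS = 2.0      # UDP gives no connection; never block forever
COMMANDS = ("CAPITAL", "POPULATION")


def build_request(command, state):
    """Build one CRLF-terminated request from a menu choice and a state name.
    Only the two known commands are accepted, and whitespace (CR/LF included)
    is collapsed, so user input is never forwarded verbatim."""
    command = command.strip().upper()
    if command not in COMMANDS:
        raise ValueError("unknown command: %r" % command)
    state = " ".join(state.split())
    if not state:
        raise ValueError("state name must not be empty")
    return ("%s %s" % (command, state)).encode("ascii") + CRLF


def parse_response(raw):
    """Parse one reply datagram with strip()/split() as the assignment hints.
    Returns (status, fields); a reply without the CRLF terminator is rejected
    as truncated."""
    if not raw.endswith(CRLF):
        raise ValueError("reply not terminated by CRLF")
    parts = raw.decode("ascii", "replace").strip().split()
    if not parts:
        raise ValueError("empty reply")
    return parts[0].upper(), parts[1:]


def query(host, port, request, timeout=TIMEOUT_SECONDS):
    """Send one request and return the parsed reply from that server.
    Replies from any other source address are ignored rather than shown
    to the user, since nothing in UDP ties a reply to our request."""
    server = (socket.gethostbyname(host), port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)           # recvfrom raises socket.timeout
        sock.sendto(request, server)
        while True:
            data, sender = sock.recvfrom(MAX_DATAGRAM)
            if sender == server:
                return parse_response(data)


# Constructed stand-in for the course server so the example runs offline.
FAKE_STATES = {"indiana": ("Indianapolis", "6500000"),   # made-up populations
               "ohio": ("Columbus", "11500000")}


def serve_once(sock):
    """Answer a single request on an already bound UDP socket."""
    data, client = sock.recvfrom(MAX_DATAGRAM)
    parts = data.decode("ascii", "replace").strip().split(None, 1)
    reply = b"ERROR bad request"
    if len(parts) == 2 and parts[0].upper() in COMMANDS:
        entry = FAKE_STATES.get(parts[1].lower())
        if entry is None:
            reply = b"ERROR no such state"
        else:
            capital, population = entry
            answer = capital if parts[0].upper() == "CAPITAL" else population
            reply = ("OK %s" % answer).encode("ascii")
    sock.sendto(reply + CRLF, client)


def demo():
    """Start the mock server on a loopback port, send three requests and
    return the parsed replies in order."""
    requests = [("capital", " indiana "), ("population", "Ohio"),
                ("capital", "Atlantis")]
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve_all():
        for _ in requests:
            serve_once(srv)

    worker = threading.Thread(target=serve_all, daemon=True)
    worker.start()
    results = [query("127.0.0.1", port, build_request(c, s))
               for c, s in requests]
    worker.join(TIMEOUT_SECONDS)
    srv.close()
    return results


if __name__ == "__main__":
    for status, fields in demo():
        print(status, " ".join(fields))
```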
