Thread: Is my iPhone infected with a virus/malware? It seems to be SYN flooding networks

  1. #1
    Is my iPhone infected with a virus/malware? It seems to be SYN flooding networks
    My iPhone may be infected with some sort of malware, as my phone seems to be SYN flooding several networks.

    Symptoms observed & history:
    -1-2 months ago, my battery life dropped sharply. By end of work I'd often only have 20-30% left – less than half of what I used to get.
    -My phone is often warm when it's in sleep mode.
    -A few days ago, I updated the firmware but did not restore my data and settings. Issue was resolved for several days – I concluded that there was some setting/program gone awry. Then the problem came back.
    -Last night I decided to use tcpdump on my firewall and see what my phone is doing. See logs – it looks to me like I'm part of a botnet. I'm sending 1 SYN packet (port 22/SSH) per second to 163.151.162.0/24.
    -I shut down the phone and restarted it. Checked tcpdump, no flooding going out. But several minutes later, it started again, this time to a different subnet (25.2.129.0/24).
    -I recently noticed that my signal strength meter shows only 0 or 1 bars now, although actual signal strength is fine. Even if it shows 0 bars, I can still connect and have good signal.
    -I definitely forgot to change the root password after I reinstalled everything a few nights ago. But on my original install, that would have been changed.
    -I'm on an iPhone4, now up to 4.3.3 w/JB.

    Unfortunately, I'm not sure how to trace this back to a process, and my phone doesn't have ps installed. My technical abilities have taken me this far; I'm hoping support from this community will help me go farther, although I'm tempted to reinstall again tonight. I must also say that I spoke to several other iPhone users a month or two ago who also said they'd seen a sharp drop in battery life.

    Notes on the logs:
    -Both logs show 1 SYN packet per second to a specific /24. The last octet of the destination IP address slowly increases, so while this log shows 81-88, a few minutes later it might be in the 120s.
    -This is definitely unusual behaviour.
    -I didn't see any replies to these SYN packets.
    -My iPhone's IP is 10.10.10.117.

    Log #1 (prior to reboot):
    00:33:11.695979 IP 10.10.10.117.52123 > 163.151.162.84.ssh: Flags [S], seq 1164338448, win 65535, options [mss 1460,sackOK,eol], length 0
    00:33:13.106592 IP 10.10.10.117.52136 > 163.151.162.87.ssh: Flags [S], seq 1076099513, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727895348 ecr 0,sackOK,eol], length 0
    00:33:13.508193 IP 10.10.10.117.52116 > 163.151.162.81.ssh: Flags [S], seq 2236162508, win 65535, options [mss 1460,sackOK,eol], length 0
    00:33:15.219428 IP 10.10.10.117.52133 > 163.151.162.86.ssh: Flags [S], seq 2318601143, win 65535, options [mss 1460,sackOK,eol], length 0
    00:33:15.784457 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727898023 ecr 0,sackOK,eol], length 0
    00:33:16.823868 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727899058 ecr 0,sackOK,eol], length 0
    00:33:17.125465 IP 10.10.10.117.52136 > 163.151.162.87.ssh: Flags [S], seq 1076099513, win 65535, options [mss 1460,sackOK,eol], length 0
    00:33:17.827923 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727900058 ecr 0,sackOK,eol], length 0
    00:33:18.938087 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727901157 ecr 0,sackOK,eol], length 0

    Log #2 (after reboot):
    00:49:45.888888 IP 10.10.10.117.49260 > 25.2.129.74.ssh: Flags [S], seq 3592393110, win 65535, options [mss 1460,sackOK,eol], length 0
    00:49:47.706034 IP 10.10.10.117.49263 > 25.2.129.77.ssh: Flags [S], seq 4131313704, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247468537 ecr 0,sackOK,eol], length 0
    00:49:48.008998 IP 10.10.10.117.49257 > 25.2.129.71.ssh: Flags [S], seq 2870491007, win 65535, options [mss 1460,sackOK,eol], length 0
    00:49:49.625283 IP 10.10.10.117.49262 > 25.2.129.76.ssh: Flags [S], seq 4288418570, win 65535, options [mss 1460,sackOK,eol], length 0
    00:49:50.381068 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247471205 ecr 0,sackOK,eol], length 0
    00:49:51.442607 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247472253 ecr 0,sackOK,eol], length 0
    00:49:51.745343 IP 10.10.10.117.49263 > 25.2.129.77.ssh: Flags [S], seq 4131313704, win 65535, options [mss 1460,sackOK,eol], length 0
    00:49:52.449405 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247473263 ecr 0,sackOK,eol], length 0
    00:49:53.455138 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247474263 ecr 0,sackOK,eol], length 0
    00:49:54.460174 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247475263 ecr 0,sackOK,eol], length 0
    00:49:55.468090 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247476265 ecr 0,sackOK,eol], length 0
    00:49:55.674546 IP 10.10.10.117.49261 > 25.2.129.75.ssh: Flags [S], seq 297006610, win 65535, options [mss 1460,sackOK,eol], length 0
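
    As an added, runnable example that is not part of the original post: a small Python script that parses tcpdump lines like the two logs above and flags the pattern the poster describes (one source sending bare SYNs to a growing number of distinct hosts in a single /24 on one port, with retransmissions and no SYN-ACKs coming back). The sample input is constructed: it reuses lines from the two logs above and adds one made-up benign web connection in the 203.0.113.0/24 documentation range for contrast. The `min_targets` threshold is an assumed tuning value, not something from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample input: lines taken from the two captures in the post, plus
# one made-up benign flow (SYN to a web server in the 203.0.113.0/24
# documentation range and its SYN-ACK reply) that must NOT be flagged.
SAMPLE_LOG = """\
00:33:11.695979 IP 10.10.10.117.52123 > 163.151.162.84.ssh: Flags [S], seq 1164338448, win 65535, options [mss 1460,sackOK,eol], length 0
00:33:12.000000 IP 10.10.10.117.52200 > 203.0.113.10.http: Flags [S], seq 1, win 65535, options [mss 1460,sackOK,eol], length 0
00:33:12.050000 IP 203.0.113.10.http > 10.10.10.117.52200: Flags [S.], seq 2, ack 2, win 65535, options [mss 1460], length 0
00:33:13.106592 IP 10.10.10.117.52136 > 163.151.162.87.ssh: Flags [S], seq 1076099513, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727895348 ecr 0,sackOK,eol], length 0
00:33:13.508193 IP 10.10.10.117.52116 > 163.151.162.81.ssh: Flags [S], seq 2236162508, win 65535, options [mss 1460,sackOK,eol], length 0
00:33:15.219428 IP 10.10.10.117.52133 > 163.151.162.86.ssh: Flags [S], seq 2318601143, win 65535, options [mss 1460,sackOK,eol], length 0
00:33:15.784457 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727898023 ecr 0,sackOK,eol], length 0
00:33:16.823868 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727899058 ecr 0,sackOK,eol], length 0
00:33:17.125465 IP 10.10.10.117.52136 > 163.151.162.87.ssh: Flags [S], seq 1076099513, win 65535, options [mss 1460,sackOK,eol], length 0
00:33:17.827923 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727900058 ecr 0,sackOK,eol], length 0
00:33:18.938087 IP 10.10.10.117.52137 > 163.151.162.88.ssh: Flags [S], seq 363962743, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 727901157 ecr 0,sackOK,eol], length 0
00:49:45.888888 IP 10.10.10.117.49260 > 25.2.129.74.ssh: Flags [S], seq 3592393110, win 65535, options [mss 1460,sackOK,eol], length 0
00:49:47.706034 IP 10.10.10.117.49263 > 25.2.129.77.ssh: Flags [S], seq 4131313704, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247468537 ecr 0,sackOK,eol], length 0
00:49:48.008998 IP 10.10.10.117.49257 > 25.2.129.71.ssh: Flags [S], seq 2870491007, win 65535, options [mss 1460,sackOK,eol], length 0
00:49:49.625283 IP 10.10.10.117.49262 > 25.2.129.76.ssh: Flags [S], seq 4288418570, win 65535, options [mss 1460,sackOK,eol], length 0
00:49:50.381068 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247471205 ecr 0,sackOK,eol], length 0
00:49:51.442607 IP 10.10.10.117.49264 > 25.2.129.78.ssh: Flags [S], seq 2736486187, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 247472253 ecr 0,sackOK,eol], length 0
00:49:55.674546 IP 10.10.10.117.49261 > 25.2.129.75.ssh: Flags [S], seq 297006610, win 65535, options [mss 1460,sackOK,eol], length 0
"""

# tcpdump's default TCP summary: "HH:MM:SS.usec IP src.port > dst.port: Flags [..], ..."
# Ports may be printed as names (ssh, http) or numbers, so \w+ accepts both.
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields we need from one tcpdump line, or None if it is not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seconds = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
    return {"t": seconds, "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"], "flags": m["flags"]}


def find_scanners(log_text, min_targets=5):
    """One finding per (source, destination port, destination /24) that reached
    min_targets distinct hosts. Only pure SYNs (flags "S") count as probes; a
    SYN-ACK ("S.") from a probed host marks that host as having replied."""
    probes = defaultdict(lambda: {"targets": set(), "lines": 0, "first": None, "last": None})
    replies = set()  # (scanner, service port, probed host) that answered with SYN-ACK
    for raw in log_text.splitlines():
        p = parse_line(raw)
        if p is None:
            continue
        if p["flags"] == "S":
            net = str(ip_network(f"{p['dst']}/24", strict=False))
            e = probes[(p["src"], p["dport"], net)]
            e["targets"].add(p["dst"])
            e["lines"] += 1
            e["first"] = p["t"] if e["first"] is None else min(e["first"], p["t"])
            e["last"] = p["t"] if e["last"] is None else max(e["last"], p["t"])
        elif p["flags"] == "S.":
            # A SYN-ACK travels from the probed host back to the prober.
            replies.add((p["dst"], p["sport"], p["src"]))

    findings = []
    for (src, dport, net), e in probes.items():
        if len(e["targets"]) < min_targets:
            continue
        octets = sorted(int(t.rsplit(".", 1)[1]) for t in e["targets"])
        findings.append((e["first"], {
            "src": src, "dport": dport, "subnet": net,
            "targets": len(e["targets"]),
            # Every extra SYN to an already-seen host is treated as a retransmit,
            # which is what you expect when nobody answers.
            "retransmits": e["lines"] - len(e["targets"]),
            "replied": sum(1 for t in e["targets"] if (src, dport, t) in replies),
            "span_s": round(e["last"] - e["first"], 3),
            "last_octet_range": (octets[0], octets[-1]),
        }))
    return [f for _, f in sorted(findings, key=lambda x: x[0])]


if __name__ == "__main__":
    for f in find_scanners(SAMPLE_LOG):
        print(f)
```

    Run it over a tcpdump text capture of the phone's traffic; the two subnets from the post come out as findings with zero replies and several retransmits, while the single benign web connection never reaches the target threshold and is ignored. That distinction (many distinct hosts in one /24 on one port, versus one server) is what separates scanning from a normal client.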

  2. #2
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Install Top (via Cydia) and monitor from an ssh shell. Not positive, but it may depend on and automatically install ps.

  3. #3
    Not a Syn Flood - a continuous hacking program?
    You know, this is rather slow for a SYN flood. That second block (25.2.x.x) looks like it belongs to my carrier, Rogers.

    Could it be that this isn't a Syn flood - this is my phone trying to log on to other iPhones on Rogers that have OpenSSH installed and have the default root password set?

    If that's the case, this isn't just malware, this is something that's trying to spread.

    I'm hoping I'm jumping to conclusions too early. Someone tell me I'm way off on this one.

  4. #4
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Before I jumped to conclusions and started digging into tcp packets, I would look for unusual process activity.

  5. #5
    Having a problem getting Top or PS. It looks like they're contained in package "adv-cmds", but I added repos "http://apt.saurik.com", "apt.saurik.com/cydia", and "apt.saurik.com/cyida-3.7" and no luck. Any idea where I can get these tools?

  6. #6
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    These are default repos which do not require adding. It's very odd you don't have them !!?!?!!

    Are you using warez or cracked apps, and/or adding repos that offer them?

    If Cydia is messed up, reinstall it using Redsnow. Only check Install Cydia.

    Note: MMi does not allow discussion of warez or cracked apps nor support the problems that arise.

  7. #7
    Quote Originally Posted by Mes
    These are default repos which do not require adding. It's very odd you don't have them !!?!?!!
    Ok, found out why I don't have them. Looks like Cydia will only allow you to see Top and Adv-Cmds if your Cydia settings are set to "Hacker" or "Developer" (under Manage -> Settings). I was set to "User", so evidently I don't want any unix utils

    Anyway, I can see the packets are going out right now, so I ran top. I noticed an oddly named process near the top called "poc-bbot". Researched it, and it sounds like something bad. Killed the proc and the packets stop. That little ***** of a process has been killing my battery gently for a long time. I'm off to do a complete reinstall and make sure I immediately change my root password.

    Thanks a lot for the help!

  8. #8
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Good job. Most processes on the iPhone are easy to identify as standard / normal processes.

    A very good idea to change the password and reinstall/restore everything. One rarely knows what else was changed. Rule of thumb: Be careful installing anything. Make sure you know the program (and dependent programs if any), understand what it is supposed to do, and trust the repository.

  9. #9
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    Quote Originally Posted by Mes
    Good job. Most processes on the iPhone are easy to identify as standard / normal processes.

    A very good idea to change the password and reinstall/restore everything. One rarely knows what else was changed. Rule of thumb: Be careful installing anything. Make sure you know the program (and dependent programs if any), understand what it is supposed to do, and trust the repository.
    Quick question... I believe I may have the same problems listed above...I downloaded top and adv-cmds. How do I view the process? I have terminal and I also have SSH'd into my iPhone. I have absolutely NO idea what to do here...please help

  10. #10
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Quote Originally Posted by Faux Affliction
    Quick question... I believe I may have the same problems listed above...I downloaded top and adv-cmds. How do I view the process? I have terminal and I also have SSH'd into my iPhone. I have absolutely NO idea what to do here...please help
    Maybe 100 different ways.
    Here's one: From a computer, log into the idevice with ssh. From that ssh window, execute top.

  11. #11
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    where is top located on my phone? var/mobile???

  12. #12
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Top is a command line utility available by selecting Developer from Cydia / Manage / Settings.

  13. #13
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    Yeah I have that. I also have adv-cmds? and Terminal. My question is how do I execute Top? Via ssh or terminal.

  14. #14
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    Either. It's in the default path. Did you try just typing top from anywhere?

    Go to Cydia / Manage / Packages / Top. Select it, scroll down and select Filesystem Content. The file additions and their locations will show.

  15. #15
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    Ok I found top but I can't open it or anything. I was under the impression that it was watching my processes running and I could view/kill them. I'm sshing into my phone at usr/bin/top but I can't open it. Basically my question is...How can I go about seeing the processes it is supposedly watching?

  16. #16
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    I think you're missing the usage of top.

    Top runs ONLY when you execute it. Every 1 second, it displays the top 20 (or so) running processes.

    To execute top, open a Mobile Terminal (or a SSH session via computer) aka: ssh [email protected]
    Enter the password, a command prompt will appear '#'. Now execute top and watch the activity.

    Ctrl-C or exiting / closing the ssh session terminates top.

  17. #17
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    Ok yea thanks I ran terminal on my phone and typed top and started seeing the processes. How do I kill them? It says I have 44 running, 2 stuck? Also I use winscp but can I gain access to my phone with CMD? Thanks for all your help man

  18. #18
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    I'd like to help you, but now you're scaring me. You're playing around with something with very little knowledge of what you're doing, or the consequences thereof. It's going to get you in trouble .... big trouble.

    Let me say this: If you don't know how to kill something, then you don't know what you're killing. That's the quickest way to cause even more problems. Please don't do this.

    If you're having problems, fix it the easy way. Restore and re-jb.

  19. #19
    What's Jailbreak?
    Join Date
    Jan 2009
    Location
    Kansas
    Posts
    20
    Thanks
    0
    Thanked 2 Times in 1 Post
    Thank you for being polite in calling me stupid I can be a bit retarded at times. I did figure it out btw So thank you for your help I appreciate it

  20. #20
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,021
    Thanks
    102
    Thanked 789 Times in 731 Posts

    I didn't mean to imply stupidity and we're all a bit retarded at times (haha). Sorry if that's what you got. Everybody starts with zero and learns.

    If you have a 'run-away' process, it may be possible to kill it, it may be possible to remove the offending files, or how and why they start, but it's not easy to know if anything else was changed or modified.

    When my computer is infected, it gets rebuilt; if my phone ever gets infected, the same will occur. Cleaning a problem is not easy to diagnose. It's soooooo simple to restore, it makes sense to do it. It guarantees the problems are really gone.

    Cheers
