A month or so ago I noticed that my Galaxy S4 running 4.4.2 (not rooted) started to "beacon" to an address in China. I know this because I VPN through my house when on cellular, and well, wifi at home, and I monitor my router logs. It happens at seemingly random times during the day, usually when I'm not using the phone. I captured the packets, and this is what I found:
1. My phone makes a request to 115.29.12.63 with various parameters.

08:34:54.945442 IP s4-vpn.50668 > 115.29.12.63.http: Flags [P.], seq 1:244, ack 1, win 13880, length 243
E...d.@.@.C.
...s..?...P.r.,..o.P.68.=..POST /mbstph.php HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
Host: api.3366app.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

v=6&m=Google+Play&re=US&hl=en&p=tool.scanner

2. The response is as follows:

08:34:55.265633 IP 115.29.12.63.http > s4-vpn.50668: Flags [P.], seq 1:348, ack 244, win 11256, length 347
E ..$a@.*...s..?
....P....o..r..P.+.(...HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 17 Oct 2014 12:35:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17p1

83
<?xml version="1.0" encoding="utf-8"?><ret><plist htime="12" ptime="12" ftime="30" tj="http://112.124.36.135/tj.php"></plist></ret>
0

3. Notice that the connections are all "keep alive", so they can be held open as long as they want. After it gets this packet, it then connects to that address above (112.124.36.135) to the tj.php script. This returns:

<!DOCTYPE html>
<html lang="zh-cn">
<head>
<meta charset="utf-8">
</head>
<body>
<img src="http://hm.baidu.com/hm.gif?si=db20b016f2e012e4cd60ef500703ada1&et=0&nv=1&st=3&su=&v=wap-0-0.2&rnd=1192770211" width="0" height="0" />
</body>
</html>

4. This returns what it wants you to think is an image, but the parameters indicate to me (I could be wrong) that it's an index into a database of some sort (the hash up front) and then various parameters, including a seed for something (rnd)? Not sure... If you then follow THAT link you get back a 1x1 GIF, hexdump:

0000000 4947 3846 6139 0001 0001 0180 0000 0000
0000010 ffff 21ff 04f9 0001 0100 2c00 0000 0000
0000020 0001 0001 0200 4c02 0001 003b
000002b

This has me concerned as the "blob" that is returned could be anything.
It could be a malformed GIF with another binary in it that can arbitrarily be run by whatever called this in the first place. If there is anybody out there who could shed some light on this, I would greatly appreciate it.

Whois for 112.124.36.135:

inetnum:        112.124.0.0 - 112.127.255.255
netname:        ALISOFT
descr:          Aliyun Computing Co., LTD
descr:          5F, Builing D, the West Lake International Plaza of S&T
descr:          No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:        CN
admin-c:        ZM1015-AP
tech-c:         ZM877-AP
tech-c:         ZM876-AP
tech-c:         ZM875-AP
mnt-by:         MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
status:         ALLOCATED PORTABLE
changed:        [email protected] 20140730
source:         APNIC

irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        IP50-AP
tech-c:         IP50-AP
auth:           # Filtered
remarks:        Please note that CNNIC is not an ISP and is not
remarks:        empowered to investigate complaints of network abuse.
remarks:        Please contact the tech-c or admin-c of the network.
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20110428
source:         APNIC

person:         Li Jia
address:        NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country:        CN
phone:          +86-0571-85022088
e-mail:         [email protected]
nic-hdl:        ZM1015-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130730
source:         APNIC

person:         Guoxin Gao
address:        5F, Builing D, the West Lake International Plaza of S&T
address:        No.391 Wen'er Road, Hangzhou City
address:        Zhejiang, China, 310099
country:        CN
phone:          +86-0571-85022600
fax-no:         +86-0571-85022600
e-mail:         [email protected]
nic-hdl:        ZM875-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130705
source:         APNIC

person:         security trouble
e-mail:         [email protected]
address:        5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen’er Road
address:        Hangzhou, Zhejiang, China
phone:          +86-0571-85022600
country:        CN
mnt-by:         MAINT-CNNIC-AP
nic-hdl:        ZM876-AP
changed:        [email protected] 20130708
source:         APNIC

person:         Guowei Pan
address:        5F, Builing D, the West Lake International Plaza of S&T
address:        No.391 Wen'er Road, Hangzhou City
address:        Zhejiang, China, 310099
country:        CN
phone:          +86-0571-85022088-30763
fax-no:         +86-0571-85022600
e-mail:         [email protected]
nic-hdl:        ZM877-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130709
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)

Whois for 115.29.12.63:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '115.28.0.0 - 115.29.255.255'

inetnum:        115.28.0.0 - 115.29.255.255
netname:        ALISOFT
descr:          Aliyun Computing Co., LTD
descr:          5F, Builing D, the West Lake International Plaza of S&T
descr:          No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:        CN
admin-c:        ZM1015-AP
tech-c:         ZM877-AP
tech-c:         ZM876-AP
tech-c:         ZM875-AP
mnt-by:         MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
status:         ALLOCATED PORTABLE
changed:        [email protected] 20140730
source:         APNIC

irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        IP50-AP
tech-c:         IP50-AP
auth:           # Filtered
remarks:        Please note that CNNIC is not an ISP and is not
remarks:        empowered to investigate complaints of network abuse.
remarks:        Please contact the tech-c or admin-c of the network.
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20110428
source:         APNIC

person:         Li Jia
address:        NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country:        CN
phone:          +86-0571-85022088
e-mail:         [email protected]
nic-hdl:        ZM1015-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130730
source:         APNIC

person:         Guoxin Gao
address:        5F, Builing D, the West Lake International Plaza of S&T
address:        No.391 Wen'er Road, Hangzhou City
address:        Zhejiang, China, 310099
country:        CN
phone:          +86-0571-85022600
fax-no:         +86-0571-85022600
e-mail:         [email protected]
nic-hdl:        ZM875-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130705
source:         APNIC

person:         security trouble
e-mail:         [email protected]
address:        5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen’er Road
address:        Hangzhou, Zhejiang, China
phone:          +86-0571-85022600
country:        CN
mnt-by:         MAINT-CNNIC-AP
nic-hdl:        ZM876-AP
changed:        [email protected] 20130708
source:         APNIC

person:         Guowei Pan
address:        5F, Builing D, the West Lake International Plaza of S&T
address:        No.391 Wen'er Road, Hangzhou City
address:        Zhejiang, China, 310099
country:        CN
phone:          +86-0571-85022088-30763
fax-no:         +86-0571-85022600
e-mail:         [email protected]
nic-hdl:        ZM877-AP
mnt-by:         MAINT-CNNIC-AP
changed:        [email protected] 20130709
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)

TCP dump of the entire transaction:

08:34:42.359851 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7255719 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c 648c 4000 4006 44c6 0a08 0806  E..<d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d22b 0000 0000  s..?...P.r.+....
        0x0020:  a002 3638 94da 0000 0204 0548 0402 080a  ..68.......H....
        0x0030:  006e b6a7 0000 0000 0103 0306            .n..........
08:34:43.419106 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7255819 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c 648d 4000 4006 44c5 0a08 0806  E..<d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d22b 0000 0000  s..?...P.r.+....
        0x0020:  a002 3638 9476 0000 0204 0548 0402 080a  ..68.v.....H....
        0x0030:  006e b70b 0000 0000 0103 0306            .n..........
08:34:54.554837 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7256019 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c 648e 4000 4006 44c4 0a08 0806  E..<d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d22b 0000 0000  s..?...P.r.+....
        0x0020:  a002 3638 93ae 0000 0204 0548 0402 080a  ..68.......H....
        0x0030:  006e b7d3 0000 0000 0103 0306            .n..........
08:34:54.875318 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [S.], seq 4093734838, ack 2624770604, win 14600, options [mss 1460], length 0
        0x0000:  4520 002c 0000 4000 2a06 bf42 731d 0c3f  E..,..@.*..Bs..?
        0x0010:  0a08 0806 0050 c5ec f401 6fb6 9c72 d22c  .....P....o..r.,
        0x0020:  6012 3908 3510 0000 0204 05b4            `.9.5.......
08:34:54.933987 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [.], ack 1, win 13880, length 0
        0x0000:  4500 0028 648f 4000 4006 44d7 0a08 0806  E..(d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d22c f401 6fb7  s..?...P.r.,..o.
        0x0020:  5010 3638 4f9d 0000                      P.68O...
08:34:54.945442 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [P.], seq 1:244, ack 1, win 13880, length 243
        0x0000:  4500 011b 6490 4000 4006 43e3 0a08 0806  E...d.@.@.C.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d22c f401 6fb7  s..?...P.r.,..o.
        0x0020:  5018 3638 e53d 0000 504f 5354 202f 6d62  P.68.=..POST./mb
        0x0030:  7374 7068 2e70 6870 2048 5454 502f 312e  stph.php.HTTP/1.
        0x0040:  310d 0a43 6f6e 7465 6e74 2d4c 656e 6774  1..Content-Lengt
        0x0050:  683a 2034 340d 0a43 6f6e 7465 6e74 2d54  h:.44..Content-T
        0x0060:  7970 653a 2061 7070 6c69 6361 7469 6f6e  ype:.application
        0x0070:  2f78 2d77 7777 2d66 6f72 6d2d 7572 6c65  /x-www-form-urle
        0x0080:  6e63 6f64 6564 0d0a 486f 7374 3a20 6170  ncoded..Host:.ap
        0x0090:  692e 3333 3636 6170 702e 636f 6d0d 0a43  i.3366app.com..C
        0x00a0:  6f6e 6e65 6374 696f 6e3a 204b 6565 702d  onnection:.Keep-
        0x00b0:  416c 6976 650d 0a55 7365 722d 4167 656e  Alive..User-Agen
        0x00c0:  743a 2041 7061 6368 652d 4874 7470 436c  t:.Apache-HttpCl
        0x00d0:  6965 6e74 2f55 4e41 5641 494c 4142 4c45  ient/UNAVAILABLE
        0x00e0:  2028 6a61 7661 2031 2e34 290d 0a0d 0a76  .(java.1.4)....v
        0x00f0:  3d36 266d 3d47 6f6f 676c 652b 506c 6179  =6&m=Google+Play
        0x0100:  2672 653d 5553 2668 6c3d 656e 2670 3d74  &re=US&hl=en&p=t
        0x0110:  6f6f 6c2e 7363 616e 6e65 72              ool.scanner
08:34:55.264723 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [.], ack 244, win 11256, length 0
        0x0000:  4520 0028 2460 4000 2a06 9ae6 731d 0c3f  E..($`@.*...s..?
        0x0010:  0a08 0806 0050 c5ec f401 6fb7 9c72 d31f  .....P....o..r..
        0x0020:  5010 2bf8 58ea 0000                      P.+.X...
08:34:55.265633 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [P.], seq 1:348, ack 244, win 11256, length 347
        0x0000:  4520 0183 2461 4000 2a06 998a 731d 0c3f  E...$a@.*...s..?
        0x0010:  0a08 0806 0050 c5ec f401 6fb7 9c72 d31f  .....P....o..r..
        0x0020:  5018 2bf8 28b5 0000 4854 5450 2f31 2e31  P.+.(...HTTP/1.1
        0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
        0x0040:  206e 6769 6e78 2f31 2e34 2e34 0d0a 4461  .nginx/1.4.4..Da
        0x0050:  7465 3a20 4672 692c 2031 3720 4f63 7420  te:.Fri,.17.Oct.
        0x0060:  3230 3134 2031 323a 3335 3a31 3920 474d  2014.12:35:19.GM
        0x0070:  540d 0a43 6f6e 7465 6e74 2d54 7970 653a  T..Content-Type:
        0x0080:  2074 6578 742f 6874 6d6c 0d0a 5472 616e  .text/html..Tran
        0x0090:  7366 6572 2d45 6e63 6f64 696e 673a 2063  sfer-Encoding:.c
        0x00a0:  6875 6e6b 6564 0d0a 436f 6e6e 6563 7469  hunked..Connecti
        0x00b0:  6f6e 3a20 6b65 6570 2d61 6c69 7665 0d0a  on:.keep-alive..
        0x00c0:  5661 7279 3a20 4163 6365 7074 2d45 6e63  Vary:.Accept-Enc
        0x00d0:  6f64 696e 670d 0a58 2d50 6f77 6572 6564  oding..X-Powered
        0x00e0:  2d42 793a 2050 4850 2f35 2e32 2e31 3770  -By:.PHP/5.2.17p
        0x00f0:  310d 0a0d 0a38 330d 0a3c 3f78 6d6c 2076  1....83..<?xml.v
        0x0100:  6572 7369 6f6e 3d22 312e 3022 2065 6e63  ersion="1.0".enc
        0x0110:  6f64 696e 673d 2275 7466 2d38 223f 3e3c  oding="utf-8"?><
        0x0120:  7265 743e 3c70 6c69 7374 2068 7469 6d65  ret><plist.htime
        0x0130:  3d22 3132 2220 7074 696d 653d 2231 3222  ="12".ptime="12"
        0x0140:  2066 7469 6d65 3d22 3330 2220 746a 3d22  .ftime="30".tj="
        0x0150:  6874 7470 3a2f 2f31 3132 2e31 3234 2e33  http://112.124.3
        0x0160:  362e 3133 352f 746a 2e70 6870 223e 3c2f  6.135/tj.php"></
        0x0170:  706c 6973 743e 3c2f 7265 743e 0d0a 300d  plist></ret>..0.
        0x0180:  0a0d 0a                                  ...
08:34:55.334282 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [.], ack 348, win 14472, length 0
        0x0000:  4500 0028 6491 4000 4006 44d5 0a08 0806  E..(d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d31f f401 7112  s..?...P.r....q.
        0x0020:  5010 3888 4aff 0000                      P.8.J...
08:35:55.265590 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [F.], seq 348, ack 244, win 11256, length 0
        0x0000:  4520 0028 2462 4000 2a06 9ae4 731d 0c3f  E..($b@.*...s..?
        0x0010:  0a08 0806 0050 c5ec f401 7112 9c72 d31f  .....P....q..r..
        0x0020:  5011 2bf8 578e 0000                      P.+.W...
08:35:55.565920 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [.], ack 349, win 14472, length 0
        0x0000:  4500 0028 6492 4000 4006 44d4 0a08 0806  E..(d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d31f f401 7113  s..?...P.r....q.
        0x0020:  5010 3888 4afe 0000                      P.8.J...
08:35:56.422814 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [F.], seq 348, ack 244, win 11256, length 0
        0x0000:  4520 0028 2463 4000 2a06 9ae3 731d 0c3f  E..($c@.*...s..?
        0x0010:  0a08 0806 0050 c5ec f401 7112 9c72 d31f  .....P....q..r..
        0x0020:  5011 2bf8 578e 0000                      P.+.W...
08:35:56.486184 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [.], ack 349, win 14472, length 0
        0x0000:  4500 0028 6493 4000 4006 44d3 0a08 0806  E..(d.@.@.D.....
        0x0010:  731d 0c3f c5ec 0050 9c72 d31f f401 7113  s..?...P.r....q.
        0x0020:  5010 3888 4afe 0000                      P.8.J...
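The post's open question is whether the returned "blob" is a plain 1x1 GIF or a GIF with a binary riding inside it. The Python below is an added example, not part of the original post or of any code from the sites involved: it transcribes the 43-byte hexdump exactly as posted, converts it back to bytes, and walks the GIF block structure without decoding pixels, reporting the header fields, the extension and image blocks it finds, and, most importantly, any bytes that follow the 0x3B trailer, which is the usual place an appended payload sits. The converter assumes the dump is `od -x`-style output with hexadecimal offsets and little-endian 16-bit words (inferred from the 0x10/0x20 line spacing and the final offset 0x2b); the `MZ` bytes appended in the second call of the usage block are a constructed counter-example, not anything observed in the capture.

```python
import struct

# The 1x1 GIF hexdump exactly as posted (od -x style: hex offsets, 16-bit
# little-endian words; the last line gives the total length, 0x2b = 43 bytes).
OD_DUMP = """\
0000000 4947 3846 6139 0001 0001 0180 0000 0000
0000010 ffff 21ff 04f9 0001 0100 2c00 0000 0000
0000020 0001 0001 0200 4c02 0001 003b
000002b
"""


def od_to_bytes(dump: str) -> bytes:
    """Turn `od -x`-style output (little-endian 16-bit words) back into bytes.

    The offset-only last line gives the true length, so the zero byte that od
    pads an odd-length final word with is dropped rather than kept as content.
    """
    out = bytearray()
    total = None
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset, words = int(fields[0], 16), fields[1:]
        if not words:                       # trailing offset-only line
            total = offset
            continue
        for w in words:
            v = int(w, 16)
            out += bytes((v & 0xFF, v >> 8))
    return bytes(out[:total]) if total is not None else bytes(out)


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data: bytes) -> dict:
    """Walk the GIF block structure without decoding pixels.

    Returns a summary; `trailing` holds every byte after the 0x3B trailer, which
    a well-formed image never has. Raises ValueError if the structure is broken.
    """
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF header")
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    gct_entries = 0
    if packed & 0x80:                       # global color table present
        gct_entries = 2 ** ((packed & 0x07) + 1)
        pos += 3 * gct_entries
    info = {"version": data[3:6].decode("ascii"), "width": width, "height": height,
            "gct_entries": gct_entries, "images": 0, "extensions": [], "trailing": b""}
    while True:
        if pos >= len(data):
            raise ValueError("no trailer (0x3B) found")
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:              # trailer: anything after it is foreign
            info["trailing"] = data[pos:]
            return info
        if introducer == 0x21:              # extension block (0xF9 = graphic control)
            if pos >= len(data):
                raise ValueError("truncated extension")
            info["extensions"].append(data[pos])
            pos = _skip_subblocks(data, pos + 1)
        elif introducer == 0x2C:            # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            _l, _t, _w, _h, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            pos += 9
            if ipacked & 0x80:              # local color table
                pos += 3 * 2 ** ((ipacked & 0x07) + 1)
            pos += 1                        # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            info["images"] += 1
        else:
            raise ValueError(f"unexpected block introducer 0x{introducer:02x} at {pos - 1}")


def verdict(data: bytes) -> str:
    """One-line triage: plain image, image with appended data, or malformed."""
    try:
        info = parse_gif(data)
    except ValueError as e:
        return f"malformed: {e}"
    if info["trailing"]:
        return f"gif with {len(info['trailing'])} trailing bytes after trailer"
    return (f"plain GIF{info['version']} {info['width']}x{info['height']}, "
            f"{info['images']} image, extensions {[hex(x) for x in info['extensions']]}")


PIXEL = od_to_bytes(OD_DUMP)

if __name__ == "__main__":
    print(verdict(PIXEL))
    # Constructed counter-example: the same pixel with bytes appended after the trailer.
    print(verdict(PIXEL + b"MZ\x90\x00"))
```

Run against the dump as posted, the walker finds a GIF89a header, a 1x1 logical screen with a two-entry global color table (black and white), one graphic control extension marking index 1 transparent, one 1x1 image with a two-byte LZW payload, and the trailer as the final byte with nothing after it: the textbook transparent tracking pixel. The check covers structure and appended data only; it does not decode the LZW stream, so data hidden inside the image sub-blocks themselves would need a full decoder (or a size comparison against what a 1x1 image can legitimately hold) to find.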
