Pardon the reply all - though I figured I'd do so in case anyone else wants the information. The IP in question related to a Chinese analytics package used in (my opinion) junk apps. These domains shuffled information back and forth in regards to analytical data/whether the user has voted etc.:

- mbappss.com
- 3366app.com
- api.3366app.com
The SDK code is located inside of the com/mbapp/smartsystem class path. Do you have either of these applications installed?

- https://play.google.com/store/apps/details?id=com.roger.equalizerplay
- https://play.google.com/store/apps/details?id=com.musicstation.justion

They both contain this SDK.

-Tim Strazzere

On Fri, Oct 17, 2014 at 2:35 PM, Kristian Erik Hermansen <[email protected]> wrote:
> Did you run those URLs through VirusTotal yet?
> On Oct 18, 2014 3:56 AM, "Jacob Boomgaarden" <[email protected]> wrote:
>
>> Although it might be annoying to list, it would be useful to know what apps are installed on your phone to try and narrow some things down too (probably can disregard the google apps).
>>
>> On Friday, October 17, 2014 7:10:36 AM UTC-7, Johnny Midnight wrote:
>>>
>>> A month or so ago I noticed that my Galaxy S4 running 4.4.2 (not rooted) started to "beacon" to an address in China. I know this because I VPN through my house when on cellular, and well, wifi at home, and I monitor my router logs. It happens at seemingly random times during the day, usually when I'm not using the phone. I captured the packets, and this is what I found:
>>>
>>> 1. My phone makes a request to 115.29.12.63 with various parameters.
>>>
>>> 08:34:54.945442 IP s4-vpn.50668 > 115.29.12.63.http: Flags [P.], seq 1:244, ack 1, win 13880, length 243
>>> E...d.@[email protected].
>>> ...s..?...P.r.,..o.P.68.=..POST /mbstph.php HTTP/1.1
>>> Content-Length: 44
>>> Content-Type: application/x-www-form-urlencoded
>>> Host: api.3366app.com
>>> Connection: Keep-Alive
>>> User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
>>>
>>> v=6&m=Google+Play&re=US&hl=en&p=tool.scanner
>>>
>>> 2. The response is as follows:
>>>
>>> 08:34:55.265633 IP 115.29.12.63.http > s4-vpn.50668: Flags [P.], seq 1:348, ack 244, win 11256, length 347
>>> E ..$a@.*...s..?
>>> ....P....o..r..P.+.(...HTTP/1.1 200 OK
>>> Server: nginx/1.4.4
>>> Date: Fri, 17 Oct 2014 12:35:19 GMT
>>> Content-Type: text/html
>>> Transfer-Encoding: chunked
>>> Connection: keep-alive
>>> Vary: Accept-Encoding
>>> X-Powered-By: PHP/5.2.17p1
>>>
>>> 83
>>> <?xml version="1.0" encoding="utf-8"?><ret><plist htime="12" ptime="12" ftime="30" tj="http://112.124.36.135/tj.php"></plist></ret>
>>> 0
>>>
>>> 3. Notice that the connections are all "keep alive", so they can be held open as long as they want. After it gets this packet, it then connects to that address above (112.124.36.135) to the tj.php script. This returns:
>>>
>>> <!DOCTYPE html>
>>> <html lang="zh-cn">
>>> <head>
>>> <meta charset="utf-8">
>>> </head>
>>>
>>> <body>
>>> <img src="http://hm.baidu.com/hm.gif?si=db20b016f2e012e4cd60ef500703ada1&et=0&nv=1&st=3&su=&v=wap-0-0.2&rnd=1192770211" width="0" height="0" />
>>> </body>
>>>
>>> </html>
>>>
>>> 4. This returns what it wants you to think is an image, but the parameters indicate to me (I could be wrong) that it's an index into a database of some sort (the hash up front) and then various parameters, including a seed for something (rnd)? Not sure... if you then follow THAT link you get back a 1x1 GIF, hexdump:
>>>
>>> 0000000 4947 3846 6139 0001 0001 0180 0000 0000
>>> 0000010 ffff 21ff 04f9 0001 0100 2c00 0000 0000
>>> 0000020 0001 0001 0200 4c02 0001 003b
>>> 000002b
>>>
>>>
>>> This has me concerned as the "blob" that is returned could be anything. It could be a malformed GIF with another binary in it that can arbitrarily be run by whatever called this in the first place.
>>>
>>> If there is anybody out there that could shed some light on this, I would greatly appreciate it.
>>>
>>> Whois for 112.124.36.135:
>>>
>>> inetnum: 112.124.0.0 - 112.127.255.255
>>> netname: ALISOFT
>>> descr: Aliyun Computing Co., LTD
>>> descr: 5F, Builing D, the West Lake International Plaza of S&T
>>> descr: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
>>> country: CN
>>> admin-c: ZM1015-AP
>>> tech-c: ZM877-AP
>>> tech-c: ZM876-AP
>>> tech-c: ZM875-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> mnt-irt: IRT-CNNIC-CN
>>> status: ALLOCATED PORTABLE
>>> changed: [email protected] 20140730
>>> source: APNIC
>>>
>>> irt: IRT-CNNIC-CN
>>> address: Beijing, China
>>> e-mail: [email protected]
>>> abuse-mailbox: [email protected]
>>> admin-c: IP50-AP
>>> tech-c: IP50-AP
>>> auth: # Filtered
>>> remarks: Please note that CNNIC is not an ISP and is not
>>> remarks: empowered to investigate complaints of network abuse.
>>> remarks: Please contact the tech-c or admin-c of the network.
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20110428
>>> source: APNIC
>>>
>>> person: Li Jia
>>> address: NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
>>> country: CN
>>> phone: +86-0571-85022088
>>> e-mail: [email protected]
>>> nic-hdl: ZM1015-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130730
>>> source: APNIC
>>>
>>> person: Guoxin Gao
>>> address: 5F, Builing D, the West Lake International Plaza of S&T
>>> address: No.391 Wen'er Road, Hangzhou City
>>> address: Zhejiang, China, 310099
>>> country: CN
>>> phone: +86-0571-85022600
>>> fax-no: +86-0571-85022600
>>> e-mail: [email protected]
>>> nic-hdl: ZM875-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130705
>>> source: APNIC
>>>
>>> person: security trouble
>>> e-mail: [email protected]
>>> address: 5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen’er Road
>>> address: Hangzhou, Zhejiang, China
>>> phone: +86-0571-85022600
>>> country: CN
>>> mnt-by: MAINT-CNNIC-AP
>>> nic-hdl: ZM876-AP
>>> changed: [email protected] 20130708
>>> source: APNIC
>>>
>>> person: Guowei Pan
>>> address: 5F, Builing D, the West Lake International Plaza of S&T
>>> address: No.391 Wen'er Road, Hangzhou City
>>> address: Zhejiang, China, 310099
>>> country: CN
>>> phone: +86-0571-85022088-30763
>>> fax-no: +86-0571-85022600
>>> e-mail: [email protected]
>>> nic-hdl: ZM877-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130709
>>> source: APNIC
>>>
>>> % This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)
>>>
>>> Whois for 115.29.12.63:
>>> % [whois.apnic.net]
>>> % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
>>>
>>> % Information related to '115.28.0.0 - 115.29.255.255'
>>>
>>> inetnum: 115.28.0.0 - 115.29.255.255
>>> netname: ALISOFT
>>> descr: Aliyun Computing Co., LTD
>>> descr: 5F, Builing D, the West Lake International Plaza of S&T
>>> descr: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
>>> country: CN
>>> admin-c: ZM1015-AP
>>> tech-c: ZM877-AP
>>> tech-c: ZM876-AP
>>> tech-c: ZM875-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> mnt-irt: IRT-CNNIC-CN
>>> status: ALLOCATED PORTABLE
>>> changed: [email protected] 20140730
>>> source: APNIC
>>>
>>> irt: IRT-CNNIC-CN
>>> address: Beijing, China
>>> e-mail: [email protected]
>>> abuse-mailbox: [email protected]
>>> admin-c: IP50-AP
>>> tech-c: IP50-AP
>>> auth: # Filtered
>>> remarks: Please note that CNNIC is not an ISP and is not
>>> remarks: empowered to investigate complaints of network abuse.
>>> remarks: Please contact the tech-c or admin-c of the network.
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20110428
>>> source: APNIC
>>>
>>> person: Li Jia
>>> address: NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
>>> country: CN
>>> phone: +86-0571-85022088
>>> e-mail: [email protected]
>>> nic-hdl: ZM1015-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130730
>>> source: APNIC
>>>
>>> person: Guoxin Gao
>>> address: 5F, Builing D, the West Lake International Plaza of S&T
>>> address: No.391 Wen'er Road, Hangzhou City
>>> address: Zhejiang, China, 310099
>>> country: CN
>>> phone: +86-0571-85022600
>>> fax-no: +86-0571-85022600
>>> e-mail: [email protected]
>>> nic-hdl: ZM875-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130705
>>> source: APNIC
>>>
>>> person: security trouble
>>> e-mail: [email protected]
>>> address: 5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen’er Road
>>> address: Hangzhou, Zhejiang, China
>>> phone: +86-0571-85022600
>>> country: CN
>>> mnt-by: MAINT-CNNIC-AP
>>> nic-hdl: ZM876-AP
>>> changed: [email protected] 20130708
>>> source: APNIC
>>>
>>> person: Guowei Pan
>>> address: 5F, Builing D, the West Lake International Plaza of S&T
>>> address: No.391 Wen'er Road, Hangzhou City
>>> address: Zhejiang, China, 310099
>>> country: CN
>>> phone: +86-0571-85022088-30763
>>> fax-no: +86-0571-85022600
>>> e-mail: [email protected]
>>> nic-hdl: ZM877-AP
>>> mnt-by: MAINT-CNNIC-AP
>>> changed: [email protected] 20130709
>>> source: APNIC
>>>
>>> % This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)
>>>
>>>
>>> TCP Dump of the entire transaction:
>>> 08:34:42.359851 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7255719 ecr 0,nop,wscale 6], length 0
>>> 0x0000: 4500 003c 648c 4000 4006 44c6 0a08 0806 E..<d.@[email protected].....
>>> 0x0010: 731d 0c3f c5ec 0050 9c72 d22b 0000 0000 s..?...P.r.+....
>>> 0x0020: a002 3638 94da 0000 0204 0548 0402 080a ..68.......H....
>>> 0x0030: 006e b6a7 0000 0000 0103 0306 .n..........
>>> 08:34:43.419106 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7255819 ecr 0,nop,wscale 6], length 0
>>> 0x0000: 4500 003c 648d 4000 4006 44c5 0a08 0806 E..<d.@[email protected].....
>>> 0x0010: 731d 0c3f c5ec 0050 9c72 d22b 0000 0000 s..?...P.r.+....
>>> 0x0020: a002 3638 9476 0000 0204 0548 0402 080a ..68.v.....H....
>>> 0x0030: 006e b70b 0000 0000 0103 0306 .n..........
>>> 08:34:54.554837 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [S], seq 2624770603, win 13880, options [mss 1352,sackOK,TS val 7256019 ecr 0,nop,wscale 6], length 0
>>> 0x0000: 4500 003c 648e 4000 4006 44c4 0a08 0806 E..<d.@[email protected].....
>>> 0x0010: 731d 0c3f c5ec 0050 9c72 d22b 0000 0000 s..?...P.r.+....
>>> 0x0020: a002 3638 93ae 0000 0204 0548 0402 080a ..68.......H....
>>> 0x0030: 006e b7d3 0000 0000 0103 0306 .n..........
>>> 08:34:54.875318 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [S.], seq 4093734838, ack 2624770604, win 14600, options [mss 1460], length 0
>>> 0x0000: 4520 002c 0000 4000 2a06 bf42 731d 0c3f E..,..@.*..Bs..?
>>> 0x0010: 0a08 0806 0050 c5ec f401 6fb6 9c72 d22c .....P....o..r.,
>>> 0x0020: 6012 3908 3510 0000 0204 05b4 `.9.5.......
>>> 08:34:54.933987 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [.], ack 1, win 13880, length 0
>>> 0x0000: 4500 0028 648f 4000 4006 44d7 0a08 0806 E..(d.@[email protected].....
>>> 0x0010: 731d 0c3f c5ec 0050 9c72 d22c f401 6fb7 s..?...P.r.,..o.
>>> 0x0020: 5010 3638 4f9d 0000 P.68O...
>>> 08:34:54.945442 IP 10.8.8.6.50668 > 115.29.12.63.80: Flags [P.], seq 1:244, ack 1, win 13880, length 243
>>> 0x0000: 4500 011b 6490 4000 4006 43e3 0a08 0806 E...d.@[email protected].....
>>> 0x0010: 731d 0c3f c5ec 0050 9c72 d22c f401 6fb7 s..?...P.r.,..o.
>>> 0x0020: 5018 3638 e53d 0000 504f 5354 202f 6d62 P.68.=..POST./mb
>>> 0x0030: 7374 7068 2e70 6870 2048 5454 502f 312e stph.php.HTTP/1.
>>> 0x0040: 310d 0a43 6f6e 7465 6e74 2d4c 656e 6774 1..Content-Lengt
>>> 0x0050: 683a 2034 340d 0a43 6f6e 7465 6e74 2d54 h:.44..Content-T
>>> 0x0060: 7970 653a 2061 7070 6c69 6361 7469 6f6e ype:.application
>>> 0x0070: 2f78 2d77 7777 2d66 6f72 6d2d 7572 6c65 /x-www-form-urle
>>> 0x0080: 6e63 6f64 6564 0d0a 486f 7374 3a20 6170 ncoded..Host:.ap
>>> 0x0090: 692e 3333 3636 6170 702e 636f 6d0d 0a43 i.3366app.com..C
>>> 0x00a0: 6f6e 6e65 6374 696f 6e3a 204b 6565 702d onnection:.Keep-
>>> 0x00b0: 416c 6976 650d 0a55 7365 722d 4167 656e Alive..User-Agen
>>> 0x00c0: 743a 2041 7061 6368 652d 4874 7470 436c t:.Apache-HttpCl
>>> 0x00d0: 6965 6e74 2f55 4e41 5641 494c 4142 4c45 ient/UNAVAILABLE
>>> 0x00e0: 2028 6a61 7661 2031 2e34 290d 0a0d 0a76 .(java.1.4)....v
>>> 0x00f0: 3d36 266d 3d47 6f6f 676c 652b 506c 6179 =6&m=Google+Play
>>> 0x0100: 2672 653d 5553 2668 6c3d 656e 2670 3d74 &re=US&hl=en&p=t
>>> 0x0110: 6f6f 6c2e 7363 616e 6e65 72 ool.scanner
>>> 08:34:55.264723 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [.], ack 244, win 11256, length 0
>>> 0x0000: 4520 0028 2460 4000 2a06 9ae6 731d 0c3f E..($`@.*...s..?
>>> 0x0010: 0a08 0806 0050 c5ec f401 6fb7 9c72 d31f .....P....o..r..
>>> 0x0020: 5010 2bf8 58ea 0000 P.+.X...
>>> 08:34:55.265633 IP 115.29.12.63.80 > 10.8.8.6.50668: Flags [P.], seq 1:348, ack 244, win 11256, length 347
>>> 0x0000: 4520 0183 2461 4000 2a06 998a 731d 0c3f E...$a@.*...s..?
>>> 0x0010: 0a08 0806 0050 c5ec f401 6fb7 9c72 d31f .....P....o..r..
>>> 0x0020: 5018 2bf8 28b5 0000 4854 5450 2f31 2e31 P.+.(...HTTP/1.1
>>> 0x0030: 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
>>> 0x0040: 206e 6769 6e78 2f31 2e34 2e34 0d0a 4461 .nginx/1.4.4..Da
>>> 0x0050: 7465 3a20 4672 692c 2031 3720 4f63 7420 te:.Fri,.17.Oct.
>>> 0x0060: 3230 3134 2031 323a 3335 3a31 3920 474d 2014.12:35:19.GM
>>> 0x0070: 540d 0a43 6f6e 7465 6e74 2d54 7970 653a T..Content-Type:
>>> 0x0080: 2074 6578 742f 6874 6d6c 0d0a 5472 616e .text/html..Tran
>>> 0x0090: 7366 6572 2d45 6e63 6f64 696e 673a 2063 sfer-Encoding:.c
>>> 0x00a0: 6875 6e6b 6564 0d0a 436f 6e6e 6563 7469 hunked..Connecti
>>> 0x00b0: 6f6e 3a20 6b65 6570 2d61 6c69 7665 0d0a on:.keep-alive..
>>> 0x00c0: 5661 7279 3a20 4163 6365 7074 2d45 6e63 Vary:.Accept-Enc
>>> 0x00d0: 6f64 696e 670d 0a58 2d50 6f77 6572 6564 oding..X-Powered
>>> 0x00e0: 2d42 793a 2050 4850 2f35 2e32 2e31 3770 -By:.PHP/5.2.17p
>>> 0x00f0: 310d 0a0d 0a38 330d 0a3c 3f78 6d6c 2076 1....83..<?xml.v
>>> 0x0100: 6572 7369 6f6e 3d22 312e 3022 2065 6e63 ersion="1.0".enc
>>> 0x0110: 6f64 696e 673d 2275 7466 2d38 223f 3e3c oding="utf-8"?><
>>> 0x0120: 7265 743e 3c70 6c69 7374 2068 7469 6d65 ret><plist.htime
>>> 0x0130: 3d22 3132 2220 7074 696d 653d 2231 3222 ="12".ptime="12"
>>> ...
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/android-security-discuss.
>> For more options, visit https://groups.google.com/d/optout.
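Tim's question about whether either app is installed can be answered from the APK itself rather than from the phone's app list: every class a dex file defines has its descriptor in the dex string table, so looking there for the `Lcom/mbapp/smartsystem/` prefix shows whether the SDK is bundled, without running the app. The following is an added example, not code from the thread, the SDK or either app. It reads the string_ids of every classes*.dex inside an APK and returns the strings under a prefix; so that it runs offline it also builds a constructed in-memory APK whose single minimal dex carries a few made-up descriptors (`Lcom/mbapp/smartsystem/Foo;` and the other names used with it are invented). On a real device the input would be the file obtained with `adb shell pm path <package>` followed by `adb pull`.

```python
import io
import struct
import zipfile

# Descriptor form of the class path named in the thread (com/mbapp/smartsystem).
SDK_PREFIX = b"Lcom/mbapp/smartsystem/"


def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 value; return (value, position after it)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def dex_strings(dex):
    """Yield every string_data_item of a dex file as raw (M)UTF-8 bytes.

    Only string_ids_size/string_ids_off (header offsets 0x38/0x3C) are read, so no
    full dex parser is needed; MUTF-8 never holds a raw NUL, so NUL ends each string.
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    size, off = struct.unpack_from("<II", dex, 0x38)
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, off + 4 * i)
        _utf16_len, p = read_uleb128(dex, data_off)
        yield dex[p:dex.index(b"\x00", p)]


def find_sdk_strings(apk_bytes, prefix=SDK_PREFIX):
    """Return sorted strings starting with `prefix` across every classes*.dex in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for s in dex_strings(z.read(name)):
                    if s.startswith(prefix):
                        found.add(s.decode("utf-8", "replace"))
    return sorted(found)


def build_test_dex(strings):
    """Constructed minimal dex: 0x70-byte header plus a string table. Enough for dex_strings(), not loadable."""
    assert all(len(s) < 0x80 for s in strings), "single-byte uleb128 lengths only"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x24, 0x70, 0x12345678)  # header_size, endian_tag
    ids_off = 0x70
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", ids_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s + b"\x00"  # uleb128 length, MUTF-8 bytes, NUL
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    dex = header + ids + data
    struct.pack_into("<I", dex, 0x20, len(dex))  # file_size
    return bytes(dex)


def build_test_apk(strings):
    """Constructed APK (a plain zip) holding one classes.dex built from `strings`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_test_dex(strings))
    return buf.getvalue()
```

Because the same table also holds ordinary string constants, pointing the scan at `b"http://api.3366app.com/"` or `b"3366app.com"` instead of the class prefix finds hard-coded beacon endpoints, which is a quicker first check than waiting for the phone to beacon again. Obfuscated builds can rename classes, so an empty result for the class prefix is weaker evidence than a hit.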
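The two response bodies Johnny quoted can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from the SDK: it parses the `<ret><plist>` reply for its `*time` attributes and the follow-up `tj` URL (the thread does not say what units the timers are in, so they are returned as plain integers), rebuilds the GIF bytes from the `hexdump` output as quoted (default `hexdump` prints 7-digit hex offsets and 16-bit little-endian words, so each pair of bytes is swapped and the last word can carry a padding byte), and walks the GIF block structure to the `0x3B` trailer. That last step speaks directly to the "malformed GIF with a binary in it" worry: a pixel that carries extra data either breaks the block walk or leaves bytes after the trailer, and `trailing_bytes` reports them.

```python
import struct
import xml.etree.ElementTree as ET

# Copied from the thread: the chunk body returned by api.3366app.com/mbstph.php.
BEACON_XML = ('<?xml version="1.0" encoding="utf-8"?><ret><plist htime="12" ptime="12" '
              'ftime="30" tj="http://112.124.36.135/tj.php"></plist></ret>')

# Copied from the thread: `hexdump` output of the 1x1 GIF (7-digit hex offsets,
# 16-bit little-endian words, final line holds the total length).
GIF_HEXDUMP = """\
0000000 4947 3846 6139 0001 0001 0180 0000 0000
0000010 ffff 21ff 04f9 0001 0100 2c00 0000 0000
0000020 0001 0001 0200 4c02 0001 003b
000002b
"""


def parse_beacon_response(xml_text):
    """Return the *time attributes (as ints) and the tj URL from <ret><plist .../></ret>."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    plist = ET.fromstring(xml_text).find("plist")
    if plist is None:
        raise ValueError("no <plist> element in response")
    out = {k: int(v) for k, v in plist.attrib.items() if k.endswith("time")}
    out["tj"] = plist.get("tj")
    return out


def hexdump_words_to_bytes(dump):
    """Undo hexdump's 16-bit word byte swap; the offset-only last line gives the true length."""
    data, total = bytearray(), None
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        offset = int(parts[0], 16)
        if len(parts) == 1:  # final line: total length, which drops any padding byte
            total = offset
            break
        if offset != len(data):
            raise ValueError("non-contiguous dump at offset 0x%x" % offset)
        for word in parts[1:]:
            data += struct.pack("<H", int(word, 16))
    if total is None or total > len(data):
        raise ValueError("dump lacks a usable final length line")
    return bytes(data[:total])


def _skip_subblocks(data, pos):
    """Advance past length-prefixed sub-blocks up to and including the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def walk_gif(data):
    """Walk the GIF block structure; report size, blocks seen and bytes after the 0x3B trailer.

    A clean tracking pixel ends exactly at the trailer; trailing_bytes > 0 means something
    was appended to the image, the first thing to check when a "1x1 GIF" is suspected of
    carrying more than pixels.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table: 2^(N+1) entries of 3 bytes
        pos += 3 * (2 << (packed & 0x07))
    blocks = []
    try:
        while data[pos] != 0x3B:  # 0x3B is the trailer
            intro = data[pos]
            if intro == 0x21:  # extension: introducer, label, sub-blocks
                blocks.append("extension 0x%02x" % data[pos + 1])
                pos = _skip_subblocks(data, pos + 2)
            elif intro == 0x2C:  # image descriptor, optional local colour table,
                ipacked = data[pos + 9]  # LZW minimum code size, then sub-blocks
                pos += 10
                if ipacked & 0x80:
                    pos += 3 * (2 << (ipacked & 0x07))
                pos = _skip_subblocks(data, pos + 1)
                blocks.append("image")
            else:
                raise ValueError("unknown block introducer 0x%02x at offset %d" % (intro, pos))
    except IndexError:
        raise ValueError("truncated GIF: no trailer before end of data") from None
    pos += 1  # consume the trailer
    return {"size": (width, height), "blocks": blocks, "trailing_bytes": len(data) - pos}
```

Run on the quoted dump, `walk_gif` reports a 1x1 image with one graphic control extension (label 0xf9) and one image block, and `trailing_bytes == 0`: the 43 bytes are the ordinary transparent 1x1 GIF and nothing more. Appending anything to the bytes (a constructed four-byte tail in the test) shows up as trailing data, which is how a smuggled payload would present; a server can return different content on a different request, so the check is worth repeating on each capture rather than once.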
