Open GoogleCodeExporter opened 8 years ago
You should get some other program like Android Status and run the "netstat"
command; maybe this will help you figure out what's happening. At least I'd be
worried by Chinese, Russian and Bulgarian network connections to my phone.
Original comment by luot...@gmail.com
on 23 Mar 2011 at 9:44
I have netstat (busybox) and OS Monitor and cannot determine which app is
behaving like this...
Some examples of entries in dmesg:
<4>[86208.024332] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=93.116.39.51
LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=445 DPT=4687 WINDOW=0
RES=0x00 ACK RST URGP=0
<4>[86436.963970] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=67.18.187.111
LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56042 DPT=123 LEN=56
UID=1000 GID=1000
<4>[86676.515735] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=92.83.211.199
LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=56571 PROTO=ICMP TYPE=3 CODE=3
[SRC=92.83.211.199 DST=93.108.99.235 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=63990
PROTO=UDP SPT=11499 DPT=137 LEN=58 ]
The first one is somewhere in Moldova, and there is no UID info.
The second looks like it's SNTP, but to some place I don't think is an SNTP
server.
The third one I really don't know how to read...
Is there a "more detailed log option", in order to identify which app is trying
to send data?
Original comment by hcbra...@one-plus-one.pt
on 1 Apr 2011 at 1:42
If there is no UID, then it is most probably a kernel connection.
Original comment by rodrigo...@gmail.com
on 1 Apr 2011 at 2:09
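An added example, not part of the original thread or of DroidWall: a small Python parser for the three dmesg entries quoted above, showing how to read the UID field and the bracketed section of the ICMP entry. It assumes standard netfilter LOG formatting, where UID= appears only when the packet has an owning socket and the bracketed part quotes the packet that triggered an ICMP error; the function names and the classification heuristic are hypothetical.

```python
import re

# Constructed sample: the three entries from the thread, each joined onto one line.
SAMPLE = """\
<4>[86208.024332] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=93.116.39.51 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=445 DPT=4687 WINDOW=0 RES=0x00 ACK RST URGP=0
<4>[86436.963970] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=67.18.187.111 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56042 DPT=123 LEN=56 UID=1000 GID=1000
<4>[86676.515735] [DROIDWALL] IN= OUT=pdp0 SRC=93.108.99.235 DST=92.83.211.199 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=56571 PROTO=ICMP TYPE=3 CODE=3 [SRC=92.83.211.199 DST=93.108.99.235 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=63990 PROTO=UDP SPT=11499 DPT=137 LEN=58 ]
"""

KV = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF"}

def fields(text):
    """Split one packet description into KEY=value pairs and bare flag tokens."""
    kv = dict(KV.findall(text))  # a repeated key such as LEN keeps its last value
    flags = {tok for tok in text.split() if tok in FLAGS}
    return kv, flags

def parse(line):
    """Parse one DROIDWALL LOG line; return None for unrelated lines."""
    if "[DROIDWALL]" not in line:
        return None
    body = line.split("[DROIDWALL]", 1)[1]
    outer, _, inner = body.partition("[")  # "[...]" quotes the triggering packet
    kv, flags = fields(outer)
    rec = {"dst": kv.get("DST"), "proto": kv.get("PROTO"),
           "uid": int(kv["UID"]) if "UID" in kv else None,
           "flags": flags, "trigger": None}
    if inner:
        ikv, _ = fields(inner.rstrip("] \n"))
        rec["trigger"] = (ikv.get("SRC"), ikv.get("PROTO"), ikv.get("DPT"))
    return rec

def classify(rec):
    """Heuristic: is this outbound packet app traffic or a kernel-generated reply?"""
    if rec["uid"] is not None:
        return f"socket owned by UID {rec['uid']}"
    if rec["proto"] == "TCP" and "RST" in rec["flags"]:
        return "kernel RST answering an inbound TCP segment"
    if rec["proto"] == "ICMP" and rec["trigger"]:
        src, proto, dpt = rec["trigger"]
        return f"kernel ICMP error answering inbound {proto} from {src} to port {dpt}"
    return "no UID logged; owner unknown"

def report(text):
    return [(r["dst"], classify(r)) for r in map(parse, text.splitlines()) if r]

if __name__ == "__main__":
    print("\n".join(f"{dst:>15}  {verdict}" for dst, verdict in report(SAMPLE)))
```

Read this way, the first and third entries are replies to unsolicited inbound traffic (a TCP segment to port 445 and a UDP datagram to port 137) rather than connections opened by an app, and UID 1000 on the second entry is Android's system UID.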
93.116.39.51 is an IP from Moldavia, owned by a local ISP.
It maps to host-static-93-116-39-51.moldtelecom.md.
I expect that the kernel would only connect to official entities, like Google, Time
Servers, and others...
dmesg also reports other entries with no UID, but the IP maps to Google
servers. These I trust.
But in this case, it's too suspicious for me to trust...
Any other clues?
Removing every single app on my phone in order to find the culprit is not a
good option...
Original comment by hcbra...@one-plus-one.pt
on 1 Apr 2011 at 2:41
https://market.android.com/details?id=com.borgshell.connectiontrackerfree
Original comment by exec...@gmail.com
on 11 Nov 2011 at 1:26
Thanks.
I'll try to trace the problem with this new app.
Original comment by hcbra...@one-plus-one.pt
on 11 Nov 2011 at 3:10
Regardless of malware app concerns, I, too, would dearly enjoy BOTH incoming
and outgoing filtering.
Both in this case is preferable to either.
Original comment by axel.how...@yopmail.com
on 26 Jan 2012 at 10:02
Personally I would rather see port-based incoming firewall rules. I run an SSH
server which means that there's no reason to have my VNC server or anything
else respond to non-localhost connection requests. Running this manually seems
to do the trick, but building it into DroidWall would be fantastic:
# Accept incoming connections from localhost, established, or port 22
/system/bin/iptables -A INPUT -i lo -j ACCEPT
/system/bin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/system/bin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop all other connections including forwarding but accept outbound
/system/bin/iptables -P INPUT DROP
/system/bin/iptables -P FORWARD DROP
/system/bin/iptables -P OUTPUT ACCEPT
Original comment by jdbower...@gmail.com
on 6 Mar 2012 at 11:20
Would also like to see incoming and outgoing filter abilities.
Original comment by rla...@gmail.com
on 13 Mar 2014 at 2:53
Original issue reported on code.google.com by
hcbra...@one-plus-one.pt
on 11 Jan 2011 at 3:41