I have been Hacked!


Clawsman

Senior Member
Nov 10, 2011
Yeah, as the title says: 3 weeks ago a hacker hacked into my network,
placed rootkits in all 3 of my computers and then hacked its way to my Desire and my wife's iPhone. Good thing I had Wireshark running at the same time.
So, 5 units hacked with the method in like 1 hour. Bad luck for me, I guess.
And Kaspersky didn't give me any warnings at all. Bye bye, Kaspersky.

Anyway, I flashed my Desire's HBOOT just to be sure. After I did a check with "AutoKiller Memory Optimizer", all kinds of malware services were attached to most of my apps.
1. Downgraded HBOOT
2. Flashed stock HBOOT from AlphaRev
3. Changed recovery from CWM to 4EXT, as I suspected the recovery being infected somehow.

I checked my log: the hacker had removed some files and moved shell files from one folder to another, as well as busybox and so on. It was so many that I thought I'd be better off installing a new ROM.
I tried with GingerVillain first; everything installed fine.
Checking with "Root Explorer", I see the same files that had been moved and added were still there.

OK, I tried again:
full wipe with 4EXT and then installed Runnymede. Still, when I check my root partition most of the files are still there, and I get the same results doing a root check.

Any ideas? I'm not sure if my kernel is right. It should be, since I installed Runnymede. When checking the kernel version
it says: "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"
Maybe a kernel rootkit? Does the kernel start before recovery?

Can someone please confirm this?

Baseband seems to be the same.

Any advice as to how to start from scratch will be much appreciated.
 

erklat

Senior Member
Nov 14, 2010
Full wipe with 4EXT and then installed Runnymede. Still, when I check my root partition most of the files are still there, and I get the same results doing a root check.

Full wipe wipes /cache, /data and /sd-ext, to my knowledge. There is a possibility some of the files remain on /system. Use 4EXT to manually format each partition using the format option.

It says: "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"

That seems in order. The long name attached marks the modules added to that kernel.

Sent from my HTC Desire using Tapatalk
 

Clawsman

Senior Member
Nov 10, 2011
OK.
Well, I did the format manually in 4EXT.
I suspect some files are still there, also some boot files containing a malware script.
What file contains the boot script? I mean, what file is the first to be triggered when booting in HBOOT? Because many things in the recovery don't seem right, and the HBOOT fastrecovery starts with a delay.
Like when I want to partition, or when I want to format all partitions except SD. It acts like it doesn't want to.

Anyway, I was just wondering if I could just adb in and delete every file and folder that is in my phone and then flash recovery and ROM again.
Is that what RUU does?
Is that something to recommend?
 

Bingley

Senior Member
Jan 6, 2011
Netherfield
RUU is a complete wipe of everything: /system, HBOOT etc.
Download the correct one for your phone, *follow its instructions* (may need a gold card; Google it) and run it on a clean PC.

Clean your PC, i.e. format and reinstall after taking backups.

Then start again with a new HBOOT/ROM setup.
 

andreigherghe

Inactive Recognized Developer
Dec 25, 2010
Fetești
Is that even possible? Infecting an Android phone via a Wi-Fi network? :confused:

And recovery shouldn't be able to get infected. I think ONLY /data can, and eventually /system if it's mounted as RW.

But on a wipe, data gets deleted, and on a ROM install /system and boot (which holds the kernel and ramdisk) are deleted anyway.

RADIO starts before HBOOT. And there's absolutely no way they can be infected.

To be safe:

fastboot erase cache
fastboot erase system
fastboot erase boot
fastboot erase recovery *OVERKILL*

Then just do fastboot flash recovery {RECOVERY}

And there's nothing more you must do. HBOOT reflashing is 100% pointless.
 
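The erase-and-reflash sequence in the post above, as an added example that is not code from the thread: a small POSIX shell wrapper that refuses to touch the device unless the recovery image's SHA-256 matches a hash obtained out of band (the ROM or recovery author's published checksum), then runs the erase commands in the order given and logs every fastboot call so the run can be reviewed afterwards. It assumes the phone is already in fastboot mode with an unlocked/S-OFF HBOOT, as in the thread; the function names, the FASTBOOT override variable and the log file are this example's own conventions.

```bash
#!/bin/sh
# Added example (not from the thread): verify the recovery image, then
# erase cache/system/boot/recovery and flash the verified recovery image.
# FASTBOOT defaults to the real binary; point it at a stub for a dry run.
set -u

FASTBOOT="${FASTBOOT:-fastboot}"

# file_sha256 FILE -> prints the hex SHA-256 (GNU coreutils or BSD/macOS)
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_image FILE EXPECTED_SHA256 -> 0 if the hash matches, 1 otherwise
verify_image() {
  [ -f "$1" ] || { echo "verify_image: no such file: $1" >&2; return 1; }
  actual=$(file_sha256 "$1")
  if [ "$actual" != "$2" ]; then
    echo "verify_image: hash mismatch for $1" >&2
    echo "  expected $2" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# clean_reflash RECOVERY_IMG EXPECTED_SHA256 LOGFILE
# Runs nothing on the device unless the image verifies. Every fastboot
# call is appended to LOGFILE, and the first failure aborts the sequence.
clean_reflash() {
  img=$1; want=$2; log=$3
  verify_image "$img" "$want" || return 1
  : > "$log"
  for part in cache system boot recovery; do
    echo "erase $part" >> "$log"
    "$FASTBOOT" erase "$part" || { echo "erase $part failed" >&2; return 1; }
  done
  echo "flash recovery $img" >> "$log"
  "$FASTBOOT" flash recovery "$img" || { echo "flash recovery failed" >&2; return 1; }
  return 0
}

# Usage (real device): clean_reflash recovery.img <sha256 from the author> flash.log
# Dry run:             FASTBOOT=echo clean_reflash recovery.img <sha256> flash.log
```

Running it with `FASTBOOT=echo` first shows the exact command sequence without touching the phone; the hash check matters because the thread's advice is to download the image on a machine that was itself compromised, so an image pulled through that machine should be checked against a checksum obtained some other way.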

TVTV

Senior Member
Jan 5, 2010
Bucharest
Maybe top-notch hackers are shifting their interest from hacking NASA, the FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows? :D

Anyway, here's a thanks from me, Mr. Andrei, for your contribution to this community.
 

andreigherghe

Inactive Recognized Developer
Dec 25, 2010
Fetești
Maybe top-notch hackers are shifting their interest from hacking NASA, the FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows? :D

Anyway, here's a thanks from me, Mr. Andrei, for your contribution to this community.

I do what I can. :) There are many devs that know much more than me. Your thanks are appreciated. :D

For me it's still strange, though. Only data and system could be "infected".

Take a look at this: http://xdaforums.com/showthread.php?t=1399076

It's a scheme I made on how HTC and Nexus devices work (how they boot, what the individual partitions are, etc.). :)
 

andQlimax

Senior Member
Jul 29, 2010
Rome
An example of those infecting files? What file in your root partition? What path? ROM files are only on /system.

Sent from my Galaxy Nexus using Tapatalk
 

Clawsman

Senior Member
Nov 10, 2011
Well, it happened to me.
I have deleted everything. I remember I checked my log, and busybox files were moved to the system folder. And all kinds of services were attached to Google Maps, Calendar, Facebook, Wi-Fi apps, Market, etc.
And new apps were installed, like VPN, cam apps, recorders, etc.

I'm currently using the free Lookout
and want to buy a security tool.
Any advice will be much appreciated.

Sent from my HTC Desire using xda premium
 
