
I have been Hacked!

Clawsman (OP)

28th February 2012, 12:12 AM   |  #1  
Senior Member
115 posts
Joined: Nov 2011
Yeah.. as the title says.. 3 weeks ago this hacker hacked into my network..
placed rootkits in all my 3 computers and then hacked its way to my Desire and my wife's iPhone. Good thing I had Wireshark running at the same time.
So.. 5 units hacked with the method in like 1 hour. Bad luck for me I guess.
And Kaspersky didn't give me any warnings at all. Bye bye Kaspersky.

Anyway... I flashed my Desire's HBOOT just to be sure. After I did a check with "AutoKiller Memory Optimizer", all kinds of malware services were attached to most of my apps.
1- downgraded HBOOT
2- flashed stock HBOOT from alpharev
3- Changed recovery from CWM to 4EXT as I suspected the recovery being infected somehow.

I checked my log... the hacker had removed some files and moved shell files from one folder to another, as well as busybox and so on. It was so many I thought I'd be better off installing a new ROM.
I tried with GingerVillain first... everything installed fine..
Checking with "Root Explorer" I see the same files that had been moved and added were still there.

OK.. I tried again..
Full wipe with 4EXT and then installed Runnymede.. still.. when I check my root partition most of the files are still there and I get the same results doing a root check.

Any ideas...? I'm not sure if my kernel is right. It should be, when I installed Runnymede. When checking the kernel version
it says.. "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"
Maybe a kernel rootkit? Does the kernel start before recovery?

Can someone please confirm this?

Baseband seems to be the same.

Any advice as for how to start from scratch will be much appreciated.
28th February 2012, 06:32 AM   |  #2  
erklat
Senior Member
2,444 posts
Joined: Nov 2010
Quote:
Originally Posted by Clawsman

Full wipe with 4EXT and then installed Runnymede.. still.. when I check my root partition most of the files are still there and I get the same results doing a root check.

Full wipe wipes /cache, /data and /sd-ext to my knowledge. There is a possibility some of the files remain on /system. Use 4EXT to manually format each partition using the format option.

Quote:
Originally Posted by Clawsman

it says.. "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"

That seems in order. The long name attached marks the modules added to that kernel.

Sent from my HTC Desire using Tapatalk
28th February 2012, 03:58 PM   |  #3  
Senior Member (OP)
115 posts
Joined: Nov 2011
OK
Well.. I did the format manually in 4EXT.
I suspect some files are still there.. also some boot files containing malware script.
What file contains the boot script? I mean.. what file is the first to be triggered when booting in HBOOT? Because many things in the recovery don't seem right, and the HBOOT fast recovery starts with a delay.
Like when I want to partition or when I want to format all partitions except SD. Acts like it doesn't want to.

Anyway.. was just wondering if I could just use adb and delete every file and folder that is in my phone and then flash recovery and ROM again.
Is that what RUU does?
Is that something to recommend?
1st March 2012, 12:05 PM   |  #4  
Bingley
Senior Member
Location: Netherfield
536 posts
Joined: Jan 2011
RUU is a complete wipe of everything: /system, /hboot etc.
Download the correct one for your phone, *follow its instructions* (may need a gold card - google it) and run it on a clean PC.

Clean your PC, i.e. format and reinstall after taking backups.

Then start again with a new hboot/ROM setup.
2nd March 2012, 11:48 PM   |  #5  
andreigherghe
Recognized Developer
Location: Fetești
243 posts
Joined: Dec 2010
Is that even possible? Infecting an Android phone via a Wi-Fi network?

And recovery shouldn't be able to get infected. I think ONLY /data can, and eventually /system if it's mounted as RW.

But on a wipe, data gets deleted, and on a ROM install /system and boot (which holds the kernel and ramdisk) are deleted anyway.

RADIO starts before HBOOT. And there's absolutely no way they can be infected.

To be safe:

fastboot erase cache
fastboot erase system
fastboot erase boot
fastboot erase recovery *OVERKILL*

Then just do fastboot flash recovery {RECOVERY}

And there's nothing more you must do. HBOOT reflashing is 100% pointless.
Last edited by andreigherghe; 2nd March 2012 at 11:54 PM.
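The erase-then-flash sequence from post #5, wrapped in a small POSIX shell script as an added example; it is not from this thread or from any tool the thread mentions. It assumes (my additions, not the thread's) that you recorded the SHA-256 of the recovery image when you downloaded it and pass it as the second argument, and that the FASTBOOT variable can be overridden (for instance FASTBOOT=echo) for a dry run. The script refuses to flash when the hash does not match, which matters when, as in this thread, the PC used for flashing may itself be compromised.

```shell
#!/bin/sh
# Added example (not from the thread): runs the fastboot sequence from post #5
# but only after the recovery image's SHA-256 matches a hash you recorded
# when you downloaded it. Assumptions (mine, not the thread's): the expected
# hash is the second argument; FASTBOOT can be overridden for a dry run.
set -eu

FASTBOOT="${FASTBOOT:-fastboot}"

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only when the file exists and its hash equals the expected hash.
verify_image() {
    img="$1"; expected="$2"
    [ -f "$img" ] || return 1
    actual="$(sha256_of "$img")"
    [ "$actual" = "$expected" ]
}

# Erase the partitions named in post #5; erasing recovery is optional
# (the post calls it overkill) and only done when "yes" is passed.
erase_partitions() {
    with_recovery="${1:-no}"
    for part in cache system boot; do
        "$FASTBOOT" erase "$part"
    done
    if [ "$with_recovery" = "yes" ]; then
        "$FASTBOOT" erase recovery
    fi
}

# Full sequence: verify the image, erase, then flash the recovery image.
reflash() {
    img="$1"; expected="$2"; with_recovery="${3:-no}"
    if ! verify_image "$img" "$expected"; then
        echo "refusing to flash: $img does not match the expected SHA-256" >&2
        return 1
    fi
    erase_partitions "$with_recovery"
    "$FASTBOOT" flash recovery "$img"
}

# Usage (hypothetical script name): ./reflash.sh recovery.img <sha256> [yes]
if [ "${1:-}" != "" ]; then
    reflash "$1" "${2:-}" "${3:-no}"
fi
```

Run it once with FASTBOOT=echo to see the exact commands it would issue before pointing it at a real device; the hash check is the only step that is not straight from post #5.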
3rd March 2012, 09:02 AM   |  #6  
Senior Member
Location: Bucharest
327 posts
Joined: Jan 2010
Maybe top-notch hackers are shifting their interest from hacking NASA, FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows?

Anyways, here's a Thanks from me, Mr. Andrei, for your contribution to this community.
3rd March 2012, 12:37 PM   |  #7  
andreigherghe
Recognized Developer
Location: Fetești
243 posts
Joined: Dec 2010
Quote:
Originally Posted by TVTV

Maybe top-notch hackers are shifting their interest from hacking NASA, FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows?

Anyways, here's a Thanks from me, Mr. Andrei, for your contribution to this community.

I do what I can. There are many devs that know much more than me. Your thanks are appreciated.

For me it's still strange, though. Only data and system could be "infected".

Take a look at this: http://forum.xda-developers.com/show....php?t=1399076

It's a scheme I made on how HTC and Nexus devices work (how they boot, what the individual partitions are, etc.).
3rd March 2012, 06:15 PM   |  #8  
andQlimax
Senior Member
Location: Rome
2,370 posts
Joined: Jul 2010
Quote:
Originally Posted by Clawsman

Yeah.. as the title says.. 3 weeks ago this hacker hacked into my network..
placed rootkits in all my 3 computers and then hacked its way to my Desire and my wife's iPhone. Good thing I had Wireshark running at the same time.
So.. 5 units hacked with the method in like 1 hour. Bad luck for me I guess.
And Kaspersky didn't give me any warnings at all. Bye bye Kaspersky.

Anyway... I flashed my Desire's HBOOT just to be sure. After I did a check with "AutoKiller Memory Optimizer", all kinds of malware services were attached to most of my apps.
1- downgraded HBOOT
2- flashed stock HBOOT from alpharev
3- Changed recovery from CWM to 4EXT as I suspected the recovery being infected somehow.

I checked my log... the hacker had removed some files and moved shell files from one folder to another, as well as busybox and so on. It was so many I thought I'd be better off installing a new ROM.
I tried with GingerVillain first... everything installed fine..
Checking with "Root Explorer" I see the same files that had been moved and added were still there.

OK.. I tried again..
Full wipe with 4EXT and then installed Runnymede.. still.. when I check my root partition most of the files are still there and I get the same results doing a root check.

Any ideas...? I'm not sure if my kernel is right. It should be, when I installed Runnymede. When checking the kernel version
it says.. "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"
Maybe a kernel rootkit? Does the kernel start before recovery?

Can someone please confirm this?

Baseband seems to be the same.

Any advice as for how to start from scratch will be much appreciated.

An example of those infecting files?? What file in your root partition?? What path? ROM files are only on /system.

Sent from my Galaxy Nexus using Tapatalk
3rd March 2012, 09:37 PM   |  #9  
Junior Member
9 posts
Joined: Mar 2012
I never use an antivirus and until now never had a problem... As far as I know!
20th March 2012, 01:36 AM   |  #10  
Senior Member (OP)
115 posts
Joined: Nov 2011
Well, it happened to me..
I have deleted everything.. I remember I checked my log, and busybox files were moved to the system folder.. And all kinds of services were attached to Google Maps, Calendar, Facebook, Wi-Fi apps, Market, etc..
And new apps installed like VPN, cam apps, recorders.. etc.

I'm currently using the free Lookout...
And want to buy a security tool.
Any advice will be much appreciated.

Sent from my HTC Desire using xda premium
