弁財天

Goffman: "Don't trust the experts; think and judge for yourself."

"ES File Explorer" is spyware lol. Beijing, China [ASN4808 CNC Group 123.125.64.0/18 and 111.202.64.0/18], China's New Century Group lol. update6

ES File Explorer
ES File Explorer reportedly reaches out to a mysterious IP address on port 80, so I did a quick check.

Seriously?

tPacketCapture wouldn't run on my ZenFone 2, so I checked with Packet Capture instead.

Oh, it's true.
And Packet Capture itself is also talking to something on Amazon's cloud lol


"gzip" here means HTTP compressed transfer.
Even so, there's no doubt it is POSTing to hmma.baidu.com (202.108.23.85:80) lol
Pressing the HTTP button decompresses and displays it.


I blanked out the weird ID. It doesn't look like the IMEI number though lol

This kind of thing happened with Dolphin Browser before, too.

The attitude being something like "it's not personal information, so it's fine".

AFWall+ log. Looks like it is reaching out to more than just hmma.baidu.com (202.108.23.85:80).

---------
AppID : 10152
Application's Name: ES ファイルエクスプローラ
Total Packets Blocked:  5
[TCP]202.108.23.85:80(1)
[TCP]61.135.185.83:80(1)
[UDP]239.2.0.252:5353(1)
[UDP]239.2.0.251:5353(1)
[TCP]61.135.185.235:80(1)

---------
It is LISTENing on port 59777.
tcp6       0      0 :::59777               :::*                   LISTEN
tcp        0      0 :::59777                :::*                    LISTEN      7017/com.estrongs.a
root@Z00A:/storage/MicroSD # ps|grep 7017
u0_a152   7017  320   1318984 120456 ffffffff f7746f05 S com.estrongs.android.pop
u0_a152   7044  7017  4892   716   ffffffff f7674c63 S /data/data/com.estrongs.android.pop/files/libestool2.so
root@Z00A:/storage/MicroSD # 

At that time the only thing in use at my place was "ES File Explorer". Snort caught it lol

08/31-04:54:21.909903  [**] [1:2010066:10]   ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:50449 -> 123.125.114.8:80
08/31-04:57:40.241722  [**] [1:2010066:10]   ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:36895 -> 123.125.114.8:80
08/31-05:05:15.163410  [**] [1:2010066:10]   ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:49660 -> 123.125.114.8:80

08/01-21:54:44.437500 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:41177 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/01-21:54:47.816843 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:35204 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/01-22:14:34.562768 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45634 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/02-05:24:51.504883 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:34797 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/03-05:12:44.584597 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:55018 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/03-05:12:44.700140 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:55018 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/03-05:12:45.866856 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:51681 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/03-05:12:46.501681 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:51681 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/03-05:14:34.347507 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:51536 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/03-05:26:59.410222 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:55858 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/06-10:20:19.490414 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:35966 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/06-10:20:23.837098 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:38471 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/06-10:22:10.308301 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:51402 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/07-06:46:41.847222 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:33839 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/07-06:55:32.269119 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:39904 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/07-06:56:44.080029 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:35075 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/09-05:52:20.067973 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:43693 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/09-05:52:25.280646 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:48430 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/10-04:47:17.265006 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46079 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/10-04:47:17.435108 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46079 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/11-05:53:29.213886 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46341 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/11-05:53:29.385201 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46341 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/11-05:53:30.108765 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:47503 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/12-05:25:42.691239 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:50289 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/12-05:25:42.874311 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:50289 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:03:54.163813 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45582 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:03:54.592299 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:36936 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/15-06:03:54.443965 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45582 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:07:25.570296 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45526 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:10:05.687740 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:34614 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:12:51.082953 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:43503 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:14:47.457465 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:37564 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:15:50.387397 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:60315 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:19:02.604289 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:36736 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/15-06:24:08.935589 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:35949 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/18-05:54:41.392273 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:60878 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/18-05:55:08.052320 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:36816 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/20-09:59:51.073976 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:40086 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/22-05:29:38.374841 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:47050 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/22-05:29:40.266620 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:52964 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/23-05:29:47.470765 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:58602 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/23-05:29:47.873859 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:40616 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/23-05:31:51.859062 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:57529 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/23-05:35:27.151272 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:34519 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/23-05:48:06.617426 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:56817 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/29-05:31:11.258538 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46655 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/29-05:31:11.364605 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:46655 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/29-05:31:11.596741 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:60166 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/30-04:59:33.879705 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:47902 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/30-04:59:34.052203 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:47902 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/30-05:01:22.251481 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:44600 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/30-06:50:54.413773 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:57280 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/30-06:50:54.586041 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:58212 -> 111.202.114.38:80 111.202.114.38 北京市 中国 [ASN4808 CNC Group 111.202.64.0/18]
08/31-04:54:21.909903 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:50449 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/31-04:57:40.241722 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:36895 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]
08/31-05:05:15.163410 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:49660 -> 123.125.114.8:80 123.125.114.8 北京市 中国 [ASN4808 CNC Group 123.125.64.0/18]

Added ASN info to the Snort log.

Beijing, China [ASN4808 CNC Group 123.125.64.0/18]
China's CNC Group, China's New Century Group

The prefixes to block on the firewall are just these two:
[ASN4808 CNC Group 111.202.64.0/18]
[ASN4808 CNC Group 123.125.64.0/18]
and that's it.
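The ASN annotation step above (tagging each Snort alert with the prefix its destination falls in, then deciding which prefixes are worth a firewall rule) can be reproduced over the fast-format alert lines. The following Python script is an added example, not code from this post; it assumes only the two ASN4808 prefixes listed here, parses each alert line with a regular expression, appends the prefix label when the destination falls inside one of them, and tallies alerts per destination. The sample input is three alert lines copied from the log above plus one constructed line to 198.51.100.7 (a documentation address) that falls outside both prefixes, so it stays unannotated.

```python
import ipaddress
import re
from collections import Counter

# Prefix table taken from the post above (ASN4808 CNC Group). Destinations
# outside these networks are left unannotated rather than guessed.
KNOWN_PREFIXES = {
    ipaddress.ip_network("123.125.64.0/18"): "ASN4808 CNC Group",
    ipaddress.ip_network("111.202.64.0/18"): "ASN4808 CNC Group",
}

# Snort "fast" alert format: timestamp, [gid:sid:rev], optional <iface>,
# message, classification, priority, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict of fields for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    rec["dport"] = int(rec["dport"])
    return rec


def lookup_prefix(ip_text):
    """Return (network, label) for the first known prefix containing ip_text, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, label in KNOWN_PREFIXES.items():
        if ip in net:
            return net, label
    return None


def annotate(line):
    """Append '[label prefix]' to an alert whose destination lies in a known prefix."""
    rec = parse_alert(line)
    if rec is None:
        return line
    hit = lookup_prefix(rec["dst"])
    if hit is None:
        return line
    net, label = hit
    return f"{line.rstrip()} [{label} {net}]"


def summarize(lines):
    """Count alerts per (destination IP, containing prefix or None)."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        hit = lookup_prefix(rec["dst"])
        counts[(rec["dst"], str(hit[0]) if hit else None)] += 1
    return counts


# Sample input: three lines copied from the Snort log in the post, plus one
# constructed line to a documentation address outside both prefixes.
SAMPLE_ALERTS = [
    "08/31-04:54:21.909903  [**] [1:2010066:10]   ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:50449 -> 123.125.114.8:80",
    "08/03-05:12:45.866856 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:51681 -> 111.202.114.38:80",
    "08/15-06:03:54.163813 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45582 -> 123.125.114.8:80",
    "08/15-06:05:00.000000 [**] [1:2010066:10] <br0> ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 我が家Android:45583 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(annotate(line))
    for (dst, net), n in sorted(summarize(SAMPLE_ALERTS).items(), key=lambda kv: kv[0][0]):
        print(f"{dst:16} {net or '-':18} {n}")
```

Running it prints the two prefix-tagged destinations alongside the untagged documentation address; the per-destination tally is what tells you a prefix is worth a REJECT rule rather than a single lookup.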

Me, setting up a firewall and still going on using ES File Explorer lol

I use AFWall+ on Android, and in its custom script (Set custom script) I put

. /data/local/bin/iptables_custom.sh
or similar, and in /data/local/bin/iptables_custom.sh I have
#!/system/bin/sh

IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables

#$IPTABLES -A "afwall-wifi" -d 111.202.64.0/18 -j REJECT --reject-with icmp-port-unreachable
#$IPTABLES -A "afwall-wifi" -d 123.125.64.0/18 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A "afwall" -d 111.202.64.0/18 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A "afwall" -d 123.125.64.0/18 -j REJECT --reject-with icmp-port-unreachable
Something like that should do it, I guess lol
