  1. #1

    fake IP addresses being generated on android phone

    Sorry for what feels like a crosspost, but it was suggested this was a better forum:

    I've been getting some alerts from different layers of firewall I run.

    When I finally got to the bottom of it, it was two Android phones. They are attempting to send requests OUT but are quoting a SRC address which, while plausible, cannot exist on my networks. So far I've seen it try to contact Twitter and the Android Market. NB this is NOT somebody using Twitter, as that goes out with the correct SRC address. Now it strikes me that if I ran a simpler firewall regime these would get out and come back, and assuming the phone was in promiscuous mode it could catch the reply, but any attempt to trace it back to source would be thwarted. Using Twitter to post the info means the final server need not reveal itself ... has anybody seen this before? The SRC addresses used change, say, about once per hour. PS They do not appear in the ARP table either.

    (original thread http://www.linuxquestions.org/questi...8/#post4497072 )

  2. #2
    Are these phones rooted? Then you can install any Busybox, Terminal, run it as root, and write "netstat -p". Then you get connections with program names.



  3. #3
    No, they are not rooted. However, a friend, whose phone IS rooted, ran Wireshark on his phone and spotted similar 10.* addresses appearing (his phone is 192.168...),
    so he may care to try this. ... I'll point him at this thread (Peter, this is the thread!)



  4. #4
    Yes, Graeme, I ran the Android port of Wireshark several times and saw 4 such packets in total ... all 4 were on my first run. At the time, the Android phone's IP address was 192.168.175.128 (on my internal LAN)

    Packet #1

    src MAC android phone, src IP 10.170.6.86
    dest MAC local router, dest IP 209.85.229.188 port 58205
    23 bytes of binary data

    Packet #2

    src MAC android phone, src IP 10.170.6.86
    dest MAC local router, dest IP 219.136.248.195 port 80
    no data

    Packet #3

    src MAC android phone, src IP 10.170.6.86
    dest MAC local router, dest IP 219.136.248.195 port 80
    no data

    Packet #4

    src MAC android phone, src IP 10.170.6.86
    dest MAC local router, dest IP 209.85.229.188 port 58205 [ re-transmission ]
    23 bytes of binary data

    209.85.229.188 is ww-in-f188.1e100.net ... part of google.
    219.136.248.195 port 80 shows a php page


    Last edited by plord; 10-15-2011 at 03:27 PM.
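
An added example, not part of any post in this thread: a Python sketch of the check the firewall was in effect performing, flagging outbound packets whose source IP lies outside the LAN prefix and grouping them by source MAC. The /24 prefix length, the placeholder MAC address, the record layout and the one "normal" packet are assumptions; the other addresses and ports are those quoted in post #4.

```python
import ipaddress
from collections import defaultdict

# Assumption: the LAN is 192.168.175.0/24 (the thread gives only the phone's
# address, 192.168.175.128, not the prefix length).
LAN = ipaddress.ip_network("192.168.175.0/24")

# Constructed capture summary: (src MAC, src IP, dst IP, dst port).
# Placeholder MAC; first four rows use post #4's values, the last row is constructed.
PHONE_MAC = "02:00:00:00:00:01"
CAPTURE = [
    (PHONE_MAC, "10.170.6.86", "209.85.229.188", 58205),
    (PHONE_MAC, "10.170.6.86", "219.136.248.195", 80),
    (PHONE_MAC, "10.170.6.86", "219.136.248.195", 80),
    (PHONE_MAC, "10.170.6.86", "209.85.229.188", 58205),
    (PHONE_MAC, "192.168.175.128", "209.85.229.188", 443),
]


def classify_source(src_ip, lan=LAN):
    """Describe why a source address is or is not valid for egress from lan."""
    addr = ipaddress.ip_address(src_ip)
    if addr in lan:
        return "ok"
    if addr.is_private:
        return "foreign-private"   # RFC 1918 address from some other network
    return "foreign-public"


def find_mismatched_sources(capture, lan=LAN):
    """Return {src MAC: {bad src IP: [(dst IP, dst port), ...]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for mac, src, dst, port in capture:
        if classify_source(src, lan) != "ok":
            findings[mac][src].append((dst, port))
    return {mac: dict(by_ip) for mac, by_ip in findings.items()}


def hosts_with_multiple_identities(capture, lan=LAN):
    """MACs seen sending with both a valid LAN source and a foreign source."""
    seen = defaultdict(set)
    for mac, src, _dst, _port in capture:
        seen[mac].add(classify_source(src, lan))
    return sorted(m for m, kinds in seen.items() if "ok" in kinds and len(kinds) > 1)


if __name__ == "__main__":
    print(find_mismatched_sources(CAPTURE))
    print("dual-identity hosts:", hosts_with_multiple_identities(CAPTURE))
```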
