Could this be an infected Android cell phone?



  • I tried to google for details from the logs, e.g. 'central/motorola-11-voice20000-1600-bpi.cm', but I could not find a single result. So my question is: could that be an infected Android phone?

    What do the logs at that point actually tell me, despite the fact that it got blocked and is still getting blocked at a rate of ~4 blocks per minute?

    pfSense:

    Version:
    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:44 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    System -> Advanced -> Networking -> Allow IPv6  ==> is unchecked

    Client:

    IP: 192.168.<hidden>.<hidden>
    MAC: cc:fa:00:a7::
    Name: android-dcd79d0cd<hidden>

    ### Filter logs:
    Feb 26 12:42:37 tmh-firewall pf: 00:00:02.823886 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 56167, offset 0, flags [DF], proto TCP (6), length 79)
    Feb 26 12:42:37 tmh-firewall pf:    192.168.<hidden>.<hidden>.47438 > 173.194.44.31.443: Flags [P.], cksum 0xa8b1 (correct), ack 3479133114, win 264, options [nop,nop,TS val 1895616 ecr 571900440], length 27

    Feb 26 12:42:27 tmh-firewall pf: 00:00:00.958737 rule 45/0(match): block in on re0: (tos 0x0, ttl 255, id 19360, offset 0, flags [none], proto UDP (17), length 456)
    Feb 26 12:42:27 tmh-firewall pf:    10.220.112.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 428, hops 1, xid 0x1773e7ea, Flags [Broadcast]
    Feb 26 12:42:27 tmh-firewall pf:          Your-IP 10.220.123.137
    Feb 26 12:42:27 tmh-firewall pf:          Server-IP 195.234.128.44
    Feb 26 12:42:27 tmh-firewall pf:          Gateway-IP 10.220.112.1
    Feb 26 12:42:27 tmh-firewall pf:          Client-Ethernet-Address 00:14:e8:a6:61:aa
    Feb 26 12:42:27 tmh-firewall pf:          file "central/motorola-11-voice20000-1600-bpi.cm" [|bootp]
    Feb 26 12:42:27 tmh-firewall pf: 00:00:00.095688 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 54655, offset 0, flags [DF], proto TCP (6), length 79)

    Feb 26 12:54:20 tmh-firewall pf: 00:00:00.439478 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 49569, offset 0, flags [DF], proto TCP (6), length 603)
    Feb 26 12:54:20 tmh-firewall pf:    192.168.<hidden>.<hidden>.32821 > 173.194.70.95.443: Flags [P.], ack 3906605826, win 408, options [nop,nop,TS val 1965844 ecr 1110537749], length 551
    Feb 26 12:54:20 tmh-firewall pf: 00:00:00.413795 rule 3/0(match): block in on em0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))
    Feb 26 12:54:20 tmh-firewall pf: 00:00:00.000031 rule 3/0(match): block in on bridge0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))
    Feb 26 12:54:20 tmh-firewall pf: 00:00:00.000010 rule 3/0(match): block in on em0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))