Author Topic: strange outgoing connections on port 10000  (Read 4396 times)

geminifrench (Newbie, 38 posts, Stephane Marcellet)
strange outgoing connections on port 10000
« on: December 20, 2019, 08:03:03 am »
Hello.

I have just received my Gemini 4G, and I am very happy with it. It is a lovely machine.

I have installed the "no root firewall" application and I have seen some strange outgoing connection requests.
I have blocked them, but I do not understand what this is.
They are:
- 106.184.5.78:10000
- 41.252.50.191:10000

With a whois IP website I see that the first is KDDI Corporation.
The second is ALICLOUD.us.

Has anyone ever seen this?
And does anyone know why they are trying to connect to them?

I can list my applications if needed; there are just a few.

Thanks
Gemini x27 4G - Debian only - (sold)

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #1 on: December 21, 2019, 11:03:42 am »
Hello,

"Firewall without root" usually also lists which app is trying to connect. What does it say?

geminifrench (Newbie, 38 posts, Stephane Marcellet)
strange outgoing connections on port 10000
« Reply #2 on: December 21, 2019, 12:13:02 pm »
Hi.

You're right.

The "application details" in "firewall no root" for what tries to connect outside are these:

"BT Tool, Certificat wapi (WAPI certificate), com.android.wallpaperbackup, com.mediatek, com.mediatek.batterywarning, com.mediatek.callrecorder, Duraspeed, Fused Location, Gestion des appels (Call management), Horloge (Clock), input devices, LPPe service, MDMConfig, Mise à jour sans fil (Wireless update), Mobile anti-theft, MTK NLP Service, MTK Thermal manager, Paramètres (Settings), Permission Control, Porte-clés (Keychain), SimProcessor, Stockage des paramètres (Settings storage), Stockage du contenu protégé par GDN (DRM-protected content storage), Système Android (Android System)"

It seems to be one of these services that tries to connect.
But which one? And why? I don't know.
And it is the first time I see this "10000" port number on one of my Android devices with a firewall.
Gemini x27 4G - Debian only - (sold)

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #3 on: December 23, 2019, 01:50:46 am »
Hmm, right, it seems to be no single app that is connecting through port 10000, but a service that all of the listed apps and services make use of.
Port 10000 seems to be a standard port for a "Webmin" protocol, that is a remote configuration service through TCP/IP, as far as I understand it.
Since you blocked it, and if there are no other suspicious activities in the log, maybe it's not worth too much worry, but I would observe the firewall log and check it once in a while for more things going on.

Sorry for not being able to offer more help.
« Last Edit: December 23, 2019, 01:52:44 am by Eldkatten »

geminifrench (Newbie, 38 posts, Stephane Marcellet)
strange outgoing connections on port 10000
« Reply #4 on: December 23, 2019, 04:08:00 am »
>Sorry for not being able to offer more help.

On the contrary, thank you for trying to help me.
Even if you don't know how to resolve it, I appreciate it. Thank you.

I am just surprised that nobody has had the same connections.
So I will try a factory reset with a minimal install and see if this connection appears again.
I will post the result in a few days.
Gemini x27 4G - Debian only - (sold)

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #5 on: December 23, 2019, 12:34:34 pm »
Looking forward to it.

Peaceful Christmas!

geminifrench (Newbie, 38 posts, Stephane Marcellet)
strange outgoing connections on port 10000
« Reply #6 on: December 26, 2019, 06:12:49 am »
So I have done a factory reset of the Gemini.
The only application that I have installed is "firewall no root" (which is installed on my other Android devices with no problem of strange connections).

There are still the strange connections:
- 106.184.5.78:10000 is a connection in JAPAN
- 47.252.50.191:10000 is a connection in ALIBABA CLOUD in the USA
and
- 47.89.190.227:80 is a connection in ALIBABA CLOUD in the USA
- 112.124.58.101:80 is a connection in ALISOFT, which is the ALIBABA network in CHINA

I have found that the "BT TOOL" application that I spoke about before uses all the services that I noticed before.
To see this, you have to go to:
- Settings
- Applications & notifications
- click on "show the ....(number)... applications"
- click the menu at the top right with the 3 dots, and select "show all system processes"
- search the list for "bt tool" and select it
- select "data usage"
You see the name "mobile anti-theft", and under it are all the services listed in my previous messages.

I do not remember where I saw it, but I saw the real name of "bt tool" somewhere in the menus.
It is: com.mediatek.bluetooth.dtt

Voilà.
I do not know any more.
Now I have disabled all applications (from the base install of the Gemini) that are not necessary, and disabled all the settings that I can in Settings. I have especially disabled the location settings for finding the device if you lose it (settings I had never used before on other devices). I will see if that does something.
I am just surprised to be the only one to use a firewall on the Gemini...
Gemini x27 4G - Debian only - (sold)
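The post above attributes the connection to an app by clicking through the Settings "data usage" view, which (as a later reply notes) lumps many system apps together. A more direct way to answer "which app owns this socket?" is to read the kernel socket tables, which on Android carry the owning uid of every socket. The script below is an added example, not code from this thread, from the Firewall without Root app or from Planet Computers. It parses the text format of /proc/net/tcp and /proc/net/tcp6 (obtained on a device with `adb shell cat /proc/net/tcp /proc/net/tcp6`; on newer Android releases /proc/net is only readable from a privileged shell) and maps the uid to a package name using a table you would build from `adb shell pm list packages -U`. The socket table lines and the uid-to-package map here are constructed for the example; they reproduce the kernel's layout and show a connection to 106.184.5.78:10000, the destination from the thread, but they are not a real capture.

```python
"""Attribute outbound TCP connections to the Android uid (and so the app) that
owns them, by parsing /proc/net/tcp and /proc/net/tcp6.  Added example; all
input below is constructed and the uid-to-package map is hypothetical.
"""
import socket
import struct

# Socket states as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp content: a local listener owned by root (uid 0), an
# established connection to 106.184.5.78:10000 owned by uid 10065, and an HTTPS
# connection to 47.252.50.191 owned by uid 10099.  Addresses are little-endian
# hex words and ports are big-endian hex, exactly as the kernel prints them.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0FC3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 6400A8C0:B1E2 4E05B86A:2710 01 00000000:00000000 00:00000000 00000000 10065        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 6400A8C0:B1E3 BF32FC2F:01BB 01 00000000:00000000 00:00000000 00000000 10099        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6 content: the same port-10000 destination reached
# through a v4-mapped IPv6 socket, still in SYN_SENT (what a blocked attempt
# looks like while the connect() is pending).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00006400A8C0:B1E4 0000000000000000FFFF00004E05B86A:2710 02 00000000:00000000 00:00000000 00000000 10065        0 45678 1 0000000000000000 20 4 30 10 -1
"""

# Hypothetical uid -> package map; on a real device build it from
# `pm list packages -U`, which prints "package:<name> uid:<uid>".
UID_TO_PACKAGE = {10065: "com.example.updater", 10099: "com.example.browser"}


def decode_addr(field: str) -> tuple[str, int]:
    """Turn "4E05B86A:2710" into ("106.184.5.78", 10000).

    Each 32-bit word of the address is printed as a little-endian hex number,
    so an IPv4 address is one word and an IPv6 address is four words.
    """
    ip_hex, port_hex = field.split(":")
    raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16))
                   for i in range(0, len(ip_hex), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_socket_table(text: str) -> list[dict]:
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into socket records."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        sockets.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),              # the owning uid, i.e. the app
        })
    return sockets


def outbound_to_ports(tables, ports, uid_to_package):
    """Return (package, remote ip, remote port, state) for every non-listening
    socket in the given table texts whose remote port is in `ports`."""
    hits = []
    for text in tables:
        for s in parse_socket_table(text):
            if s["state"] == "LISTEN" or s["remote"][1] not in ports:
                continue
            owner = uid_to_package.get(s["uid"], "uid:%d" % s["uid"])
            hits.append((owner, s["remote"][0], s["remote"][1], s["state"]))
    return hits


if __name__ == "__main__":
    for hit in outbound_to_ports([SAMPLE_TCP, SAMPLE_TCP6], {10000}, UID_TO_PACKAGE):
        print("%-22s -> %s:%d (%s)" % hit)
```

Because a blocked attempt spends only a short time in SYN_SENT, poll the tables in a loop (or run the script every second over `adb shell`) rather than reading them once; the uid, not the process name, is what reliably ties the socket to a package, since several system apps can share one process.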

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #7 on: December 26, 2019, 12:45:55 pm »
Quote
I am just surprised to be the only one to use a firewall on the Gemini...

Ah, no, you aren't. I use it too, or at least I used it for quite a while, until I found out that it interferes with VPN connections (because it establishes an internal VPN connection of its own), so I can only have the firewall or the VPN, but not both at the same time. But since I never saw any suspicious activity, I still felt safe deactivating the firewall. Now I have activated it once again, and I'll watch for connections of the kind you described. I'll report in a few days.

Somewhere I read the advice to deactivate all "MTK" apps and services possible. They seem to "phone home" so much that they might be considered spyware. I am not suggesting that you do that, but you might consider investigating what "com.mediatek.bluetooth.dtt" actually does and whether it is necessary.

I wouldn't be surprised if any of all those shiny apps and services - not only the MTK ones - established connections to who knows where. So-called "app development" nowadays is mostly pasting together preconfigured modules from a software development kit, and mostly no one seems to bother to ask what those modules do besides what they are meant for. I had a harsh discussion with a supplier of a product that comes bundled with an Android app about unwanted network connections, and they finally admitted that they had just taken modules, let's say for "cloud storage", from some kit and put them in, without knowing what they got in addition. The "addition" was at least five different connections with unknown purpose to servers in China and the like.

Well, you seem to be making progress, and I wish you success in finally getting a port-10000-free Gemini.

P.S.: on my Gemini no "com.mediatek.bluetooth.dtt" service is running, Bluetooth on or off. When I activate Bluetooth - which I usually don't - there is a "com.android.bluetooth" process running, which vanishes again when I deactivate Bluetooth.
Strangely enough there are a lot of places where you can download the "Mediatek Bluetooth Tool" apk, but I have found no explanation so far of what it is actually supposed to do.
« Last Edit: December 26, 2019, 12:59:03 pm by Eldkatten »

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #8 on: December 29, 2019, 04:04:37 am »
Just the promised update: no "com.mediatek.bluetooth.dtt" process anywhere, no connections to port 10000 in the firewall log file.

Maybe just get rid of "com.mediatek.bluetooth.dtt".

spook (Jr. Member, 89 posts)
strange outgoing connections on port 10000
« Reply #9 on: December 29, 2019, 06:12:07 am »
Someone waaaaay smarter than me has figured out that the traffic on port 10000 is the OTA updater phoning home. They also found some alarmingly dodgy things about the OTA updating application (which PC has outsourced). For a really interesting read, see here: https://wuffs.org/blog/pulling-apart-the-co...temfota-updater

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #10 on: December 29, 2019, 09:52:33 am »
Shouldn't more people then have that suspicious port 10000 traffic?

The OTA updater nudges me again about updating, which I don't want but can't disable, so apparently I have to live with those annoying messages, but I don't have that traffic.

Ninji (Newbie, 32 posts)
strange outgoing connections on port 10000
« Reply #11 on: December 29, 2019, 09:29:01 pm »
Hey, I'm the author of that blog post about the Digitime/SystemFota updater linked above - thanks for drawing my attention to this on Twitter, I usually don't look at the Gemini subforum so I wouldn't have seen this otherwise...!

Quote from: geminifrench
I have found that the "BT TOOL" application that I spoke about before uses all the services that I noticed before.
To see this, you have to go to:
- Settings
- Applications & notifications
- click on "show the ....(number)... applications"
- click the menu at the top right with the 3 dots, and select "show all system processes"
- search the list for "bt tool" and select it
- select "data usage"
You see the name "mobile anti-theft", and under it are all the services listed in my previous messages.
I suspect that this is a red herring - on my Cosmo, many different system apps all get grouped together into the same 'block', including the Wireless Update tool.

The Cosmo doesn't have the com.mediatek.bluetooth.dtt app, so I extracted it from the Gemini image to examine it. It doesn't seem to be suspicious and doesn't make any network connections - it appears to just be a debugging tool that allows internal logging settings of the Bluetooth subsystem to be adjusted and accessed.

You may not notice the port 10000 connections immediately because the system tries to evade monitoring by waiting a random amount of time before firing a request, and also keeping a minimum delay between attempts. There was an earlier version I investigated which would actually wait up to 30 attempts before phoning home (presumably to avoid detection), but they seem to have toned this down for the Gemini/Cosmo builds...
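The randomised wait and minimum spacing described above are exactly what defeats the two lazy ways of reading a firewall log: sorting destinations by hit count (a client that fires a few times a day never reaches the top) and looking for regular beacons (jittered gaps are not periodic). The script below is an added example, not code from this thread or from the Firewall without Root app; the log line format it parses is assumed (date, time, package, destination, verdict), so adjust `LOG_RE` to whatever your firewall exports. The log lines are constructed: a chatty browser and a quiet client that reaches port 10000 a few times with widely varying gaps, as in the thread.

```python
"""Summarise a firewall log so that rare, jittered connection attempts to a
watched port stand out instead of being buried under high-volume traffic.
Added example; the log format is assumed and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed export format: "<date> <time> <package> -> <ip>:<port> <allowed|blocked>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<app>\S+) -> "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<action>allowed|blocked)$"
)

# Constructed sample.  com.example.updater is a stand-in for the phoning-home
# client; its three attempts are hours apart and the gaps are not equal.
SAMPLE_LOG = """\
2019-12-26 06:00:12 com.example.browser -> 93.184.216.34:443 allowed
2019-12-26 06:00:13 com.example.browser -> 93.184.216.34:443 allowed
2019-12-26 06:00:40 com.example.updater -> 106.184.5.78:10000 blocked
2019-12-26 06:05:02 com.example.browser -> 93.184.216.34:443 allowed
2019-12-26 06:31:19 com.example.browser -> 93.184.216.34:443 allowed
2019-12-26 09:47:03 com.example.updater -> 106.184.5.78:10000 blocked
2019-12-26 12:00:00 com.example.browser -> 93.184.216.34:443 allowed
2019-12-26 17:22:48 com.example.updater -> 47.252.50.191:10000 blocked
2019-12-27 01:13:55 com.example.updater -> 106.184.5.78:10000 blocked
2019-12-27 01:14:02 com.example.browser -> 93.184.216.34:443 allowed
this line is not in the expected format and is skipped
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "app": m["app"], "ip": m["ip"],
            "port": int(m["port"]), "action": m["action"],
        })
    return events


def summarise(events):
    """Per (app, ip, port): hit count, first/last seen, gap statistics and a
    crude periodicity check (all gaps within 20% of the smallest one)."""
    by_dst = defaultdict(list)
    for e in events:
        by_dst[(e["app"], e["ip"], e["port"])].append(e["ts"])
    summary = {}
    for key, stamps in by_dst.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0], "last": stamps[-1],
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
            "periodic": len(gaps) >= 2 and max(gaps) <= 1.2 * min(gaps),
        }
    return summary


def flag(summary, watch_ports=frozenset({10000}), rare_max=3):
    """Destinations worth a look: anything on a watched port, plus low-volume
    destinations that a count-sorted view pushes to the bottom.  Sorted so the
    quietest ones come first."""
    hits = []
    for (app, ip, port), s in summary.items():
        reasons = []
        if port in watch_ports:
            reasons.append("watched port")
        if s["count"] <= rare_max:
            reasons.append("rare")
        if reasons:
            hits.append((app, ip, port, s["count"], s["min_gap_s"], reasons))
    hits.sort(key=lambda h: (h[3], h[0], h[1]))
    return hits


if __name__ == "__main__":
    for app, ip, port, count, min_gap, reasons in flag(summarise(parse_log(SAMPLE_LOG))):
        print(f"{app:22s} {ip}:{port}  hits={count}  min_gap={min_gap}  {', '.join(reasons)}")
```

With a real export, run it over several days of log; the "rare" rule is what surfaces a client that deliberately spaces its attempts, and the periodicity flag staying False for it is the tell that the spacing is jittered rather than a fixed timer.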

Eldkatten (Jr. Member, 98 posts)
strange outgoing connections on port 10000
« Reply #12 on: December 30, 2019, 01:00:07 pm »
Hello Ninji,

thank you for your work!

Do you happen to know what causes that "Firmware OTA" message on the Gemini? As I said, I don't want to update, but can't deactivate the "look for updated firmware". The only thing the device allows me to do is set the nudging period to one month, and then the darned thing appears again and stays.

I searched the process list for "ota" and the like, but didn't find anything. Do you perhaps know where that message comes from?

P.S.: Oh, I think I found out myself: I need to select the message, which makes the firmware update app open. Then I go to the process list, look for the com.fota.wirelessupdate process and kill it. Annoying message gone. I'll just see when it comes back again, but then I know how to tackle it.

P.P.S.: Killing the process only helps short-term, alas. The next day or so the stupid message is back. How do I permanently disable the "search for wireless update" feature?
« Last Edit: December 31, 2019, 03:31:08 pm by Eldkatten »

spook (Jr. Member, 89 posts)
strange outgoing connections on port 10000
« Reply #13 on: December 30, 2019, 08:17:34 pm »
Quote from: Ninji
Hey, I'm the author of that blog post about the Digitime/SystemFota updater linked above - thanks for drawing my attention to this on Twitter, I usually don't look at the Gemini subforum so I wouldn't have seen this otherwise...!

I vote that PC should just pay you to fix the Gemini and Cosmo issues