API tools faq
paste
Advertisement
Guest User

finfisher

a guest
Sep 3rd, 2014
6,929
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.28 KB | None | 0 0
raw download clone embed print report
  1. [source https://pad.riseup.net/p/OmJHHd0z1SGb]
  2.  
  3. TEmail-addresses mentioned in feedback and support requests:
  4. [email protected] (mongolia) (person's e-mail adress was for sale?!)
  5. [email protected]
  6.  
  7. @h2FinSpy Mobile
  8.  
  9. Firstname: E7549C72 at: 2011-12-12 19:14:22
  10.  
  11. Description: To whom it may concern We are currently investigating the possibility of adding the FinSpy Mobile package to our cyber solution. Brydon was always our contact person and he was in contact with our general manager, but he was moved to another structure. Can you please ask him to prepare a proposal and forward it to [email protected]. Regards ZAR
  12.  
  13. [email protected] (mongolia)
  14. [email protected] (nothing known)
  15. [email protected]
  16.  
  17. Possible links from this person:
  18.  
  19. * http://forum.xda-developers.com/search.php?searchid=297151718
  20.  
  21. * https://twitter.com/mnkhzrg
  22.  
  23. * https://secure.flickr.com/photos/7623302@N03/
  24.  
  25. Description: Dear Sirs. We tried to send infected pdf file to gmail account. It giving error message even we had zipped it please give us reference as soon as possible Odmagnai.S [email protected] [email protected] [email protected]
  26.  
  27. [email protected]
  28. [email protected] / [email protected]
  29. [email protected] (mongolia) (http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced)
  30. [email protected] / [email protected]
  31.  
  32. Customers I've identified:
  33. 29 - the Bahraini group, in support requests they ask for help setting up a
  34. website targetting activists in 14 Feb, and in another support request they
  35. attach their C&C server logs. The names of people with admin access to the
  36. FinSpy server are in the server logs, grep for "user name:"
  37. Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed
  38. Ansar Husain, Humayun, and Mohammed Al Majed
  39. From metadata in attached word documents.
  40. 69 - PCS Security Pte Ltd
  41. 49 - Cliff Harris
  42. New names:
  43. Rostislav Psota
  44. From text in support_request or feedback table:
  45. 21 - Nasser Alnuaimi Qatar state security bureau
  46. 82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
  47. 73 - Peter Balogh, SSNS - NBSZ hungary secret service
  48. 61 - Wim Bordeyne, gives work e-mail of [email protected] although skynet.be is
  49. an ISP?
  50. 48 - Vietnam
  51. 65 - Nigeria
  52. 18 - Mongolia, and their email [email protected] appears in this whois record:
  53. http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced
  54. From their username in customer table:
  55. 34 - Dyplex
  56. 9 - Trovicor (http://www.trovicor.com/images/pdf/release_c02_2013.pdf & ./www/FinFisher/Trovicor/)
  57. 10 - Elaman
  58. 23 - Cobham
  59. Countries mentioined in feedback and support requests:
  60. Bangladesh
  61. Belgium ([email protected] / [email protected])
  62. Bosnia & Herzegowina
  63. Czech Republic
  64. Hungary
  65. Latvia
  66. Mongolia ([email protected])
  67. Nigeria
  68. Qatar ([email protected] / [email protected])
  69. Vietnam
  70. https://news.ycombinator.com/item?id=8146200
  71. 0x03CE7ED9F158ADF2
  72. 0x053650A2977E9F54
  73. 0x0ADA0B76695D98C9
  74. 0x151BDCA37774F144
  75.  
  76. [email protected]
  77.  
  78. 0x1B7061956ABDF71F
  79. 0x1E2E1F1E00BE9690
  80.  
  81. Jochen van der Wal
  82.  
  83. 1024 bit DSA key 0x5A14D578, created: 2003-02-21
  84.  
  85. 0x22C5C361BA87B977
  86. 0x2643AF650FEB4CFF
  87. 0x2F36489D58143658
  88. 0x33A057DC6ABDA7D0
  89. 0x371B124C7704B771
  90. 0x4CA1E3C2780E8451
  91. 0x4D510F44A7A4AC21
  92.  
  93. Hari Purnama (pgp) <[email protected]>
  94.  
  95. 2048 bit RSA key 0xA7A4AC21, created: 2013-03-05
  96.  
  97. 0x6A4F8FA29BBDD293
  98. 0x771696752C52A5C8
  99. 0x77A0959F280AD26F
  100. 0x79EAEE7A42C2DDCE
  101. 0x92B299A48E037629
  102. 0x93C082CED81082F4
  103.  
  104. Melvin Teoh (Gamma Group) <[email protected]>
  105.  
  106. 2048 bit RSA key 0xD81082F4, created: 2012-03-08
  107.  
  108. 0x971A4906B03A5EA9
  109. 0xA013DEEEE061DE51
  110. 0xA4B525F406E990A5
  111. 0xA89933AD6225EAA0
  112. 0xB35A54CC2B9A229A
  113. 0xCB75BDEAF5946EA8
  114. 0xCCDB5A9B77B11C19
  115. 0xD2EFAD8FF166F2CA
  116.  
  117. Alexander Hagenah <[email protected]>
  118.  
  119. 2048 bit RSA key 0x88E6111F3F895273, created: 2013-03-05, expires: 2018-03-04
  120.  
  121. https://twitter.com/xaitax/
  122.  
  123. https://gist.github.com/xaitax
  124.  
  125. 0xDD85E2EB8269976E
  126.  
  127. Alfons Rauscher <[email protected]>
  128.  
  129. 1024 bit DSA key 0x3B76A10166878388, created: 2013-04-17 --> http://buggedplanet.info/index.php?title=VERVIS
  130.  
  131. 0xE366AE080FC82479
  132. 0xE4FB3038C47B1004
  133. 0x4CA1E3C2780E8451
  134. 0x22C5C361BA87B977
  135. 0x1B7061956ABDF71F
  136. 0xCCDB5A9B77B11C19
  137. 0x771696752C52A5C8
  138. 0x371B124C7704B771
  139. 0xE4FB3038C47B1004
  140. 0x4AA946DCC56A85E9
  141. 0xF820192E4FB534CB
  142. 0x6A4F8FA29BBDD293
  143. 0x33A057DC6ABDA7D0
  144. 0x79EAEE7A42C2DDCE
  145. 0xA4B525F406E990A5
  146. 0x79EAEE7A42C2DDCE
  147. 0xA4B525F406E990A5
  148. 0xB35A54CC2B9A229A
  149. 0xA013DEEEE061DE51
  150. 0x10789AA7CF246B05
  151. 0xE366AE080FC82479
  152. 0x82301882C3F3EC1B
  153.  
  154. [email protected] (New key 12/6/09) <[email protected]>
  155.  
  156. 1024 bit DSA key 0x85E86971, created: 2009-06-12
  157.  
  158. 0x007B9D3E3471B217
  159. 0xF852D5DACBFF2AB4
  160. 0x7F02DE5F6D531E64
  161. 0xA95DEAED331A704A
  162. 0x8444467B1B14387E
  163. 0x49F2E9B065BACA20
  164. 0x1E2E1F1E00BE9690
  165. 0x7CA282A470A03877
  166.  
  167. USB on Fire <[email protected]>
  168.  
  169. 2048 bit DSA key 0x89A4703C, created: 2013-07-04
  170.  
  171. Export that and do:
  172.  
  173. for key in `cat fin-keys.txt | grep 0x`; do torsocks gpg --batch --search-keys $key; done
  174.  
  175. Countries mentioined in country statistics for visitors to customer support website: https://twitter.com/GammaGroupPR/status/497005097533321217
  176.  
  177. Australia
  178.  
  179. Austria
  180.  
  181. Belgium
  182.  
  183. Canada
  184.  
  185. Cameroon
  186.  
  187. Chech Republic
  188.  
  189. Columbia
  190.  
  191. Costa Rica
  192.  
  193. China
  194.  
  195. Chile
  196.  
  197. Brazil
  198.  
  199. Bulgaria
  200.  
  201. Denmark
  202.  
  203. Ethiopia
  204.  
  205. France
  206.  
  207. Germany
  208.  
  209. Hong Kong
  210.  
  211. Hungary
  212.  
  213. Indonesia
  214.  
  215. Iran
  216.  
  217. Japan
  218.  
  219. Jordan
  220.  
  221. Korea (South)
  222.  
  223. Lebanon
  224.  
  225. Luxembourgh
  226.  
  227. Netherlands
  228.  
  229. Oman
  230.  
  231. Russian Federation
  232.  
  233. Spain
  234.  
  235. South Africa
  236.  
  237. Sweden
  238.  
  239. Switzerland
  240.  
  241. Taiwan
  242.  
  243. Thailand
  244.  
  245. Tunisia
  246.  
  247. Turkey
  248.  
  249. Trinidad and Tobago
  250.  
  251. United Arab Emirates
  252.  
  253. United States
  254.  
  255. Ukraine
  256.  
  257. Uraguay
  258.  
  259. Logfile of Bahrain government detailing FinFisher victims and the watchers controlling FinSpy
  260.  
  261. www/GGI/Support/Attachments/A169FE42.
  262.  
  263. Usernames extracted from logfiles contained in A169FE42 (urls result of google search for name
  264.  
  265. that may be the person). Extraction done via "if ('user name' in line)":
  266.  
  267. DETIAL: https://pad.riseup.net/p/0QG54xefh1Q3
  268.  
  269. USER ENTRIES:
  270.  
  271. User name Login name Passphrase
  272.  
  273. Abdulla Al Eid 'abdulla' '$@!?09b9ec794320d57719f50c79f8a3ba4c5f78c67bb19a60d258a858bb056d5b79d'
  274.  
  275. https://twitter.com/TheAbdullaa
  276.  
  277. Abdulla Husain 'Abdulla' '$@!?0a80b6b35bce67f9b78f1c6c0b4bee176a1a4265813b7eed6c569b3ca78420713'
  278.  
  279. http://adhrb.org/tag/husain-abdulla/
  280.  
  281. Ahmad 'Ahmad' '$@!?06e56b3ab96c3d1bdd8b091ef3a29012d269c145117eba7ae99d44d6c4527c5ae'
  282.  
  283. finspy 'finspy' '$@!?099c78c062ba994359ff8be008c5a86a79acaafaba4f2e87e22196bfd94e0d0a3'
  284.  
  285. Humayun 'Humayun' '$@!?06fe762d2faca772673650ae31201d9c85b569b2246e9ef0b4d9373db97e24fc7'
  286.  
  287. Mohammed Al Majed 'Mohammed' '$@!?0a9bd7592012a789c382fe9082d464898895abc37b59cab920e310eeb56b7f58c'
  288.  
  289. Rizwan Saleem 'Rizwan' '$@!?02182bd412679669cc0c26ba37ef7a1f764e529661896dd2b64d488f665889dd3'
  290.  
  291. Sayed Ansar Husain 'S.Ansar' '$@!?0340668373c5a88fc0309ddd971a57a138b564f0b2311fbbe9eebb623715d054a'
  292.  
  293. http://www.wayn.com/profiles/nastyrasna
  294.  
  295. Yousif Al Sadiq 'Yousif' '$@!?0abe3717f036da2d30debd96224169bc18ed8334c1289d07ec214b1f4639b644c'
  296.  
  297. TARGET ENTRIES:
  298.  
  299. Target ID User Computer Global IP NOTES
  300.  
  301. 0x10000f2 'USER' 'USER-PC' '109.130.30.82'
  302.  
  303. 0x1538f44c 'ADMIN' 'DIA079' '89.148.9.221'
  304.  
  305. 0x15719405 'SYSTEM' 'ZABEEL-4CA838AD' '78.105.48.42'
  306.  
  307. 0x167a3705 'FAlali' 'FATIMAALALI-PC' '217.17.237.231' http://www.lawyers.com/manama/bahrain/fatima-hussain-al-ali-41383740-a/
  308.  
  309. 0x18a2c941 'SYSTEM' 'USER-84FEEF1356' '178.61.76.42'
  310.  
  311. 0x1abd5e97 'scorpion' 'SCORPION-PC' '46.184.166.133'
  312.  
  313. 0x1b6bdd7e 'SYSTEM' 'COMPUTER-6618DA' '188.220.240.165'
  314.  
  315. 0x1de66f19 'SYSTEM' 'WW' '77.69.229.147'
  316.  
  317. 0x265010fe 'SYSTEM' 'DARYA-SYSTEM' '31.57.114.98'
  318.  
  319. 0x2c0561cb 'mmad' 'MMAD-HP' '188.116.228.164'
  320.  
  321. 0x2dba1fd1 'ALWEFAQ' 'ALWEFAQ-1E731B6' '89.148.29.246'
  322.  
  323. 0x2e3093d8 'HadiMosawi' 'HADIMOSAWI-PC' '88.201.63.24' https://twitter.com/SHalMosawi
  324.  
  325. 0x3433f1fe 'SYSTEM' 'JALILA-PC' '89.148.21.240'
  326.  
  327. 0x36e1dccb '' '' ''
  328.  
  329. 0x38584dbc 'mahmood.aloraibi' 'MAHMOOD-PC' '217.17.237.231' https://twitter.com/LawOraibi
  330.  
  331. 0x3b21966d 'alsayed.jaffer' 'ALSAYED-PC' '217.17.237.231' http://hassanradhi.com/team/mr-al-sayed-jaffer-mohammedassociate/
  332.  
  333. 0x3cae0814 'user' 'WINCTRL-Q2KVLM1' '188.116.249.129'
  334.  
  335. 0x3f5349f9 'SPIDER' 'SPIDER-PC' '89.148.17.52'
  336.  
  337. 0x4189d7d1 'Malalawi' 'MOHSIN-PC' '217.17.237.231'
  338.  
  339. 0x4239bd37 'Mahdi' 'MAHDI-VAIO' '83.136.59.211'
  340.  
  341. 0x48b21bec 'Owner' 'HOME-9526399744' '88.201.63.19'
  342.  
  343. 0x49d98a82 'KMA' 'KMA-VAIO' '77.69.225.196'
  344.  
  345. 0x4cda494f '' '' ''
  346.  
  347. 0x4d8fc8fe 'krishna' 'KRISHNA-PC' '109.161.177.205'
  348.  
  349. 0x4ff60c5c 'Ebrahim' 'EBRAHIM-SONYPC' '84.255.129.88'
  350.  
  351. 0x5075d4c0 'SYSTEM' 'SHIP' '84.255.190.3'
  352.  
  353. 0x51025829 '' '' ''
  354.  
  355. 0x5bf0415a 'SYSTEM' 'USER-PC' '94.76.9.136'
  356.  
  357. 0x5ec9ec9b 'SYSTEM' 'PC' '83.136.59.166'
  358.  
  359. 0x5ff47b05 '' '' ''
  360.  
  361. 0x606ce376 'fars' 'FOREIGNP-2-159' '109.70.143.210'
  362.  
  363. 0x609316da 'Douglass' 'DOUGLAS-HD' '77.69.225.196'
  364.  
  365. 0x60cf8481 'hanan.taqi' 'HUDA-PC' '217.17.237.231'
  366.  
  367. 0x6aef6d29 'SYSTEM' 'USER-CF6420EBAA' '62.215.128.21'
  368.  
  369. 0x700700c7 'Drdoos' 'DRDOOS-PC' '77.69.220.131'
  370.  
  371. 0x7123a0cb 'SYSTEM' 'SA-L-KH1943A' '188.116.192.231'
  372.  
  373. 0x712ff44c 'ADMIN' 'DIA077' '89.31.192.209'
  374.  
  375. 0x757b7e92 'SYSTEM' 'MAHERPC' '217.17.237.231'
  376.  
  377. 0x79d8f34c 'com4a' 'DIA092' '89.31.192.209'
  378.  
  379. 0x7db8bdfe 'user' 'USER-TOSH' '78.105.54.70'
  380.  
  381. 0x82b1a3f9 'User' 'USER-PC' '41.137.70.82'
  382.  
  383. 0x82d93e4c 'comet' 'COMET-PC' '46.64.70.95'
  384.  
  385. 0x835cb0e4 'SYSTEM' 'MATAM-H9074NLYU' '46.184.183.111'
  386.  
  387. 0x86cdbab8 'ehussab' 'EV002481025A9E' '194.237.142.3'
  388.  
  389. 0x8a6be029 'SYSTEM' 'E13889741FA94B9' '217.86.164.76'
  390.  
  391. 0x8c47f176 'SYSTEM' 'LAWPC02' '217.17.237.231'
  392.  
  393. 0x951f6ecb 'user' 'USER-PC' '78.110.70.141'
  394.  
  395. 0x9729f44c 'com1b' 'DIA084' '89.31.192.209'
  396.  
  397. 0x986208c7 'RomelT' 'ROMELTABAJA' '80.83.21.34' http://investing.businessweek.com/research/stocks/private/person.asp?personId=241673142&privcapId=38061438&previousCapId=38061438&previousTitle=Trust%20International%20Insurance%20&%20Reinsurance%20Co.%20B.S.C.%28c%29
  398.  
  399. 0x98987cc0 '0208' '1-PC' '77.69.217.118'
  400.  
  401. 0x9b18b5fa 'SYSTEM' 'USER-PC' '46.42.64.154'
  402.  
  403. 0x9b7b1dcb 'ASUS' 'ASUS-PC' '82.114.188.17'
  404.  
  405. 0x9df4b316 'SYSTEM' 'ALTAGER-PC' '89.148.0.38'
  406.  
  407. 0xa07289a 'abrar' 'ABRAR-PC' '86.145.66.174'
  408.  
  409. 0xa4626b7e 'SYSTEM' 'MYNAME-893A225C' '95.84.119.14'
  410.  
  411. 0xab87739c 'USER' 'USER-PC' '46.184.208.207'
  412.  
  413. 0xabf6064e 'Lenovo' 'LENOVO-PC' '115.67.192.74'
  414.  
  415. 0xae3eeeb9 'com1a' 'DIA086' '89.31.192.209'
  416.  
  417. 0xaed5ec50 '' '' ''
  418.  
  419. 0xb1f51f10 'yousif' 'AL-ARRAYED' '46.42.76.129'
  420.  
  421. 0xb3c17c17 'RMajeed' '455-36BBBBCE1AE' '217.17.237.231'
  422.  
  423. 0xb4a68721 'SYSTEM' 'KHALIL-PC' '217.17.237.231'
  424.  
  425. 0xb609d22b 'user' 'USER-PC' '46.42.104.19'
  426.  
  427. 0xb8bc95a0 'SYSTEM' 'ABRAR-DRGOQH912' '86.145.64.24'
  428.  
  429. 0xbacffba9 'SYSTEM' 'HASANMUSHAIM' '74.115.3.64' https://en.wikipedia.org/wiki/Hasan_Mushaima
  430.  
  431. 0xc2ce5700 'WAFA COMPUTERS' 'WAFACOMPUTERS' '94.187.18.47' ?? http://wikimapia.org/4867042/al-wafa-computers ??
  432.  
  433. 0xc93f83f9 'My Documents' 'DELL' '77.69.173.183'
  434.  
  435. 0xd405e672 'SYSTEM' 'PC-13' '93.97.55.83'
  436.  
  437. 0xdd3bf44c 'ADMIN' 'DIA080' '89.31.192.209'
  438.  
  439. 0xdf2bf44c 'com2c' 'DIA087' '89.31.192.209'
  440.  
  441. 0xdfb41f10 'aya' 'AYA-PC' '89.148.39.32'
  442.  
  443. 0xe3ad7d7e 'SYSTEM' 'SALVATIO-1424E9' '188.220.240.165'
  444.  
  445. 0xe4163efb 'Moosa' 'MOOSA-PC' '94.195.190.251'
  446.  
  447. 0xe51a26fe 'SYSTEM' 'USER-A5CEA6FD42' '46.184.160.135'
  448.  
  449. 0xe5339505 'SYSTEM' 'THE-1A72E930F5E' '78.145.20.73'
  450.  
  451. 0xe56d7b6d 'Qasim' 'ALHASHMI' '46.64.70.95'
  452.  
  453. 0xebbe9ab3 'nader' 'NADER-PC' '82.194.39.198'
  454.  
  455. 0xeee0d4fa 'halmahfoodh' 'HUSSAIN' '77.69.216.195'
  456.  
  457. 0xf5a11f10 'scorpion' 'SCORPION-PC' '46.184.205.228'
  458.  
  459. 0xf627f44c 'com2b' 'DIA096' '89.31.192.209'
  460.  
  461. 0xfd9a1310 'com3b' 'DIA088' '89.31.192.209'
  462.  
  463. 0xfe3ac5af 'Saeed 'JAAFAR' '78.149.123.155' https://en.wikipedia.org/wiki/Saeed_al-Shehabi
  464.  
  465. Email addresses extracted from logfiles contained in A169FE42 (urls result of google search, not
  466.  
  467. from logfiles). Extraction done via "if ('Emailaddress' in line)":
  468.  
  469. [email protected]
  470.  
  471. [email protected]
  472.  
  473. NOTE: These addresses show in the log files for "alarm" entries per target. This may indicate that alarms are sent to these email address for a given subset of targets.
  474.  
  475. GeoIP entries extracted form logfiles contained in A169FE42. Extraction done via "if ('GeoIP entry, item' in line):"
  476.  
  477. and reading the next 4 lines:
  478.  
  479. See file here: https://pad.riseup.net/p/anQZDggEMhh5
  480.  
  481. Targeted computers extracted from 417B7B13.rar. ITACA(?) as source?
  482.  
  483. $ grep -i name 2013-10-09_16-29-24-System.log | sort -k 8 | perl -nle '@a=split; print join " ", @a[6..7], @a[10..20]' | sort | uniq -c | sed -e 's/target//g'|sed 's/(Trojan://g'|sed 's/Comp-Name://g'|sed 's/Inst-Mode:.*//g' | column -s " " -t | sort -k 4
  484.  
  485. N Target_ID Trojan_Name Comp-Name
  486.  
  487. 109 0x71832C7E bolzano-01mbr CARLOS-PC
  488.  
  489. 8 0x82266CA2 new_pc DELL-DEMO-02
  490.  
  491. 7 0x61A39D54 galaxydemo6 DEMO3
  492.  
  493. 2 0x9D1AECF9 csal001 DILORENZO-A
  494.  
  495. 118 0x4B17A31D TestVenPie GENESIMOBILE-PC
  496.  
  497. 3 0x4B17A31D testlat-01 GENESIMOBILE-PC
  498.  
  499. 1 0x1F87136A demo-hsd-at1 GENESIMOBILE-PC
  500.  
  501. 6 0x33595444 GalaxyMacBook1 hamzas-macbook-pro.local
  502.  
  503. 15 0xC9F3E1E3 test_srv01 ITACAAGENT06
  504.  
  505. 2 0x55474150 mac-demo macbook-pro-di-mario-luzi.local
  506.  
  507. 2 0x549DA3AA lin2607 netsiever
  508.  
  509. 1 0x61043D56 test-ancona PICCOLOP-XP
  510.  
  511. 1 0x61043D56 demohsd-02sys PICCOLOP-XP
  512.  
  513. 9 0xFEBBE8BA demo-gl01 TARGET-NB-01
  514.  
  515. 236 0xFEBBE8BA cristian_1 TARGET-NB-01
  516.  
  517. 13 0xFEBBE8BA demogalaxy4 TARGET-NB-01
  518.  
  519. 1 0xFEBBE8BA DemoGalaxy02 TARGET-NB-01
  520.  
  521. 11 0xFEBBE8BA DemoGalaxy_5 TARGET-NB-01
  522.  
  523. 9 0xFEBBE8BA demogalaxy01 TARGET-NB-01
  524.  
  525. 1 0xFEBBE8BA demohsd-02sys TARGET-NB-01
  526.  
  527. 5 0xA7821F10 caserta-01e TERMINALE-PC2
  528.  
  529. 1 0xC9F3E1E3 demogalaxy01mbr TEST02-THINK
  530.  
  531. 1 0x3EF3E1E3 nola-01 TEST-THINK
  532.  
  533. 86 0x3EF3E1E3 demo-at02 TEST-THINK
  534.  
  535. 31 0x3EF3E1E3 Demo Trojan Windows 01 DEMO-THINK
  536.  
  537. 2 0x61043D56 Demo Trojan Windows 01 PICCOLOP-XP
  538.  
  539. 7 0x37145D29 Demo Trojan Windows 02 DEMO-PC
  540.  
  541. 2 0x24E785D6 Aprilia-01mbr UTENTE-PC1
  542.  
  543. 3 0xDA22C929 bolzano-01mbr WIN-JT981OVE4SK
  544.  
  545. 40 0x37AABA29 TestVenPie WIN-O2ABT18KLG8
  546.  
  547. First column (N) relates to the number of times the entry showed up in the log. An entry is added with the note "comes online" each time. So the N column likely indicates number of times the system noticed this target came online.
  548.  
  549. Phone numbers from same log file:
  550.  
  551. $ grep mobile 2013-10-09_16-29-24-System.log | grep 'having phone number' |sort -k 19 | awk '{print $19}' | uniq -c
  552.  
  553. 2 '+393206562399' (30=Italy)
  554.  
  555. 2 '+393311870439'
  556.  
  557. 1 '+393351346777'
  558.  
  559. 4 '+393351515103'
  560.  
  561. 3 '+393355669618'
  562.  
  563. 4 '+393425621143'
  564.  
  565. 2 '+393463536394'
  566.  
  567. IMSI's:
  568.  
  569. $ grep -i imsi 2013-10-09_16-29-24-System.log | cut -d " " -f 6- | sort -k 7 | sed 's/^ *//g'
  570.  
  571. INFO: The IMSI of mobile target 0x00000B82F07A417F has changed to 0x0000CAD0180D0DEB
  572.  
  573. INFO: The IMSI of mobile target 0x00000B82F07A417F has changed to 0x0000D1328A7C0A84
  574.  
  575. INFO: The IMSI of mobile target 0x00000B82F07A417F has changed to 0x0000D1328A7C0A84
  576.  
  577. INFO: The IMSI of mobile target 0x00013FFAF45193CB has changed to 0x0000CA00924A71FE
  578.  
  579. INFO: The IMSI of mobile target 0x00013FFAF4519C55 has changed to 0x0000D1328A7C0A84
  580.  
  581. INFO: The IMSI of mobile target 0x00013FFAF4519C55 has changed to 0x0000D1328A7C0A84
  582.  
  583. INFO: The IMSI of mobile target 0x00013FFAF4519C55 has changed to 0x0000D1328A7C0A84
  584.  
  585. INFO: The IMSI of mobile target 0x00013FFAF4519C55 has changed to 0x0000D1328A7C0A84
  586.  
  587. INFO: The IMSI of mobile target 0x0001470CFA848E76 has changed to 0x0000CA00924A717A
  588.  
  589. INFO: The IMSI of mobile target 0x0001470CFA848E76 has changed to 0x0000CA00924A71DC
  590.  
  591. MMC location change:
  592.  
  593. $ grep -i mcc 2013-10-09_16-29-24-System.log | sed 's/.*INFO: //g' | uniq
  594.  
  595. The MCC value of mobile target 0x00013FFAF4519C55 has changed to '222' (Italy)
  596.  
  597. The MCC value of mobile target 0x00000B82F07A417F has changed to '222'
  598.  
  599. The MCC value of mobile target 0x00013FFAF4519C55 has changed to '222'
  600.  
  601. The MCC value of mobile target 0x00000B82F07A417F has changed to '222'
  602.  
  603. The MCC value of mobile target 0x00013FFAF4519C55 has changed to '222'
  604.  
  605. The MCC value of mobile target 0x00000B82F07A417F has changed to '000' (???)
  606.  
  607. The MCC value of mobile target 0x00000B82F07A417F has changed to '230' (Czech Republic)
  608.  
  609. The MCC value of mobile target 0x00013FFAF4519C55 has changed to '222'
  610.  
  611. The MCC value of mobile target 0x00000B82F07A417F has changed to '000'
  612.  
  613. The MCC value of mobile target 0x00000B82F07A417F has changed to '230'
  614.  
  615. The MCC value of mobile target 0x00013FFAF45193CB has changed to '222'
  616.  
  617. Support/6E51EFE8.txt
  618.  
  619. [Feb 4 22:57:25] WARNING[3629] chan_sip.c: Retransmission timeout reached on transmission 1754558912 for seqno 1 (C3:53:00:0c:31:96:5c:06:08:00 SRC=188.138.32.16 DST=213.168.28.54 LEN=52 TOS=0x02 PREC=0x00 TTL=1Mar 3 08:42:39 F-MP-20-12 kernel: [431659.401063] InDrop IN=eth0.100 OUT= MAC=00:19:99:cb:53:53:00:0c:31:96:5c:06:08:00 SRC=188.138.32.16 DST=213.168.28.54 LEN=52 TOS=0x02 PREC=0x00 TTL=119 ID=8381 DF PROTO=TCP SPT=63683 DPT=16566 WINDOW=32 RES=0x00 CWR ECE SYN URGP=0
  620.  
  621. 19 ID=8233 DF PROTO=TCP SPT=49394 DPT=16565 WINDOW=32 RES=0x00 CWR ECE SYN URGP=0
  622.  
  623. ...
  624.  
  625. The ip's mentioned above:
  626.  
  627. SRC:188.138.32.16 = intergenia AG German Service provider - subblock for Plusserver AG
  628.  
  629. DST:213.168.28.54 = Static Links for Elion Ettevotted Aktsiaselts (Estonian Telco)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!