
htsource

macrumors newbie
Original poster
Dec 3, 2010
I don't know what's going on lately but my jailbroken iPhone4 with 4.1 firmware runs hot from time to time with nothing special running that I know of. Battery would drain half in an hour and a bit.

Unfortunately, as of late, possibly after some Cydia app updates, I've lost the ability to SSH to my phone. It refuses connection. I downloaded SysInfoPlus and SysStatsLite to check the CPU usage; unfortunately they don't show CPU usage per process, I only see the total CPU usage. When the phone is warm, I see the CPU usage hover around 85% to 90% free. When it's working fine, it's sitting at about 97% free.

Are there any apps I can see CPU usage per process? I have SBSettings, and usually I have only Phone and Mail running under processes.

Much appreciate any help,
 
Open up SysInfoPlus and check your running Processes.
Look for poc-bbot
If you see this process then you have a virus on your phone.
You might also notice that bash and cp processes are at the top of the list and the PPID number is the same as poc-bbot PID number.

If you do not see poc-bbot then look for another process with a PPID that is not 1 or 0, and reply back with that process name.

If you have the above process running, I'll post removal steps for you instead of making a huge post that doesn't apply.
 
Thank you, looks like I do have the virus.

I can see the following:

cp - PID: 3304 PPID: 3302
bash - PID: 3305 PPID: 3302
poc-bbot - PID: 3302 PPID: 1

Please send the instructions when you have a moment, much appreciate it

P.S. Is this the reason I'm not able to SSH to the phone anymore?
 
Sorry to hear that

First thing you would want to do is change your device root password.
Cydia has it right on the home screen, read it: http://cydia.saurik.com/password.html
I personally wasn't able to launch that Terminal app on Cydia's default repos but if you have any other repos then try that and see if their Terminal app works. Otherwise you might have to reinstall OpenSSH from Cydia for SSH to work. But once it does then launch Putty or any other terminal program from your computer and follow the steps listed by Saurik as they work fine via your computer.

For the following steps you should have a program like iPhoneBrowser (http://code.google.com/p/iphonebrowser/) or if you can manage via SSH then try that and follow below:

As with any virus, there are various versions out there so the following files and locations might not exist, but remove them:
/bin/poc-bbot
/bin/sshpass
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock


There is another version which alters the following images:
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg
I recommend copying the file to your computer and viewing it first to see if the image is altered or not.

Another version also alters Cydia files
/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
I recommend that you view each of those files before deleting them; if the file looks fine, leave it. If you do delete the files then you may have to install Cydia manually, so take caution.

REMEMBER: DELETING FILES YOU ARE NOT SURE OF COULD CAUSE SERIOUS PROBLEMS WITH YOUR iPHONE!


The most common version out in the wild would only have the first section of 4 files. When you copy poc-bbot over to your computer, your virus scanner should immediately identify it as the ikee virus (which is what you got caught with)


The reason why you got caught is because you did not change your device root password from the default 'alpine' and left SSH turned on. Leaving it on allows someone like me to access your device from the comfort of my home and dump a virus in there, and while I am at it steal some of your precious data... Consider SSH like a backdoor to your phone. Change that default password, keep SSH off when you are not using it and you are safe.

Let me know if you need some clarification.
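The two checks described in these replies (look for a poc-bbot process and for processes whose parent is not PID 0 or 1, then look for the four indicator files) as an added shell example that is not from the thread. The process table is constructed inline so it runs offline; feeding it a real listing such as `ps -A -o comm=,pid=,ppid=` over SSH is an assumption, as is the optional root prefix for checking a copied filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Input is a "NAME PID PPID" table.

# Constructed sample mirroring the process list the poster reported.
SAMPLE_PS='launchd 1 0
SpringBoard 40 1
poc-bbot 3302 1
cp 3304 3302
bash 3305 3302
MobileMail 51 1'

# Print the PID of every process named poc-bbot.
find_bbot() {
  printf '%s\n' "$1" | awk '$1 == "poc-bbot" { print $2 }'
}

# Print the names of processes whose PPID equals the given PID
# (the cp/bash pair the reply says sits under poc-bbot).
children_of() {
  printf '%s\n' "$2" | awk -v p="$1" '$3 == p { print $1 }'
}

# Print processes whose parent is neither the kernel (0) nor launchd (1),
# the fallback check the reply suggests when poc-bbot itself is renamed.
odd_parents() {
  printf '%s\n' "$1" | awk '$3 != 0 && $3 != 1 { print $1 " (PPID " $3 ")" }'
}

# Report which of the four indicator files from the reply exist.
# An optional root prefix (assumed) lets this run against a pulled copy.
check_files() {
  root="${1:-}"
  for f in /bin/poc-bbot /bin/sshpass \
           /System/Library/LaunchDaemons/com.ikey.bbot.plist \
           /var/lock/bbot.lock; do
    [ -e "$root$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Stand-alone run over the constructed sample.
for pid in $(find_bbot "$SAMPLE_PS"); do
  echo "poc-bbot running as PID $pid, children:"
  children_of "$pid" "$SAMPLE_PS"
done
echo "Processes not parented by launchd:"
odd_parents "$SAMPLE_PS"
```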
 
Thanks so much, looks like I only have the first 4 files infected. I removed them as soon as I copied them over using iPhoneBrowser; my antivirus program picked it up right away as a virus, wow!

I'll see if the battery usage improves, thank you so much once again!
 
No problem,

Just remember to change that default root password from 'alpine' to something else to stop this from happening again.
 