#!/bin/bash
# ================================================================================
# check-for-osx-malware.sh
#
# Simple script to check the existence of files used by:
# - Backdoor:OSX/MacKontrol.A
# - Backdoor:OSX/Olyx.C
# - Backdoor:OSX/Sabpab.A
#
# Checks are based on information from F-Secure's database:
# http://www.f-secure.com/v-descs/
#
#
# Hannes Juutilainen, [email protected]
#
# History:
# 2012-04-18, Hannes Juutilainen
# - First version
# ================================================================================
# Runtime flags; both are changed later in the script.
VERBOSE=false          # -v / --verbose: print every path as it is tested
DID_FIND_FILES=false   # flipped to true as soon as one indicator is found

# Absolute paths that are tested once for the whole system.
declare -a FILES_TO_CHECK=()
FILES_TO_CHECK+=("/Applications/Automator.app/Contents/MacOS/DockLight") # Backdoor:OSX/Olyx.C
FILES_TO_CHECK+=("/Library/launched")                                    # Backdoor:OSX/MacKontrol.A

# Paths relative to a home directory; tested under every entry of /Users.
declare -a USERFILES_TO_CHECK=()
USERFILES_TO_CHECK+=("Library/Preferences/com.apple.PubSabAgent.pfile")      # Backdoor:OSX/Sabpab.A
USERFILES_TO_CHECK+=("Library/LaunchAgents/com.apple.PubSabAgent.plist")     # Backdoor:OSX/Sabpab.A
USERFILES_TO_CHECK+=("Library/LaunchAgents/com.apple.FolderActionsxl.plist") # Backdoor:OSX/MacKontrol.A
USERFILES_TO_CHECK+=("Library/LaunchAgents/com.apple.DockActions.plist")     # Backdoor:OSX/Olyx.C
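# ================================================================================
# Check for root
# ================================================================================
# The per-user checks further down look inside every home directory under
# /Users, which an unprivileged account generally cannot read, so refuse to
# continue otherwise. The diagnostic goes to stderr: the original "2>&1"
# redirected stderr onto stdout, which left the message on stdout.
if [[ $EUID -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi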
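# ================================================================================
# Arguments
# ================================================================================
#######################################
# Parse the command line into the VERBOSE flag.
# Globals:   VERBOSE (written)
# Arguments: the script's positional parameters; only -v / --verbose is accepted
# Outputs:   error message on stderr for any other argument
# Returns:   exits 1 on an unrecognized argument
#######################################
parse_args() {
  # Loop on the argument count rather than on "$1" so an empty-string
  # argument is reported instead of silently ending the parse.
  while (( $# > 0 )); do
    case "$1" in
      -v | --verbose)
        VERBOSE=true
        ;;
      *)
        printf '%s\n' "Unrecognized arguments" >&2
        exit 1
        ;;
    esac
    # Exactly one shift per option. The original shifted twice for -v, so the
    # argument following it was consumed without ever being checked.
    shift
  done
}
parse_args "$@"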
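# ================================================================================
# System-wide indicator files
# ================================================================================
#######################################
# Report every entry of FILES_TO_CHECK that exists as a regular file.
# Globals:   FILES_TO_CHECK (read), VERBOSE (read), DID_FIND_FILES (written)
# Outputs:   one "===> WARNING" line per hit on stdout; progress lines when VERBOSE
# Returns:   0
#######################################
check_system_files() {
  local infection_file
  for infection_file in "${FILES_TO_CHECK[@]}"; do
    if $VERBOSE; then
      # %s, not %b: a path is data and must not have backslash escapes interpreted.
      printf '\n%s\n' "Checking for $infection_file"
    fi
    # -f: only a regular file counts as a hit, as in the original check.
    if [[ -f "$infection_file" ]]; then
      printf '%s\n' "===> WARNING: Found $infection_file"
      DID_FIND_FILES=true
    elif $VERBOSE; then
      printf '%s\n' "---> File doesn't exist in $infection_file"
    fi
  done
}
check_system_files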
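# ================================================================================
# Per-user indicator files
# ================================================================================
#######################################
# Report every entry of USERFILES_TO_CHECK that exists as a regular file
# under any entry of the home-directory folder.
# Globals:   USERFILES_TO_CHECK (read), VERBOSE (read), DID_FIND_FILES (written)
# Arguments: $1 - folder holding the home directories (default: /Users)
# Outputs:   one "===> WARNING" line per hit on stdout; progress lines when VERBOSE
# Returns:   0
#######################################
check_user_files() {
  local homes_dir=${1:-/Users}
  local userfile home
  local nullglob_was_set=false
  # nullglob makes an empty or missing homes folder expand to nothing instead
  # of the literal pattern. Set it once here and restore the caller's state
  # afterwards rather than toggling it on every iteration.
  shopt -q nullglob && nullglob_was_set=true
  shopt -s nullglob
  for userfile in "${USERFILES_TO_CHECK[@]}"; do
    if $VERBOSE; then
      # %s, not %b: paths are data and must not have backslash escapes interpreted.
      printf '\n%s\n' "Checking for $homes_dir/*/$userfile"
    fi
    # Glob directly in the for-list. The original stored "/Users/*" in a
    # variable and expanded it unquoted, which word-split any home directory
    # whose name contains whitespace.
    for home in "$homes_dir"/*; do
      if [[ -f "$home/$userfile" ]]; then
        printf '%s\n' "===> WARNING: Found $home/$userfile"
        DID_FIND_FILES=true
      elif $VERBOSE; then
        printf '%s\n' "---> File doesn't exist in $home/$userfile"
      fi
    done
  done
  $nullglob_was_set || shopt -u nullglob
}
check_user_files
if $VERBOSE; then
  printf '\n'
fi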
# ================================================================================
printf "%b" "Results: "
# ================================================================================
if $DID_FIND_FILES; then
printf "%b\n" "WARNING: System tested positive on at least one of the tests."
else
printf "%b\n" "System is clean."
fi
exit 0