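#!/bin/bash
# ================================================================================
# check-for-osx-flashback.K.sh
#
# Script to check system for any signs of OSX/Flashback.K trojan
# Checks are based on information from F-Secure's website:
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
#
# Hannes Juutilainen, hjuutilainen@mac.com
#
# History:
# 2012-04-10, Hannes Juutilainen
# - Added support for checking multiple browsers
# - Changes in output formatting
# 2012-04-03, Hannes Juutilainen
# - First version
# ================================================================================
# Notes:
# - The script uses bash features (arrays, [[ ]], shopt), so the shebang is
#   /bin/bash rather than /bin/sh.
# - Must be run as root so that every user's ~/.MacOSX/environment.plist is
#   readable. Only home directories under /Users/* are scanned.
# - The checks only test for the *presence* of the LSEnvironment and
#   DYLD_INSERT_LIBRARIES keys; they do not inspect the values. Legitimate
#   software can set these keys too, so every WARNING line should be reviewed
#   by hand before the machine is treated as infected.
# - Exit status: 1 when not run as root, 0 otherwise. The scan outcome is
#   reported on stdout (the "Results:" line), not through the exit status, to
#   stay compatible with callers of the original script.
# ================================================================================
set -eu

# ================================================================================
# Apps that need to be checked for the LSEnvironment key
# If you need to check additional paths, add them here
# ================================================================================
APPLICATIONS_TO_CHECK=(
  "/Applications/Safari.app"
  "/Applications/Firefox.app"
  "/Applications/Google Chrome.app"
  "/Applications/Opera.app"
)

# Set to 1 by any check that finds an indicator; read by print_results.
SCAN_RESULTS=0

#######################################
# Abort unless the script runs as root.
# Globals:   EUID (read)
# Outputs:   error message on stderr
# Returns:   exits 1 when not root
#######################################
require_root() {
  if [[ $EUID -ne 0 ]]; then
    # The original used "2>&1" here, which left the message on stdout;
    # ">&2" is what sends it to stderr.
    printf '%s\n' "This script must be run as root" >&2
    exit 1
  fi
}

#######################################
# Check each application bundle's Info.plist for an LSEnvironment key.
# Globals:   APPLICATIONS_TO_CHECK (read), SCAN_RESULTS (written)
# Outputs:   one status line per installed bundle on stdout
#######################################
check_lsenvironment_keys() {
  local app plist
  printf '%s\n' "Checking for LSEnvironment key in application bundles"
  for app in "${APPLICATIONS_TO_CHECK[@]}"; do
    plist="$app/Contents/Info.plist"
    # Bundles that are not installed are skipped silently, as in the original.
    [[ -e "$plist" ]] || continue
    # `defaults read` exits non-zero when the key does not exist.
    if defaults read "$app/Contents/Info" LSEnvironment >/dev/null 2>&1; then
      printf '%s\n' "===> WARNING: Found LSEnvironment in $plist"
      SCAN_RESULTS=1
    else
      printf '%s\n' "---> Key not found: $plist"
    fi
  done
}

#######################################
# Check for the dropped library in the shared users folder.
# Globals:   SCAN_RESULTS (written)
# Outputs:   status line on stdout
#######################################
check_libgmalloc() {
  printf '\n%s\n' "Checking for /Users/Shared/.libgmalloc.dylib"
  if [[ -e /Users/Shared/.libgmalloc.dylib ]]; then
    printf '%s\n' "===> WARNING: Found /Users/Shared/.libgmalloc.dylib"
    SCAN_RESULTS=1
  else
    printf '%s\n' "---> File doesn't exist"
  fi
}

#######################################
# Check every /Users/* home for a DYLD_INSERT_LIBRARIES key in
# ~/.MacOSX/environment.plist.
# Globals:   SCAN_RESULTS (written)
# Outputs:   one status line per home directory on stdout
#######################################
check_environment_plists() {
  local home plist
  printf '\n%s\n' "Checking for DYLD_INSERT_LIBRARIES key in /Users/*/.MacOSX/environment.plist"
  # nullglob: no iteration at all if /Users/* matches nothing.
  shopt -s nullglob
  # Glob directly in the for-list. The original expanded an unquoted
  # variable, which word-splits home directories whose names contain spaces.
  for home in /Users/*; do
    plist="$home/.MacOSX/environment.plist"
    if [[ -f "$plist" ]]; then
      if defaults read "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES >/dev/null 2>&1; then
        printf '%s\n' "===> WARNING: Found DYLD_INSERT_LIBRARIES key in $home/.MacOSX/environment"
        SCAN_RESULTS=1
      fi
    else
      printf '%s\n' "---> File doesn't exist in $plist"
    fi
  done
  shopt -u nullglob
  printf '%s\n' "---> Done"
}

#######################################
# Print the overall verdict.
# Globals:   SCAN_RESULTS (read)
# Outputs:   "Results: ..." on stdout
#######################################
print_results() {
  printf '\n%s' "Results: "
  if [[ $SCAN_RESULTS -ne 0 ]]; then
    printf '%s\n\n' "WARNING: System tested positive on at least one of the tests."
  else
    printf '%s\n\n' "System is clean."
  fi
}

#######################################
# Entry point: run all checks in the original order and exit 0.
#######################################
main() {
  require_root
  check_lsenvironment_keys
  check_libgmalloc
  check_environment_plists
  print_results
  # Kept at 0 regardless of findings for compatibility with the original.
  exit 0
}

main "$@"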