Mmh, pipes!
But why not replace "find" with "mdfind" to make use of the awesome speed of spotlight? You could even leave out "-onlyin /" to search all local volumes in lightning speed...
# /usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") '
/Applications/Firefox.app
/Applications/Safari.app
/Applications/Google Chrome.app
Related topic: This might grow into a bigger problem. Now I am worried about all of the websites offering scripts that promise to check and clean the Mac from the flashback trojan.
@cvgs Ohh that is much faster :)
Nice.
@sean I thought I had voted up on that a while ago but just did it again.
It is pretty annoying. My original script for this had an if then else statement for the checks so it would go
/Application/Safari.app is NOT infected
/Application/Firefox.app is infected
rmanly is infected
etc. But on student machines with tons of mobile accounts the result was incomprehensible without newlines, so I took out all the NOTs.
This EA is very helpful, thanks!!!
Has anyone found a threat yet?
#!/bin/bash
#Would this work? How would I echo back that the computer is not infected?
# Spotlight lookup for the Safari bundle (bundle identifiers are case-sensitive)
SAFARI_BROWSERS=$(/usr/bin/mdfind "kMDItemCFBundleIdentifier == 'com.apple.Safari'")
echo "<result>"
# An LSEnvironment dictionary in the browser's Info.plist is the infection marker
defaults read "${SAFARI_BROWSERS}"/Contents/Info LSEnvironment 2> /dev/null && echo "${SAFARI_BROWSERS} is infected"
# Check every local account (UID > 500) for an injected DYLD_INSERT_LIBRARIES
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected"
done
echo "</result>"
when I tried the EA with the mfind tweak all I get is
/private/tmp/extensionAttributeScript: line 25: syntax error near unexpected token `<' /private/tmp/extensionAttributeScript: line 25: `done < </usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ''
That modified line should look like this:
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -print0 2> /dev/null)
That got past that line - but now it's returning
/private/tmp/extensionAttributeScript: line 56: syntax error: unexpected end of file
However, I went back and counted the lines in the EA - and it's only 37 lines... unless I stretch the box out, then it's 28...
This is Ryan's script with Christoph's suggested mdfind modification. I added another check for /Users/Shared/.libgmalloc.dylib.
#!/bin/bash
app_list=()
# Everything written to fd 3 is relayed to stdout by the background cat
mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo
echo "<result>"
# Collect the NUL-separated bundle paths Spotlight returns (mdfind's flag is -0)
while read -r -d $''; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
# A browser whose Info.plist carries an LSEnvironment dictionary has been patched
for browser in "${app_list[@]}"; do
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done
# Local accounts (UID > 500) whose environment.plist injects a library
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done
if [[ -f /Users/Shared/.libgmalloc.dylib ]]; then
echo "/Users/Shared/ is infected" >&3
fi
exec 3>&-
# Wait for cat to drain the fifo so the closing tag comes last
wait
unlink result_fifo
echo "</result>"
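The same two plist checks the scripts in this thread make, as an added example that is not code from the thread: it parses the plists directly with Python's plistlib instead of calling defaults, runs against constructed sample plists embedded inline (the injected paths are the ones quoted elsewhere in this thread), and wraps the findings in the <result> element the EA emits. scan_bundle is an assumed helper for reading a real bundle's Info.plist from disk.

```python
import os
import plistlib

# Constructed sample plists (not taken from any real machine): a clean browser
# Info.plist, one carrying the LSEnvironment injection the EA checks for, and a
# user ~/.MacOSX/environment.plist with DYLD_INSERT_LIBRARIES set.
CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
INFECTED_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {
        "DYLD_INSERT_LIBRARIES": "/Applications/Safari.app/Contents/Resources/.IntenetTweak.xsl"},
})
USER_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/Users/Shared/.libgmalloc.dylib"})

def injected_library(plist_bytes, key_path):
    """Walk key_path into the plist; return the injected library path or None."""
    node = plistlib.loads(plist_bytes)
    for key in key_path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) and node else None

def check_browser(app_path, info_plist_bytes):
    """Same test as `defaults read .../Contents/Info LSEnvironment` in the EA."""
    lib = injected_library(info_plist_bytes, ("LSEnvironment", "DYLD_INSERT_LIBRARIES"))
    return f"{app_path} is infected ({lib})" if lib else None

def check_user(username, env_plist_bytes):
    """Same test as `defaults read /Users/<user>/.MacOSX/environment DYLD_INSERT_LIBRARIES`."""
    lib = injected_library(env_plist_bytes, ("DYLD_INSERT_LIBRARIES",))
    return f"user {username} is infected ({lib})" if lib else None

def scan_bundle(app_path):
    """Assumed helper: read a real bundle's Info.plist; a missing file means nothing to report."""
    try:
        with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
            return check_browser(app_path, fh.read())
    except FileNotFoundError:
        return None

def build_result(findings):
    """Wrap the non-empty findings in the <result> element the JSS EA expects."""
    lines = [f for f in findings if f]
    return "<result>\n" + "".join(line + "\n" for line in lines) + "</result>"
```

A clean machine yields an empty <result> element, which is why a Smart Group matching "like infected" on this attribute only catches the hits.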
First, a big "Thank you" to everyone for the script and modifications.
My question, I know how to make a policy to run this but how do I get it to report back to me on what computers are infected?
When I run it on a couple of my test computers, I have to actually view each computer's install log to see the result.
Thanks again and I apologize for the ignorant question.
I wouldn't create a policy. Just create an Extension Attribute and recon your machines or wait for them to check in and provide an inventory. If you have a Smart Group that checks the Extension Attribute for "like" infected and check off Send Email Notification on Change, that should take care of it.
Thanks Golbiga....
It's a Friday... I'm forgetting everything I learned it seems.
Enjoy the weekend everyone!
Thanks for crafting the scripts!
A note confirming speed improvement with using talkingmoose's script compared to the first one posted by rmanly. Recon time went from 5m 04s down to 2m 34s on my test device.
So far none discovered. I am tempted to figure out how to fake my test device so I know the detection is working.
This is great! thank you! It's completing VERY quickly now.
Should the only output be "infected"? If it's clean, is there no output at all?
@talkingmoose- Just a slight modification to your last script... shouldn't be a -print0, but a -0.
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
Unsure about elsewhere, but my few test systems don't have kMDItemCFBundleIdentifier for Safari. So, instead for that one, I'm using kMDItemFSName == "Safari.app". The other two apps have kMDItemCFBundleIdentifier.
And thanks to rmanly, talkingmoose and cvgs for the code. Really quite useful.
You may get a faster response doing an onlyin, but there is nothing to say that Firefox or Chrome couldn't be anywhere on the system.
You may also wish to check launchctl for a set environment variable "DYLD_INSERT_LIBRARIES". You could run this as a login hook.
Something like:
# PID of the console loginwindow, i.e. the session whose launchd environment we want
userPID=$(ps -ef | grep "loginwindow console" | grep -v grep | awk '{print $2}')
# $3 is the username handed to the login script; query that user's launchd environment
launchctl bsexec "$userPID" su "$3" -c 'launchctl getenv DYLD_INSERT_LIBRARIES'
Write the response to your own file, plist for example and make an EA against that and you can remove it with the unset option.
@sean
Could you elaborate on what you mean on your last post? Write out the output to plist and EA that output?
Cheers
Thought you all would like to know that we got a positive hit over here using the original EA posted by Ryan. About to update with the version posted by William. Thank you Ryan, Christoph, and William for your work on this.
Now..any suggestions on automating removal of Flashback?
Got two hits here right after lunch.
@vescala I will work on a script for removing it this afternoon.
I would have done it last Thursday but I got distracted figuring out how to disable Java in all the browsers via script.
FYI here is the output of my original and how it shows up in the JSS.
Because the output of the check on the user points to the common /Users/Shared/.libgmalloc.dylib, I don't think that needs to be checked for separately. Its existence is part of the user being infected.
https://skitch.com/feydrmm/8t377/computer-details--glenbrook-225--jssv8.51
https://skitch.com/feydrmm/8t37w/computer-details--glenbrook-225--jssv8.51
Here is the text of the second screenie.
{
"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.IntenetTweak.xsl";
}
@rpotvin
You could just run unsetenv and forget about it. Alternatively, if you want a report on it, you need to provide an answer to it somewhere. Since you would like to know if this variable is set for each user, network or local, you need to run this command against users when they are logged in, so you can't really just use an EA for this. Hence, run the getenv as a login script and redirect the output to a file, any file you like: send it to the system.log, create your own log or make your own plist, text file, etc., your choice.
Create an EA that will read the above created file. If you want an immediate report from this file, then you would want to also include a jamf recon at the end of the login script.
I haven't concisely read the docs on launchd to work out if there is a way to read the users environment variables without them being logged in, but if I get a chance I will.
Sean
Nice tool created for this FYI.
https://github.com/jils/FlashbackChecker/downloads