- Jamf Nation Community
- Products
- Jamf Pro
- Flashback trojan EA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-03-2012 04:53 PM
I just threw this together - mostly as an excuse to play with named pipes. It will tell you if one of the big 3 browsers or non-hidden users are infected with Flashback.
*IF* I actually find it anywhere I will come up with something to remove it.
#!/bin/bash
app_list=()
mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo
echo "<result>"
while read -r -d $'�'; do
app_list+=("$REPLY")
done < <(find / ( -iname "google chrome.app" -o -iname "safari.app" -o -iname "firefox.app" ) -print0 2> /dev/null)
for browser in "${app_list[@]}"; do
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done
exec 3>&-
unlink result_fifo
echo "</result>"p.s. It would be REALLY awesome if the EA display in the JSS supported newlines again.
Solved! Go to Solution.
3 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2012 10:36 AM
...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert.
Don
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2012 01:20 PM
Here is what I use now. I upgraded to 8.51 so as I mentioned before there is now newlines so it makes sense to add back in the "Not infected" as some have asked for. That means you will have to change the Smart group for all of them to "like is infected" instead of just "like infected"
#!/bin/bash
app_list=()
echo "<result>"
while read -r -d $'�'; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
for browser in "${app_list[@]}"; do
if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
echo "${browser} is infected"
else
echo "${browser} is NOT infected"
fi
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
echo "user ${username} is infected"
else
echo "user ${username} is NOT infected"
fi
done
echo "</result>"Here is what the output looks like on the command line now.
<result>
/Applications/Safari.app is NOT infected
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
user bob is NOT infected
user macports is NOT infected
user ryan is NOT infected
</result>And here is the result in the JSS
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
/Applications/Safari.app is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user rmanly_stu is NOT infected
student usernames converted to ---- and trimmed for public posting
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2012 01:55 PM
44 REPLIES 44
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2012 11:31 PM
I've made some mods for my environment, and am cutting my teeth on the JSS these days.
Unfortunately I'm bound by ITIL / Change Management and can't be more aggressive with it, but I figure it does the job.
Points for the comment being as long as the script itself!
#!/bin/bash
# JSS Flashback Checker Extension Attribute script
# credit to rmanly and talkingmoose on the jamfnation
# forum for the basis of this script
#
# modified by Dave Castelletti @davecastelletti (admittedly a scripting- & JSS novice)
# Intent of mods for OS-variable large environment:
# 10.4-10.7 compatibility
# Efficient output to Extension Attribute (set as visible in JSS inventory)
# Improvements needed:
# mailer using org's open relay to tail the system.log | grep lines containing "infected"
# Figure out why some 10.5/10.6 return a blank $AppResult
#
# Associated Policy to trigger this script
# RunOnce AllComputers UpdateInventory (simple as it gets!)
# Associatted SmartGroups
# FlashbackInfected = EA like 'infected', associated with ongoing inventory for group
# removal once cleaned
# FlashbackFixNeeded-10.6 = Associated with removal policy scope (Update8 pkg push)
# FlashbackFixNeeded-10.7 = Associated with removal policy scope (2012-003 pkg push)
#
# Feedback welcomed via the twitter. My n00bulb doth shine brightly.
# Original broke on my 10.4 tests; eliminated from results
OLD=`sw_vers | grep "10.4" | wc -l`
if [ $OLD -ne 0 ]; then
echo "<result>N/A (10.4)</result>"
exit 0
fi
app_list=()
while read -r -d $'�'; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
# wrote details to system.log for manual dive or, ideally, sendmail to the MacEng team
# in order to keep the DB small and the JSS web copy concise (lots of users on some boxes!)
for browser in "${app_list[@]}"; do
if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
logger "${browser} is infected with Flashback"
AppResult="${browser} Infected"
else
AppResult="Apps Clean"
fi
done
# details also in system.log
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
logger "user ${username} is infected with Flashback"
UserResult="User Infected"
else
UserResult="Users Clean"
fi
done
echo "<result>$AppResult, $UserResult<result>"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-13-2012 01:35 AM
For those who prefer downloads:
10.7
http://support.apple.com/downloads/DL1515/en_US/JavaForOSX.dmg
10.6
http://support.apple.com/downloads/DL1516/en_US/JavaForMacOSX10.6.dmg
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-13-2012 07:52 AM
Awesome work everybody! This saves will save me so much work. I'm added this EA to our environment now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-13-2012 08:03 AM
i concur
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-13-2012 08:26 AM
Points for the comment being as long as the script itself!
I say major points for actually adding comments. It's a habit I need to work on.
