Skip to content

Instantly share code, notes, and snippets.

@atdt
Created September 8, 2016 20:01
Show Gist options
  • Save atdt/e84483c70c078a72f5e08ead365c69f8 to your computer and use it in GitHub Desktop.
Save atdt/e84483c70c078a72f5e08ead365c69f8 to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash
# Crude script to detect Backdoor.OSX.Mokes.a, as described in
# https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/
locations=(
"$HOME/Library/App Store/storeuserd"
"$HOME/Library/com.apple.spotlight/SpotlightHelper"
"$HOME/Library/Dock/com.apple.dock.cache"
"$HOME/Library/Skype/SkypeHelper"
"$HOME/Library/Dropbox/DropboxCache"
"$HOME/Library/Google/Chrome/nacld"
"$HOME/Library/Firefox/Profiles/profiled"
)
echo 'Suspicious files:'
for loc in "${locations[@]}"; do
/bin/test -f "$loc" && echo "$loc"
done || echo '(none)'
echo 'Suspicious connections:'
/usr/sbin/lsof -i | /usr/bin/grep -e 158.69.241 -e jikenick12and67 -e cameforcameand33212 || echo '(none)'
@JayBrown
Copy link

JayBrown commented Sep 9, 2016

Thank you! One remark: these directories are usually in $HOME/Library/Application\ Support, not in$HOME/Library Are we sure that securelist has the correct paths?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment