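#!/usr/bin/env bash
# MacCheck.sh — macOS incident-response / information-gathering script (V1.1).
# Prints a system overview and looks for a few known miner artefacts. Every
# finding is echoed to the terminal and appended to result_<host>_<user>.log
# in the current directory.
echo ""
echo " ========================================================= "
echo " \ Mac应急响应/信息搜集脚本 V1.1 / "
echo " ========================================================= "
echo " # Mac OS 系统检测脚本 "
echo " # author:al0ne "
echo " # https://github.com/al0ne "
echo " # 重点搜集MAC下系统信息,检测挖矿病毒以及其他常见病毒,开箱即用"
echo -e "\n"
# One log per host/user. Every check appends with `tee -a`, so a log left
# over from an earlier run is truncated here (the original tested
# `$(unknown)`, a command that does not exist, and therefore never reset it).
# The log lands in the current directory; run from a directory that only the
# invoking user can write to, since the script is meant to be run as root.
filename="result_$(hostname -s)_$(whoami).log"
: >"$filename"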
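#######################################
# Look for the "xsdk" miner: matching processes are logged and killed, and
# its known drop paths are logged and removed.
# Globals:   filename (read) - log file appended to by tee
#            HOME (read) - ~/Documents/Tunings is one of the drop paths
# Outputs:   findings to stdout and the log
# Returns:   0
#######################################
xsdk() {
  # Process names and paths below are the author's indicators for this miner.
  # The process pattern is broad (any command line containing "mgo" or
  # "xsdk"), so the matched lines are logged before anything is killed.
  local proc_pattern='mgo|xsdk'
  local -a drop_paths=(
    /etc/bbrj
    /etc/evtconf
    /etc/mach_inlt
    /etc/periodoc.d
    "${HOME}/Documents/Tunings"
    /private/etc/mach_inlt
    /private/etc/mach_init.d
    /private/etc/mach_inlt_per_user.d/
    /private/etc/mach_inlt_per_login_session.d
  )
  local result pids path

  echo -e "\n\033[31m[+]xsdk挖矿检测\033[0m" | tee -a "$filename"
  # Drop the grep itself from the listing. PIDs are taken from the same
  # listing that is reported, so the kill targets exactly what was logged
  # (the original ran ps a second time to collect PIDs).
  result=$(ps aux | grep -Ei -- "$proc_pattern" | grep -v 'grep')
  if [ -n "$result" ]; then
    echo "存在xsdk挖矿进程!" | tee -a "$filename"
    printf '%s\n' "$result" | tee -a "$filename"
    pids=$(printf '%s\n' "$result" | awk '{print $2}')
    echo "kill -9 干掉xsdk挖矿进程!" | tee -a "$filename"
    # shellcheck disable=SC2086 -- one PID per word is intended here
    kill -9 $pids
    echo -e "\n" | tee -a "$filename"
  fi

  # -d lists the entries themselves rather than directory contents, so the
  # report shows the paths that will be removed.
  result=$(ls -alhd "${drop_paths[@]}" 2>/dev/null)
  if [ -n "$result" ]; then
    echo "存在xsdk挖矿文件!" | tee -a "$filename"
    printf '%s\n' "$result" | tee -a "$filename"
    echo "删除xsdk挖矿文件!" | tee -a "$filename"
    # Remove only the fixed list above. The original parsed `ls` output,
    # which for directories yields bare basenames relative to the current
    # directory, and collapsed it to one line before passing it to rm.
    for path in "${drop_paths[@]}"; do
      if [ -e "$path" ]; then
        rm -rf -- "$path"
      fi
    done
  fi
}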
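#######################################
# Look for the "ssl3" miner: an ssl<digit>.plist process, ssl?.plist files
# under the home directory, and Apple-looking cache plists that the author
# associates with its persistence (those are removed).
# Globals:   filename (read) - log file appended to by tee
#            HOME (read) - searched for ssl?.plist and Library/Caches
# Outputs:   findings to stdout and the log
# Returns:   0
#######################################
ssl3() {
  local result path

  echo -e "\n\033[31m[+]ssl3挖矿检测\033[0m" | tee -a "$filename"
  # POSIX ERE has no \d (the original used it); spell the digit class out and
  # drop the grep itself from the listing.
  result=$(ps -ef | grep -Ei 'ssl[0-9]\.plist' | grep -v 'grep')
  if [ -n "$result" ]; then
    echo "存在ssl3挖矿进程!" | tee -a "$filename"
    printf '%s\n' "$result" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  fi

  result=$(find ~ -name 'ssl?.plist' 2>/dev/null)
  if [ -n "$result" ]; then
    echo "存在ssl3挖矿文件!" | tee -a "$filename"
    printf '%s\n' "$result" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  fi

  # The redirect belongs on find (permission errors), not on the last grep as
  # in the original. Dots in the pattern are escaped so it matches literally.
  # NOTE(review): this heuristic also matches legitimate Apple cache plists;
  # confirm the matches before relying on the automatic delete below.
  result=$(find ~/Library/Caches -name '*.plist' 2>/dev/null \
    | grep -E 'com\.apple\.[a-zA-Z0-9]+\.plist' \
    | grep -v 'nsservicescache')
  if [ -n "$result" ]; then
    echo "可疑ssl3挖矿文件!" | tee -a "$filename"
    printf '%s\n' "$result" | tee -a "$filename"
    echo "删除ssl3挖矿文件!" | tee -a "$filename"
    # One path per line. `echo $result | xargs -I F` joined every path into a
    # single line, so rm received one bogus argument when several matched.
    while IFS= read -r path; do
      if [ -n "$path" ]; then
        rm -r -- "$path"
      fi
    done <<<"$result"
    echo -e "\n" | tee -a "$filename"
  fi
}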
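#######################################
# List launch daemons/agents whose names match the author's suspicious
# patterns (Apple-lookalike bundle ids, yahoo/ssl/unioncrypto, dotfiles).
# Globals:   filename (read) - log file appended to by tee
#            HOME (read) - ~/Library/LaunchAgents is one of the directories
# Outputs:   matching entries to stdout and the log
# Returns:   0
#######################################
autorun() {
  echo -e "\033[31m[+]可疑启动项检测\033[0m" | tee -a "$filename"
  # NOTE(review): under sudo, ~ may resolve to root's home rather than the
  # invoking user's, so that user's LaunchAgents would not be covered — confirm.
  # Symlink entries ("a -> b") are dropped with a fixed-string match; the
  # original `egrep -v "\->"` relied on an undefined ERE escape that newer
  # GNU grep warns about.
  ls -a /Library/LaunchDaemons /Library/LaunchAgents ~/Library/LaunchAgents \
      /System/Library/LaunchAgents /System/Library/LaunchDaemons \
    | grep -Ei '\bLibrary|com\.\w{2,6}.plist|yahoo|apple.google|ssl|unioncrypto|^\.\w+' \
    | grep -Fv -- '->' \
    | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"
}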
#######################################
# Report a few fixed paths that the author associates with known malware;
# a path that does not exist prints nothing.
# Globals:   filename (read) - log file appended to by tee
#            HOME (read) - ~/Library/search.amp is one of the paths
# Outputs:   `ls -alh` of each existing path to stdout and the log
# Returns:   0
#######################################
file_check() {
  local candidate
  echo -e "\033[31m[+]可疑文件检测\033[0m" | tee -a "$filename"
  for candidate in /Library/search.amp ~/Library/search.amp /Library/UnionCrypto; do
    ls -alh "$candidate" 2>/dev/null | tee -a "$filename"
  done
  echo -e "\n" | tee -a "$filename"
}
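#######################################
# Environment overview. Requires root, then logs the user/host/uptime, the
# top CPU consumers, interface addresses, listening and established TCP
# sockets, DNS servers, login-capable accounts, sudoers, temp directories,
# deleted-but-open files, authorized SSH keys and launch items.
# Globals:   filename (read) - log file appended to by tee
#            HOME (read) - ~/.ssh and ~/Library are resolved from it
# Outputs:   findings to stdout and the log
# Returns:   0; exits 1 when not running as root
#######################################
main_check() {
  local cpu sshkey found_key

  echo -e "\033[31m[+]环境检测\033[0m" | tee -a "$filename"
  # /etc/sudoers, lsof and other items below need root: check the effective uid.
  if [ "$EUID" -ne 0 ]; then
    echo -e "\n\033[31m请使用root权限运行! \033[00m"
    echo -e "\033[31mchmod u+x ./MacCheck.sh \033[00m"
    echo -e "\033[31msudo ./MacCheck.sh \033[00m"
    exit 1
  else
    echo -e "\033[00;32m当前为root权限 \033[00m"
  fi

  # Current user, host and uptime (first comma-separated field of `uptime`)
  echo -e "USER:\t\t $(whoami)" | tee -a "$filename"
  echo -e "Hostname: \t $(hostname -s)" | tee -a "$filename"
  echo -e "Uptime: \t $(uptime | awk -F ',' '{print $1}')" | tee -a "$filename"

  # Top 15 processes by %CPU (column 3 of `ps aux`). The original put
  # 2>/dev/null on the assignment, where it silenced nothing.
  cpu=$(ps aux 2>/dev/null | grep -v '^USER' | sort -rn -k3 | head -15)
  echo -e "\n" | tee -a "$filename"
  echo -e "\033[00;31m[+]CPU TOP15: \033[00m\n${cpu}\n" | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Interface lines carrying the private-range prefixes the author cares about
  echo -e "\033[00;31m[+]ifconfig\033[00m" | tee -a "$filename"
  ifconfig | grep -E '192\.|172\.' | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Listening TCP sockets
  echo -e "\033[00;31m[+]端口监听\033[00m" | tee -a "$filename"
  lsof -nP -iTCP | grep LISTEN | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Established TCP connections. NOTE(review): the vendor filter drops any
  # line containing those words, including a process that merely carries one
  # of them in its name; treat the filtered view as a convenience, not proof.
  echo -e "\033[00;31m[+]网络连接\033[00m" | tee -a "$filename"
  lsof -nP -iTCP | grep 'ESTABLISHED' | grep -Ev 'Google|Microsoft|Cisco' | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # DNS servers
  echo -e "\033[00;31m[+]DNS Server\033[00m" | tee -a "$filename"
  grep -v '#' /etc/resolv.conf | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Accounts with a usable shell. On macOS most accounts live in Directory
  # Services rather than /etc/passwd, so the dscl listing is added alongside
  # (underscore-prefixed entries are the system service accounts).
  echo -e "\033[00;31m[+]可登陆用户\033[00m" | tee -a "$filename"
  grep -Ev 'nologin$|false$|#' /etc/passwd | tee -a "$filename"
  dscl . -list /Users 2>/dev/null | grep -v '^_' | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # sudoers, including sudoers.d: the main file's `#includedir` line is itself
  # a comment, so the original `egrep -v '#'` hid that the directory existed.
  # Only whole-line comments and blank lines are dropped.
  echo -e "\033[00;31m[+]sudoers(请注意NOPASSWD)\033[00m" | tee -a "$filename"
  cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Temp directories, newest first
  echo -e "\033[00;31m[+]/tmp \033[00m" | tee -a "$filename"
  ls -alht /tmp /var/tmp /private/tmp/ | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Files that are open but unlinked (a common way to hide a running payload)
  echo -e "\033[00;31m[+]lsof +L1 \033[00m" | tee -a "$filename"
  lsof +L1 | grep -Ev 'cache|messages|/private/' | tee -a "$filename"
  echo -e "\n" | tee -a "$filename"

  # Authorized SSH keys for the current HOME and for every account under
  # /Users. NOTE(review): under sudo, HOME may be root's home rather than the
  # invoking user's — the /Users/* pass is what covers the regular accounts.
  echo -e "\033[00;31m[+]SSH key\033[00m" | tee -a "$filename"
  found_key=0
  for sshkey in "${HOME}/.ssh/authorized_keys" /Users/*/.ssh/authorized_keys; do
    [ -e "$sshkey" ] || continue
    found_key=1
    printf '%s:\n' "$sshkey" | tee -a "$filename"
    tee -a "$filename" <"$sshkey"
  done
  if [ "$found_key" -eq 0 ]; then
    echo -e "SSH key文件不存在\n" | tee -a "$filename"
  fi

  # Launch items, newest first
  echo -e "\033[00;31m[+]用户启动项\033[00m" | tee -a "$filename"
  ls -alht /Library/LaunchDaemons /Library/LaunchAgents ~/Library/LaunchAgents | tee -a "$filename"
}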
#######################################
# Run every check in order; each function appends to the shared log and
# main_check exits the script when it is not running as root.
#######################################
main() {
  main_check   # environment overview
  xsdk         # xsdk miner check
  ssl3         # ssl3 miner check
  autorun      # launch item check
  file_check   # suspicious file check
}
main "$@"