New Directories and Timed Warning for Autoremove

Adding newly discovered directories, a timed warning for autoremove, and small readme updates.
weldingwit · Feb 12, 2019 · 7949b98 · 7949b98
1 parent 47f24a2
commit 7949b98
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 17 deletions.
diff --git a/remediation/shlayer/README.md b/remediation/shlayer/README.md
@@ -2,21 +2,21 @@
 
 #### Blog: [TBD]()
 
-#### Instructuions
+#### Instructions
 
 There are two ways to run this script. Interactively and Automatically.
 
 First things first, ensure the script is executable:
 
     $ chmod +x ./shlayer-cleanup.sh
 
-###### Interactive Execution
+##### Interactive Execution
 
 Allows you to step through the execution and review all files before making a decision on removing them.
 
     $ ./shlayer-cleanup.sh
 
-###### Automatic Execution
+##### Automatic Execution
 
 Runs the script and automatically deletes any detected Shlayer malicious files.
 
@@ -28,7 +28,6 @@ To download and execute this script directly from this repository you can run th
 
 To execute this script using Carbon Black's Live Response, add 'execfg' to the beginning of the string.
 
-###### Example
-
-![image](https://user-images.githubusercontent.com/727732/52592602-10e99080-2e04-11e9-8278-8ad92ef5fe33.png)
+##### Example
 
+![image](https://user-images.githubusercontent.com/727732/52649660-ecde8b80-2ea5-11e9-81f8-0f9dce1d187d.png)
diff --git a/remediation/shlayer/shlayer-cleanup.sh b/remediation/shlayer/shlayer-cleanup.sh
@@ -14,25 +14,31 @@ fi
 if [[ $autoremove == "false" ]]; then
 	echo ""
 	echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
-	echo -n "	Enter 'YES' to continue: "
+	echo -n "					Enter 'YES' to continue: "
 	read shallWeContinue
 	if [ $shallWeContinue != 'YES' ]; then
 		echo ""
 		exit 1
 	fi
+else
+	echo ""
+	echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
+	echo "					Press CRTL+C to abort..."
+	sleep 5
 fi
 
 # Set Directories
 directories=("/tmp/*/Player*.app/"
-			"/Volumes/Player/"
-			"/Volumes/FlashPlayer/"
-			"/private/tmp/*/Player/"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
-			"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
+		"/Applications/Mac*Cleanup*Pro*.app/"
+		"/Volumes/Player/"
+		"/Volumes/FlashPlayer/"
+		"/private/tmp/*/Player/"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
+		"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
 
 echo ""
 
@@ -48,7 +54,7 @@ for directory in ${directories[@]}; do
 			cleanupChoice="y"
 		fi
 		if [ $cleanupChoice == "y" ]; then
-			sudo rm -rf $directory && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
+			sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
 		else
 			echo "It is recommended to remove this directory to prevent continued infection!"
 		fi