From 7949b98dfeb87aabdcb80996c0b599dbbcd893fb Mon Sep 17 00:00:00 2001 From: Greg Foss Date: Tue, 12 Feb 2019 09:21:12 -0700 Subject: [PATCH] New Directories and Timed Warning for Autoremove Adding newly discovered directories, a timed warning for autoremove, and small readme updates. --- remediation/shlayer/README.md | 11 +++++----- remediation/shlayer/shlayer-cleanup.sh | 28 ++++++++++++++++---------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/remediation/shlayer/README.md b/remediation/shlayer/README.md index 8fe2113..914ccdd 100644 --- a/remediation/shlayer/README.md +++ b/remediation/shlayer/README.md @@ -2,7 +2,7 @@ #### Blog: [TBD]() -#### Instructuions +#### Instructions There are two ways to run this script. Interactively and Automatically. @@ -10,13 +10,13 @@ First things first, ensure the script is executable: $ chmod +x ./shlayer-cleanup.sh -###### Interactive Execution +##### Interactive Execution Allows you to step through the execution and review all files before making a decision on removing them. $ ./shlayer-cleanup.sh -###### Automatic Execution +##### Automatic Execution Runs the script and automatically deletes any detected Shlayer malicious files. @@ -28,7 +28,6 @@ To download and execute this script directly from this repository you can run th To execute this script using Carbon Black's Live Response, add 'execfg' to the beginning of the string. -###### Example - -![image](https://user-images.githubusercontent.com/727732/52592602-10e99080-2e04-11e9-8278-8ad92ef5fe33.png) +##### Example +![image](https://user-images.githubusercontent.com/727732/52649660-ecde8b80-2ea5-11e9-81f8-0f9dce1d187d.png) diff --git a/remediation/shlayer/shlayer-cleanup.sh b/remediation/shlayer/shlayer-cleanup.sh index 3488c46..7337cef 100755 --- a/remediation/shlayer/shlayer-cleanup.sh +++ b/remediation/shlayer/shlayer-cleanup.sh 
@@ -14,25 +14,31 @@ fi if [[ $autoremove == "false" ]]; then echo "" echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]" - echo -n " Enter 'YES' to continue: " + echo -n " Enter 'YES' to continue: " read shallWeContinue if [ $shallWeContinue != 'YES' ]; then echo "" exit 1 fi +else + echo "" + echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]" + echo " Press CRTL+C to abort..." + sleep 5 fi # Set Directories directories=("/tmp/*/Player*.app/" - "/Volumes/Player/" - "/Volumes/FlashPlayer/" - "/private/tmp/*/Player/" - "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app" - "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app" - "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app" - "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app" - "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app" - "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app") + "/Applications/Mac*Cleanup*Pro*.app/" + "/Volumes/Player/" + "/Volumes/FlashPlayer/" + "/private/tmp/*/Player/" + "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app" + "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app" + "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app" + "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app" + "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app" + "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app") echo "" 
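Review bot: `/Volumes/Player/` and `/Volumes/FlashPlayer/` in the re-indented `directories` array go through the same `sudo rm -rf` as every other entry, but if they are the mount points of a still-attached disk image (which the `/Volumes/` prefix suggests) `rm -rf` does not unmount anything — on a read-only image it fails and the script reports "unable to remove", and on a writable one it deletes the image's contents while leaving the mount in place. A detach step before the loop would be more reliable, e.g. `for vol in /Volumes/Player /Volumes/FlashPlayer; do [[ -d "$vol" ]] && hdiutil detach "$vol"; done`; I cannot see from this hunk whether something earlier in the script already does this. Separately, the new auto-remove warning spells `CRTL+C`; it should read `echo " Press CTRL+C to abort..."`, and since the README describes running this through Live Response, which likely has no terminal to deliver Ctrl+C, consider skipping the `sleep 5` when `[[ ! -t 0 ]]`.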
@@ -48,7 +54,7 @@ for directory in ${directories[@]}; do cleanupChoice="y" fi if [ $cleanupChoice == "y" ]; then - sudo rm -rf $directory && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory" + sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory" else echo "It is recommended to remove this directory to prevent continued infection!" fi
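Review bot: The success message after the now-quoted `sudo rm -rf "$directory"` is still keyed only on rm's exit status, and with `-f` BSD rm exits 0 for a path that does not exist, so a `directories` pattern that matched nothing (the `for directory in ${directories[@]}` loop starts before this hunk and leaves an unmatched glob as a literal string) will print "Malware Has Been Removed..." unless the lines above the hunk already gate on existence, which I cannot see here. Checking the path before and after the removal gives an honest report and also surfaces the read-only mount and missing-sudo cases; the rewritten branch is below. The `&&`/`||` chain is also worth replacing with an explicit `if`, since the fallback `echo` would run if the success `echo` itself failed.
```shell
  if [ $cleanupChoice == "y" ]; then
    if [[ ! -e "$directory" ]]; then
      # Unmatched pattern (left literal by the loop) or already gone: nothing to delete
      echo "Nothing found at $directory, skipping..."
    elif sudo rm -rf -- "$directory" && [[ ! -e "$directory" ]]; then
      echo "Malware Has Been Removed..."
    else
      echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
    fi
  else
  # … unchanged: recommendation message …
```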