Scripts - can anyone here understand what this one might 'do'?


7 replies to this topic

#1 Brawdy14

Posted 13 May 2018 - 07:44 AM

Hello.  :hello: 

Whilst 'messing about' with my old iMac recently, I discovered this script. What is it designed to 'do' on my iMac?

=
 

##
# Common setup for startup scripts.
##
# Copyright 1998-2002 Apple Computer, Inc.
##
 
#######################
# Configure the shell #
#######################
 
##
# Be strict
##
#set -e
set -u
 
##
# Set command search path
##
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH
 
##
# Set the terminal mode
##
#if [ -x /usr/bin/tset ] && [ -f /usr/share/misc/termcap ]; then
#    TERM=$(tset - -Q); export TERM
#fi
 
####################
# Useful functions #
####################
 
##
# Determine if the network is up by looking for any non-loopback
# internet network interfaces.
##
CheckForNetwork()
{
    local test

    if [ -z "${NETWORKUP:=}" ]; then
        test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)
        if [ "${test}" -gt 0 ]; then
            NETWORKUP="-YES-"
        else
            NETWORKUP="-NO-"
        fi
    fi
}
 
alias ConsoleMessage=echo
 
##
# Process management
##
GetPID ()
{
    local program="$1"
    local pidfile="${PIDFILE:=/var/run/${program}.pid}"
    local     pid=""

    if [ -f "${pidfile}" ]; then
        pid=$(head -1 "${pidfile}")
        if ! kill -0 "${pid}" 2> /dev/null; then
            echo "Bad pid file $pidfile; deleting."
            pid=""
            rm -f "${pidfile}"
        fi
    fi

    if [ -n "${pid}" ]; then
        echo "${pid}"
        return 0
    else
        return 1
    fi
}
 
##
# Generic action handler
##
RunService ()
{
    case $1 in 
      start  ) StartService   ;;
      stop   ) StopService    ;;
      restart) RestartService ;;
      *      ) echo "$0: unknown argument: $1";;
    esac
}

Edited by hamluis, 15 May 2018 - 09:30 AM.
Merged posts - Hamluis.



#2 Brawdy14

Posted 14 May 2018 - 01:59 AM

Hi

 

Can anyone suggest a better forum group for me to ask my question ..... listed here?

https://www.bleepingcomputer.com/forums/t/677410/scripts-can-anyone-here-understand-what-this-one-might-do/

 

I am more than happy for a moderator to move or copy my post into a more appropriate group.

Thanks in advance for any help.

 

 

 



#3 hamluis

Posted 14 May 2018 - 05:24 PM

Am I understanding correctly...you want someone to tell you what an unknown script...with no source provided...may do on a Mac system?

 

Seems to me that some reference/link for the source of the script...might be enlightening.

 

Louis



#4 Brawdy14

Posted 15 May 2018 - 05:30 AM

Am I understanding correctly...you want someone to tell you what an unknown script...with no source provided...may do on a Mac system?

 

Seems to me that some reference/link for the source of the script...might be enlightening.

 

Louis

 

 

Hello Louis

Thanks for responding.   :thumbup2: 

I used a facility called 'KnockKnock' to scan my Apple iMac.  Details here:-  https://objective-see.com/products/knockknock.html

 

It found the script I posted in my original post.

 

Rightly or wrongly, I deleted the script/file  ........... but my computer continues to operate normally (as far as I can tell).

So I'm simply curious. What did the script actually 'do'?

Advice welcomed.

D.



#5 Brawdy14

Posted 19 May 2018 - 05:14 PM


Am I understanding correctly...you want someone to tell you what an unknown script...with no source provided...may do on a Mac system?

 

Seems to me that some reference/link for the source of the script...might be enlightening.

 

Louis

 

 

Hello Louis

Thanks for responding.   :thumbup2: 

I used a facility called 'KnockKnock' to scan my Apple iMac.  Details here:-  https://objective-see.com/products/knockknock.html

 

It found the script I posted in my original post.

 

Rightly or wrongly, I deleted the script/file  ........... but my computer continues to operate normally (as far as I can tell).

So I'm simply curious. What did the script actually 'do'?

Advice welcomed.

D.

 

 

 

Thomas Reed says ...  https://forums.malwarebytes.com/topic/229944-is-there-a-better-place-to-ask-my-question/?tab=comments#comment-1243073

That is the rc.common script, which should be found here:

/etc/rc.common
 

This is a script that is no longer used on modern macOS, but it's still present. It can be a means for providing persistence to malware (malware can add malicious lines of code to this script). However, I've tested this on systems from 10.7 and up, and that no longer works. I have been unable to get custom code added to rc.common to actually run on those systems.

 

=

 

That seems an adequate answer!  :bananas:

 

D.



#6 network_packet

Posted 05 June 2018 - 09:55 PM

Curious where you found this bash script. Secondly, I noticed that it is looking at services and processes. How did you draw the conclusion that it is a script for malware persistence?



#7 Brawdy14

Posted 09 June 2018 - 01:57 AM

Curious where you found this bash script. Secondly, I noticed that it is looking at services and processes. How did you draw the conclusion that it is a script for malware persistence?

Hello :hello:

As I said above "I used a facility called 'KnockKnock' to scan my Apple iMac.  Details here:-  https://objective-see.com/products/knockknock.html

 

It found the script I posted in my original post."

A fellow called 'Treed' gave me the answer  https://forums.malwarebytes.com/profile/190051-treed/

 

Thomas is a 'bit of a whiz' with regard to Apple malware - in fact, Malwarebytes Inc purchased his software and he's now a director of the company. This is where you can find his response to me:-

https://forums.malwarebytes.com/topic/229944-is-there-a-better-place-to-ask-my-question/?tab=comments#comment-1243073

 

Does this help you better understand matters?

 

Regards,

D.

 


 



#8 sflatechguy

Posted 16 June 2018 - 04:21 PM

It is exactly what it says it is:

 

# Common setup for startup scripts.
##
# Copyright 1998-2002 Apple Computer, Inc.
 
Considering that most of the script is commented out, (that's what all the #'s are for), it doesn't appear to be doing much.
 
What it is doing is setting the PATH environments for all the basic directories a system or a user might launch a command from; and it creates functions to check to see if the Mac is on a network, to get the process ID (PID) of a process, and run a service if asked. It creates the functions, but doesn't call them.
All very basic stuff, nothing malicious to it.
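
Added example (not part of any post in this thread, and not Apple's or KnockKnock's code): a triage check built on two points made above, that the stock script only sets the shell up and defines functions without calling them, and that added lines are how the file could be abused for persistence. It prints every top-level statement of an rc.common-style file that the stock script posted in #1 would not contain. The function names, the abridged sample file and the appended placeholder line are constructed for illustration.

```shell
#!/bin/sh
# audit_rc_common FILE: print "LINE: text" for each top-level statement that
# the stock rc.common shown in post #1 would not contain; exit 1 if any found.
audit_rc_common() {
    awk '
        /^[ \t]*(#|$)/ { next }                                # comments, blank lines
        in_fn { if ($0 ~ /^[}][ \t]*$/) in_fn = 0; next }      # inside a function body
        hdr && /^[{][ \t]*$/ { in_fn = 1; hdr = 0; next }      # "{" directly after a header
        { hdr = 0 }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)[ \t]*$/ { hdr = 1; next }   # Name () header
        /^set -[eu][ \t]*$/ { next }                           # shell strictness
        $0 ~ "^PATH=[/:A-Za-z]*; export PATH[ \t]*$" { next }  # plain PATH assignment
        /^alias ConsoleMessage=echo[ \t]*$/ { next }
        { print NR ": " $0; bad = 1 }                          # anything else is unexpected
        END { if (in_fn) { print "EOF: unterminated function body"; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# Constructed samples: an abridged copy of the posted script, and the same
# file with one placeholder command appended at top level.
make_samples() {
    cat > "$1/stock" <<'EOF'
##
# Common setup for startup scripts.
##
set -u
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH
alias ConsoleMessage=echo
RunService ()
{
    case $1 in
      start  ) StartService   ;;
      *      ) echo "$0: unknown argument: $1";;
    esac
}
EOF
    { cat "$1/stock"; echo '/path/to/unexpected_program &'; } > "$1/tampered"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
audit_rc_common "$demo_dir/stock" && echo "stock sample: nothing unexpected"
audit_rc_common "$demo_dir/tampered" || echo "tampered sample: review the line above"
```

The check does not look inside function bodies, so a line added within RunService or GetPID would pass; comparing the file against a known-good copy from the same OS version covers that case.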




