Jan 28, 2020 Even if your Mac is out of warranty, you may still be able to get it fixed for less than you think. Try this first, before paying: If you paid with a credit card, then the card company may cover it. Check your credit card rules to see if you qualify for protection. The Point of No Return. For your worst-case scenario, we hold no stops. On Redhat based systems, one can use pkg-config to verify if a library is installed or not. Many rpm binaries actually make the same checks before proceeding with installation, so. How to check for—and get rid of—a Mac Flashback infection The Mac Flashback trojan is certainly making headlines, and it could even be Jacqui Cheng - Apr 6, 2012 5:46 pm UTC. Apr 05, 2012 How to Check for the Flashback Trojan in Mac OS X. If you need to use Java, installing the Java Runtime Environment (JRE) in OS X Mountain Lion is necessary even if you had Java previously installed in OS X Lion or Snow Leopard and just performed an upgrade to 10.8.
- Check For Libraries Mac Terminal 4
- Check For Libraries Mac Terminal 3
- Check For Libraries Mac Terminal 8
- Check For Libraries Mac Terminal 1
Sometimes, macOS provides shell commands with more power, and more extensive features, than their neatly-wrapped app version. This is true for Disk Utility, Console, and other major bundled tools. It is also true for Keychain Access, which is now the only utility that can help you fix keychain problems.
Oddly, the command which gives full access to keychains is called simply security. And although it can do many wonderful things with keychains, and could for example be used to automatically create a copy of an existing keychain and make it the login default, it has no command to perform any repair operations.
Those already familiar with command tools will know that you can typeman security
into Terminal to see its documentation. Unfortunately that is so copious and lengthy that you will quickly become lost. The only sensible way to study its capabilities and use is with a documentation browser like Dash, or the rather simpler Man Reader.
security is so complex that it has to be used with a verb selected from a long list. For example, the most basic command, and one which produces some interesting surprises for many users, issecurity list-keychains
which lists all keychains. As that will include system keychains, you will probably findsecurity list-keychains -d user
more useful, as it only lists your current user-level keychains.
Its result here was:'/Users/hoakley/Library/Keychains/login.keychain-db'
'/Users/hoakley/Library/Keychains/loginMPro.keychain-db'
'/Users/hoakley/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak'
The first listed is the essential login keychain which is opened when I log into this user account on my Mac. Every user needs their own login keychain, and that is the default, stored in ~/Library/Keychains/login.keychain-db
The second is a copy of an old keychain from my last Mac Pro. One day I’ll copy entries from that into my login keychain to make it complete, but for the moment it ensures that any old apps etc. calling for old usernames and passwords can still find them.
The third is news to me, and obviously a hidden part of Adobe Air. As I don’t know its password, I cannot open it to see what it contains.
Having listed your user keychains, you can then obtain information about each usingsecurity show-keychain-info ~/Library/Keychains/login.keychain-db
and similar, which returns the simple statementKeychain '/Users/hoakley/Library/Keychains/login.keychain-db' no-timeout
If your login keychain is set to lock automatically after a certain period, then that response will tell you how long before it does that. If you have to keep entering your login password, that is a useful check to see whether that is the problem.
If your login keychain is locking itself and has a timeout set, you can clear it usingsecurity set-keychain-settings ~/Library/Keychains/login.keychain-db
You can also confirm that it is the default user keychain, usingsecurity default-keychain -d user
which should return something like'/Users/hoakley/Library/Keychains/login.keychain-db'
If that default user keychain is not called login.keychain-db or is not in the standard path of ~/Library/Keychains/ then that will explain why you are having keychain problems.
Settings for keychains are also stored in property lists, which can help solve other problems. The file containing the name and path to your default user keychain, and the keychain search list, is kept in ~/Library/Preferences/com.apple.security.plist Presumably if that becomes corrupted, it too can lead to keychain issues. Rather than throw it away, as you might with other corrupt property lists, it may be better to make a copy and edit that before copying it back. Here is mine for comparison:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'>
<plist version='1.0'>
<dict>
<key>DLDBSearchList</key>
<array>
<dict>
<key>DbName</key>
<string>~/Library/Keychains/login.keychain</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
<dict>
<key>DbName</key>
<string>~/Library/Keychains/loginMPro.keychain</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
<dict>
<key>DbName</key>
<string>~/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
</array>
</dict>
</plist>
The GUID string given for each should be your unique GUID, and the same for each of your keychains. (I have changed the values shown above.)
There are also system equivalents located at /Library/Preferences/com.apple.security.plist and /Library/Preferences/com.apple.security-common.plist, but you should avoid tampering with those, as that is likely to break your system.
In the next couple of days, I will try to incorporate some simple checks into LockRattler, and post a new version here. That might help you understand what could be going wrong with your keychain, perhaps.
Check For Libraries Mac Terminal 4
So you're a Mac user who has heard that more than half a million Macs have been infected by the recent Flashback malware. When the news began to spread about how the malware took advantage of a previously unpatched Java vulnerability on the Mac, the the horror stories began pouring in. 'My dad heard about the Flashback malware and subsequently deleted his Java folder. Now his Mac won't boot,' a friend told me.
Check For Libraries Mac Terminal 3
Needless to say, this is not the way to properly nuke a possible Flashback infection or prevent yourself from catching one. Still, there is a reasonable level of concern out there. Maybe you haven't been keeping up on your antivirus software (and let's be honest, most Mac users don't), or perhaps you simply have suspicions about your Mac acting funny. How do you check if you have Flashback, and if you do, how do you (properly) get rid of it?
Head to the Terminal to check for infection
These Terminal commands will give you an easy way to find out whether you have a possible Flashback infection.
First, launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
Check For Libraries Mac Terminal 8
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If the Terminal returns back to you lines that look like this:
The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
Then you're home free and you're not (yet) infected by Flashback. You can proceed to the 'Run Software Update' section of this post. If they do return results, then it's likely that you are infected. But worry not, as there are ways to get rid of the malware that will only hurt for a second.
How to get rid of Flashback
Here's where things might get complicated. These removal instructions are from security research firm F-Secure's removal page. Take us away, F-Secure! (Cue Keyboard Cat now.)
- Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment - Take note of the value, DYLD_INSERT_LIBRARIES
- Proceed to step 8 if you got the following error message: 'The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
- Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2% - Take note of the value after '__ldpath__'
- Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/InfoLSEnvironmentsudo chmod 644 /Applications/Safari.app/Contents/Info.plist - Delete the files obtained in steps 2 and 5
- Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES - Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: 'The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist'
- Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9% - Take note of the value after '__ldpath__'
- Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIESlaunchctl unsetenv DYLD_INSERT_LIBRARIES - Finally, delete the files obtained in steps 9 and 11.
- Run the following command in Terminal:
ls -lA ~/Library/LaunchAgents/ - Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
- Run the following command in Terminal:
defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments - Take note of the path. If the filename does not start with a '.', then you might not be infected with this variant.
- Delete the files obtained in steps 15 and 17.
In addition to these steps, F-Secure recommends checking for another variant of Flashback, Flashback.K. The instructions can be found on another page on F-Secure's website.
Run Software Update
Apple has now released some Java updates that will patch the vulnerability targeted by the current variant of Flashback, so if you're free from infection, you can apply the patch via Software Update. (It's a mystery as to why Apple waited so long to patch Java for Mac OS X when Oracle released an update in February.) You can also manually download the update for Lion and Snow Leopard, respectively, from Apple's support site.
Do you really need Java running in your browser anyway?
This raises an important question: do you even need Java running in Safari? Some people do—my parents, for example, play bridge on a website that requires a Java applet to run, and they will not switch to another service—but many of us don't. If you don't, it could be worth turning off just to keep yourself extra secure. You can do this in Safari by going to the Safari menu and then Preferences. Then click over to the 'Security' tab:
Uncheck 'Enable Java.' (You can always turn it back on if you have to.) If you can live your life without it, this will be an extra step to help protect you against similar attacks in the future.
Conclusion
Once you've performed these steps and updated your installation of Java, you're inoculated against the current version of the Flashback malware, but that doesn't mean the variant won't change again sometime in the future to exploit a different vulnerability on your Mac. Stay vigilant! Keep your software up to date, don't ignore strange files that appear from strange places, and if you can, be aware of odd network behavior coming from your Mac. You can do this by installing software like Little Snitch to monitor your Mac's network activity. (And a side effect of having Little Snitch installed is that the latest variants of Flashback won't install themselves if you already installed Little Snitch!)
The files don't necessarily come from spammers, either—a Google Image Search might bring you to a malicious website, for example, that could try to execute the code once you visit the site for that cute cat picture. So it's not just about avoiding file attachments in e-mail; malware can be found lurking in all corners of the Web.
Check For Libraries Mac Terminal 1
As for whether the 'half a million Macs' number is accurate, Dr. Web malware analyst Sorokin Ivan said on Twitter that 'BackDoor.Flashback.39 uses Hardware UUID (IOPlatformUUID) to identify bots,' and Dr. Web's statistics are based on that ID. Even if the numbers aren't accurate, the latest scare is another wakeup call for Mac users who have been ignoring malware and virus threats up to this point. What steps are you taking to make sure your Mac is protected?