A script was developed and released to check for the existence of the OS X - Flashback.K trojan which is now believed to have a fairly wide distribution across the globe. It is available from https://github.com/hjuutilainen/adminscripts/blob/master/check-for-osx-flashback.K.sh . The following details how to create a script in the K1000 that will run this script on your machines and also includes a report to view the results.
Step 1 - Create a script
Download the script from https://github.com/hjuutilainen/adminscripts/blob/master/check-for-osx-flashback.K.sh and save it to your hard drive. I copied and pasted the code into TextEdit and saved it as flashback_check.sh
I chose to create an Offline KScript so that I can schedule it to run at a certain time and also at next client check in.
Give the script a name and check the box for enabled
I have my script set to deploy to all machines, but you may want to test it on a few first
Uncheck the box to Pick Specific OS versions and then select Mac OS X
For scheduling I set my script to run at a specific time later today and also at next client check in
Check the box to allow the script to run while logged off
Under dependencies, upload the script you saved earlier
For Task 1 verify:
Launch a program
Directory: $(KACE_DEPENDENCY_DIR)
File: the name of the script you uploaded as the dependency
Save the changes and save the script
Make a note of the script id to use in the reports. If you're using the adminui then the script id will be displayed in the URL when you edit the script (after you save it the first time).
Step 2 - Reporting
I find the function to search script logs to be very slow so I created two reports to view the results. The following SQL can be used in a SQL report to show the script results for all of the machines it ran on:
SELECT MACHINE_ID, MACHINE.NAME, STATUS, START_TIME, KBOT_LOG_DETAIL.TEXT FROM ORG1.KBOT_LOG
JOIN KBOT_LOG_DETAIL on KBOT_LOG_DETAIL.ID = KBOT_LOG.OUTPUT_DETAIL_ID
JOIN MACHINE on MACHINE.ID = KBOT_LOG.MACHINE_ID
WHERE KBOT_ID = <id of script created in step 1>
GROUP BY MACHINE_ID
ORDER BY MACHINE.NAME
If you only want to include machines where the script found something, then you need to find logs that contain the word "WARNING". This SQL includes a like statement with the appropriate syntax:
SELECT MACHINE_ID, MACHINE.NAME, STATUS, START_TIME, KBOT_LOG_DETAIL.TEXT FROM ORG1.KBOT_LOG
JOIN KBOT_LOG_DETAIL on KBOT_LOG_DETAIL.ID = KBOT_LOG.OUTPUT_DETAIL_ID
JOIN MACHINE on MACHINE.ID = KBOT_LOG.MACHINE_ID
WHERE KBOT_ID = 210
and KBOT_LOG_DETAIL.TEXT like '%WARNING%'
GROUP BY MACHINE_ID
ORDER BY MACHINE.NAME
Good luck!
Keep in mind that you must check the 'Wait for startup' checkbox under the 'Launch a program' task for the results to be uploaded. - jaredv 12 years ago