Life plus Linux: Look before you paste from a website to terminal

Paolo Redaelli

Look before you paste from a website to terminal

Most of the time when we see a code snippet online to do something, we often blindly copy paste it to the terminal. Even the tech savy ones just see it on the website before copy pasting. Here is why you shouldn’t do this. Try pasting the following line to your terminal (SFW)

ls <span class="malicious"> ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP'
ls </span> -lat

It should look something like this once it is pasted onto your terminal.

You probably guessed it. There is some malicious code between ls and -lat that is hidden from the user

Malicious code’s color is set to that of the background, it’s font size is set to 0, it is moved away from rest of the code and it is made un-selectable (that blue color thing doesn’t reveal it); to make sure that it works in all possible OSes, browsers and screen sizes.

Data hosted with ♥ by Pastebin.comDownload RawSee Original
.malicious {
  color: #f3f5f6; // set it to that of the page
  font-size: 0px; // make it small
  // move it out of the way
  position: absolute;
  left: -100px;
  top: -100px;
  height: 0px;
  z-index:100;
  display: inline-block;
  // make it un-selectable
  -webkit-touch-callout: none;
  -webkit-user-select: none;
  -khtml-user-select: none;
  -moz-user-select: none;
  -ms-user-select: none;
  user-select: none;
}

 

Data hosted with ♥ by Pastebin.comDownload RawSee Original
<span>ls</span>
<span class=“malicious”>
  ; clear; echo ‘Haha! You gave me access to your computer with sudo!’;
  echo -ne ‘h4cking ##                        (10%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking ###                       (20%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking #####                     (33%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking #######                   (40%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking ##########                (50%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking #############             (66%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking #####################     (99%)\r’;
  sleep 0.3;
  echo -ne ‘h4cking #######################   (100%)\r’;
  echo -ne ‘\n’;
  echo ‘Hacking complete.’;
  echo ‘Use GUI interface using visual basic to track my IP’<br> ls
</span>
<span>-lat </span>

This can be worse. If the code snippet had a command with sudo for instance, the malicious code will have sudo access too. Or, it can silently install a keylogger on your machine; possibilities are endless. So, the lesson here is, make sure that you paste code snippets from untrusted sources onto a text editor before executing it.

Thanks for reading!

Pages: 1 2

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related