I remember using and understanding a terminal for the first time: That feeling when you realize that you are able to reach every file, run every program and fully control the whole system by simply typing something into a black window. And I also remember the fear that came with it to make a mistake and lose or destroy something irrecoverably.
I'm not exactly a sysadmin, but over the years I worked with a lot of Linux/UNIX based systems and found myself more than once in a situation where I hesitated hitting the Enter key to rethink what I'm just about to execute.
In the following I want to share some commands you should not use at all or at least very carefully. If you're new to bash commands, I hope you can learn something new. If you're a bash pro, you can take this post as exercise to predict the result before reading the explanation.
Note: Some of these commands I learned myself the hard way, but most of them I picked up once in a while, i.e. in this old thread.
Before we start, the last warning:
⚠ Do not run any of these commands on a system you care about! ⚠
1. Destructive directory changing
I decided not to start with the classic rm -rf /* but with a variation of it:
alias cd='rm -rf'
💡 That's what happens
-
aliasdeclares a aliases/shortcuts for bash commands. The syntax is likealias alias_name="command_to_run" -
cdis the alias name and the same like the change directory command -
rm -rfis the command to run. This doesn't translate to "read mail, -realfast" rather than "remove the given directory with all its content without asking".
So if an evil person adds this alias to your open bash when you're afk and you want to cd through your file system, you will quickly notice a strange behavior...
Luckily alias will only be temporarily available throughout the current shell session, unless it's added to one of the files that are loaded on start of a terminal session, i.e. ~/.bashrc.
🛡 How to prevent possible damage
Well, simply don't add this alias and double-check the command, when adding a new alias. You can always check which aliases exist with the alias command and remove an alias with unalias alias_name.
To prevent deleting files unknowingly, you can add the following alias to your ~/.bashrc:
alias rm='rm -i'
This will make your bash always ask you before deleting something, even if the rm command is added as another alias.
* In case you didn't know: this command cannot be executed this simply anymore—an additional flag --no-preserve-root is required to execute it on the root directory.
2. Memory-eater
In case you doubt it, the following is a valid bash command:
:(){:|: &};:
💡 That's what happens
In short: Recursion without termination condition. A function is defined which is called :. It calls itself twice in its own definition. At the end of the command, the function is initially called. It becomes more clear, when we write it in separate lines and rename the function:
evil () {
evil|evil &
}
evil
If this gets executed, it replicates itself quickly consuming all your memory and CPU resources (also known as fork bomb). It can freeze your whole system and is therefore an example of a denial-of-service attack. It's surprising how such an attack can be executed with a command of just 12 Bytes!
🛡 How to prevent possible damage
If you're using iterative or recursive bash functions, always double-check for proper termination condition and use a safe environment for testing purposes.
Since a fork bomb launches an unlimited number of processes, the only way to protect your system is limiting the number of processes a local user can run. You can do so by editing the /etc/security/limits.conf accordingly. A user could work with about 200-300 processes at the same time, so limiting to something like 2000 processes should shield your system from a fork bomb without limiting the corresponding user too much.
3. Zero memory
dd if=/dev/zero of=/dev/sda
💡 That's what happens
-
ddis a command to copy data from one file or device to another -
if=specifies the source and/dev/zerois an unlimited source of zero bytes -
of=specifies the target and/dev/sdais a disk drive or volume
You see where this is going. It's an excellent way to erase the contents of a whole disk and a pretty quick way to lose a lot of data.
🛡 How to prevent possible damage
Unfortunately there is no -i flag as it is the case for rm, so my only advice is to double-check, if the devices you specified in your dd command are really the correct ones. Don't use the dd command at all, if it's to risky for you.
You can disable the whole dd command with the following alias:
alias dd='echo "no dd command available"'
If the dd command is now executed on your system, it only prints out no dd command available.
4. Zero recovery
The following variation of the above command is also possible:
for i in {1..10};do dd if=/dev/urandom of=/dev/sda;done
💡 That's what happens
This overrides the whole disk ten times with random bytes and minimizes the probability of recovering data even more.
🛡 How to prevent possible damage
Since this is also using the dd command, see the advices from the preceding section 4.
5. Uncommitted and lost
git reset --hard
💡 That's what happens
-
git resetresets the current HEAD of a git repository to the last committed (or specified) state -
--hardresets the index and working tree. Any changes to tracked files in the working tree since the last commit are discarded.
In other words: it discards all uncommitted changes. Since these aren't tracked by git, there's no way to restore them.
🛡 How to prevent possible damage
Simply don't use the --hard flag. And if you have to: double-check if there are any local changes you want to keep before resetting it. I would recommend to do a hard reset only if the output of git status is empty or you're absolutely sure to wipe all uncommitted data.
6. Demolition by compression
tar -czvf /path/to/file archive.tgz
# instead of
tar -czvf archive.tgz /path/to/file
💡 That's what happens
-
tar -czvfis the command to create a new archive, use gzip, show a verbose list of all files and use the given archive file -
archive.tgzthe name of the archive file to create -
/path/to/filethe path of the file to be compressed
The order of the files here is crucial. If the first file is the file you want to compress, it gets completely destroyed, because tar starts creating the archive by overwriting the first given file and realizes only afterwards, that the second given file doesn't exist. This is especially annoying if you wanted to make a backup of a file and used the wrong order of arguments...
🛡 How to prevent possible damage
Instead of grouping all flags together, you could separate the -f flag and use the longer version to remind yourself, which file the archive file is, e.g. like this:
tar -czv --file archive.tgz /path/to/file/to/compress
7. Too many rights
chmod -R 777 /
# instead of
chmod -R 777 ./
💡 That's what happens
-
chmod -Rapplies file permissions recursively -
777permission mode to set (permit everything) -
./the directory or file which should be changed
If you don't pay attention which directory you want to target and accidentally take the root directory instead of the current directory, you will mess up all permissions of your whole system, making it impossible to use anymore.
🛡 How to prevent possible damage
To prevent the result of the typo above, you can add the following alias:
alias chmod='chmod --preserve-root'
This will always decline a recursive change on the root directory.
8. The root of all evil
The same applies to owner changes:
chown -R root:root /
# instead of
chown -R root:root ./
💡 That's what happens
-
chown -Rapplies new owner recursively -
root:rootthe owner:group to set -
./the directory or file which should be changed
This will mess up all files in a similar way that you would most likely need to reinstall your system.
🛡 How to prevent possible damage
As we already did with chmod, you can add the following alias for chown too:
alias chown='chown --preserve-root'
This will also in this case always decline a recursive change on the root directory.
9. Encrypted and destroyed
fsck -y /dev/sda
💡 That's what happens
-
fsckperform a filesystem check -
-ythe flag to always attempt to fix any detected filesystem corruption automatically -
/dev/sdathe volume to check
This is normally a good thing, except your volume is encrypted. In this case, the attempt of fsck fixing it would destroy it completely. A filesystem can only be checked after it is unlocked.
🛡 How to prevent possible damage
Only use the fsck command if you're absolutely sure, that you're using it on a normal, unencrypted volume. To prevent damage caused by an attempt of automatically fixing errors, don't use the -y flag at all.
Wrap it up
We saw that it's incredibly easy to destroy data or make a whole system unusable by typing a simple command.
I found that in the end the best protection is knowing what you type and double check for typos before executing something! Never just copy and paste code—that's especially true for bash commands! And: always keep a good set of backups.
Most of the commands above need root privileges to be executed. So always be careful what you do as root!
If you know another evil command, please share it with us in the comments below.
Disclaimer: I'm not responsible for any damage you do to your system by trying the above commands. Please use a safe environment like a virtual machine for testing. You have been warned.
Edited: 16th December 2019 (🛡 section for damage prevention)
Published: 10th December 2019
Cover Image: https://codepen.io/devmount/full/ExaPBra
Oldest comments (68)
Interesting! Thanks for sharing!
You're very welcome. I'm glad if it's useful for you!
Oh my... This is like a BOFH toolkit! (If you don't know what BOFH is, Google it. IT entertainment from the early to mid-90s).
Well, yes you can see it this way 😅 but this post was completely meant for self protection not for making it easy for attackers... So I hope there are no BOFHs here... 🙊
A few of these scared me most in how easy it would be to make that mistake.
Yes same here. That was one of the reasons to write this post. However I read that some of these depend on the Linux distribution, but I wouldn't count on that. I was really surprised to see, that
chmodandchownboth have a--preserve-rootand--no-preserve-rootflag to prevent misuse, but the default argument is--no-preserve-root! So if you run a command without a "preserve" option, it will default to "no preserve" mode and hence change permissions on a lot of files that shouldn't be changed.I was thinking the same thing. Right up there with etherkillers.
If you don't know what an etherkiller is Google it. Basically an etherkiller is a modified ethernet cable that is hooked directly to a 110/220 power cord there are variations of that theme.
Wikipedia: The Bastard Operator From Hell (BOFH) is a fictional rogue computer operator who takes out his anger on users and others who pester him with their computer problems, uses his expertise against his enemies and manipulates his employer.
Hope this saves someone a couple of keystrokes.
The idea of googling it was for people to find the jokes, not the definition. ;)
It is better to use /dev/urandom
It is a PRNG and thus faster. /dev/random needs enough entropy otherwise it'll block.
I see, thanks for your suggestions! I updated the post accordingly ☑
4) on steroids (much much faster than dev/urandom):
WARNING: THIS COMMAND WILL DELETE YOUR ENTIRE HARD DRIVE
we are using AES cipher of openssl in parallel mode to encrypt a stream of plain zeros with some random pw. this will look like random data. then we write to sda
did not know the forkbomb :)
nice and entertaining article :)
I'm glad you liked it!
I got goosebumps through 1-4. This is really scary.
I've experienced number 7. 🤦🏽♂️
Darn you apache2!
Indeed it is!
I'm sorry to hear that, did you manage to restore the system?
Not at all. Thanks to git and Dropbox, my stuff was safe. I had to do a fresh install right after
Backups ftw! 💪🏻
Nice post
Thank You 😊
Thank you for sharing horrible commands we should take care of...
About N5 if you have a good IDE like vscode you can get back to it and there is a way like ctrl+z.
However it will become so much difficult if there were lots of changes.
You're welcome!
Yes you're right, with the help of external tools it might be possible to recover the data. I did this a few times with Sublime Text...
Great to see these explained. You might put a warning at the top, though:
...just for the readers who might not have caught how evil "evil" really is.
Thank you for this suggestions, I put that warning in! ⚠✔
just tried 1 command yesterday I'm commenting today to say that this post is savage hahaha
😅 Which command did you try?
Great article! The fork bomb is very funny.
I think you can still comeback from number 5 using git reflog, but it won't be funny :p
Thank you 😊
I don't think it's possible to recover uncommitted changes with
git reflog. This would only help people who actually had committed something.But I read that if lost changes are in files that were earlier added to the index (with
git add) it might be possible to recover the data withgit fsck --lost-found.I KNEW I'd see rm -rf on here, but the alias was a fun twist.
And you managed dd ♥️
Backstory: I see more than a few of these, but they'll show rimraf and skip over dd. This one... Yes. These are evil. You've earned your 🦄 lol
Thanks 😊
Yes I thought
rm -rfis very well known and therefore too boring 😅A coworker did an:
rm -rf /etc once...
Luckily we had an exact server with same config in the other rack an we restore it without service disruption
I wish a had a camera!
Thank you for sharing this story. This emphasizes again how important backups are (in whatever form)!
This is awesome 😂 Thanks for sharing!
Nice post, the cd alias was a evil trick, some debate and experiences here: twitter.com/co7wt/status/120465628...
Thank you!
You're very welcome. Thanks for sharing this repo, didn't know about this! There are even a lot more evil commands!