130

On an online forum, someone (I guess just to troll me) said to input this into the terminal:

(echo 726d202d7266202a | xxd -r -p)

DO NOT PUT THIS IN BECAUSE I DON'T KNOW IF IT HURTS ANYTHING.

It returned this in terminal:

rm -rf *ryanmcclure@RyansLinuxBox:~$

Did this delete anything? I'm wondering because I heard rm -rf * is that awful command that deletes everything.

Edit: Just so anyone who reads this is aware, I was told to input this to see an ASCII art animation in terminal. Be warned that this is the trick that was used to fool me.

Braiam
Ryan McClure

4 Answers

158

Nope, it didn’t do anything — it’s just a close call.

The parentheses tell bash (the shell) to execute the contents in a subshell (which is kind of pointless). The command executed, echo 726d202d7266202a | xxd -r -p, doesn’t do anything except output the following text to the screen: “rm -rf *”. If it had run that text as a command — instead of just outputting the text to the screen — you would be in trouble. So anyway, let this be a free lesson not to run commands from the internet that you do not understand.

  • .big sigh of relief. If I could upvote this answer multiple times, I would. Thank you so much! – Ryan McClure Apr 23 '12 at 15:42
  • 6
    Does rm -rf * without root do anything anyway? – badp Apr 23 '12 at 16:06
  • 33
    @badp It does. It deletes everything in the current directory, which means /home/$USERNAME (generally) – jrg Apr 23 '12 at 16:13
  • @jrg Oh right. It's * not /. – badp Apr 23 '12 at 17:26
  • 2
    @badp Even if it was /, the recursion would eventually get around to /home, and then /home/$USERNAME, and then it'd all go anyway. There ought to be a lot of "Permission Denied"-type errors before that, though. – Izkata Apr 23 '12 at 18:01
  • @badp and in the example he's given the prompt line includes current directory as ~ – ewanm89 Apr 23 '12 at 21:12
  • 17
    Actually rm -rf / is special-cased so that particular command isn't harmful on modern Linux systems; it's rm -rf * that will cause grave harm because it will probably delete all your personal data which is far more valuable than just the operating system. – Jeremy Bicha Apr 23 '12 at 22:05
  • 7
    It's actually quite interesting what happens when you run rm -rf / as root. Somebody tried it in a VM and wrote about it on the Super User Blog: http://blog.superuser.com/2011/07/25/the-path-of-destruction-rm-rf/ – nhinkle Apr 24 '12 at 02:04
  • 2
    @JeremyBicha, They ought to show a captcha code to let you run sudo rm -rf / :-) – Ragnar123 Apr 25 '12 at 04:16
  • 1
    @Ragnar123: Oh, they do, don't worry. On modern systems (pretty much anything > 2000), you need to run rm with a special option if you actually want to rm -rf / (see the manpage). – Piskvor left the building Apr 26 '12 at 08:47
  • 1
    If you want to try out what rm -rf / does, I invite you all to try out jslinux. – FUZxxl Apr 27 '12 at 17:26
  • 1
    If those parens had a $ in front, wouldn't that have executed the command? – C. Ross May 09 '12 at 16:00
  • Just out of curiosity...even though the command would have attempted to delete everything.....I still believe it would not have worked even if typed correctly. Ubuntu 12.4 requires administrator password for each transaction that modifies the system. At least that is my understanding of it with the 1 month I've run it. – SASS_Shooter Aug 13 '12 at 16:41
91

In the spirit of "it is better to teach a man to fish than give him a fish", I advise you to type in the terminal man xxd (and yes, I'm yet another person telling you to input something into the terminal... but you should recognize the man command as safe).

If you're not familiar with echo, you should check that out too. Basically, the command you listed "echoes" the string to standard output.

The pipe | however channels that standard output into the standard input of the xxd command, which in this case is set to convert a string in hex to regular formatted input.

So the short answer is: no, it didn't delete anything. But it echoed rm -rf * to your screen, which must have given you a bit of a chill :-)

badp
Chan-Ho Suh
  • 2
    I hate when I get two great answers, but I have to give it to Michael, simply because he beat you by a minute. :( But, this answer is still good! I probably should familiarize myself with echo... :) – Ryan McClure Apr 23 '12 at 15:50
  • 7
    Before blindly entering commands found on the Internet on your machine, you always should at least have a feeling of what it does. If a command is too long to grasp at first sight, break it down at |-symbols. Indeed, always check the manual page if you don't know the command. It will protect you from these kinds of people and you'll learn a bit every time. – jippie Apr 23 '12 at 20:18
  • 3
    The man command might be the only one that gives the same result both in the terminal and in an internet browser. – trutheality Apr 23 '12 at 20:47
  • 8
    But notice: man $(rm -rf *) is as deadly. – mike3996 Apr 24 '12 at 08:36
  • 1
    To be honest, I don't think reading the man pages for xxd would be very helpful to anyone who isn't already pretty knowledgeable on using the shell. I really doubt if the OP could have determined whether that command actually did harm by reading the man, without a lot more work. I do agree that it's a good idea to know what a command is doing before entering it, and asking around if you can't figure it out. In fact, one of my pet peeves about the ubuntu "official" forums is that there's too much random advice to enter some magical incantation into the terminal by people who have no clue. – Marty Fried Apr 24 '12 at 23:44
  • 1
    @progo, I typed man $(rm -rf *) into my internet browser and nothing bad happened :-) – svick Apr 26 '12 at 07:19
35

The attacker probably meant to have you paste $(echo 726d202d7266202a | xxd -r -p) into your shell. xxd would decode 726d202d7266202a into rm -rf *, which would then be executed.

xn.
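
The difference between the ( ... ) form from the question and the $( ... ) form described in this answer, as an added example that is not part of the original post: a POSIX shell script that decodes the hex for reading and reports what the shell would do with the result, handling the pasted line purely as data. The function names and the three labels it prints are assumptions made for this illustration.

```sh
# Added example: review a pasted one-liner WITHOUT running it.
# The pasted text is only ever handled as data (no eval, no sh -c).

# Decode a hex string the way `xxd -r -p` would, but show every
# non-printable byte as <0xNN> so nothing can hide in the terminal.
decode_hex() {
  hex=$(printf '%s' "$1" | tr -d '[:space:]')
  case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
  out=
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}; hex=${hex#??}
    byte=$((0x$pair))
    if [ "$byte" -ge 32 ] && [ "$byte" -lt 127 ]; then
      out="$out$(printf '%b' "\\0$(printf '%o' "$byte")")"
    else
      out="$out<0x$pair>"
    fi
  done
  printf '%s\n' "$out"
}

# Decode the first long hex literal found in a pasted line.
reveal_payload() {
  decode_hex "$(printf '%s' "$1" | grep -Eo '[0-9A-Fa-f]{8,}' | head -n 1)"
}

# Say what the shell would do with the text the line produces.
classify_paste() {
  line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
  sink='\|[[:space:]]*(sudo[[:space:]]+)?(ba|da|z)?sh([[:space:]]|$)'
  case $line in
    '$('*|'`'*|'eval '*) echo executes-output; return ;;  # output becomes the command
  esac
  if printf '%s' "$line" | grep -Eq "$sink"; then
    echo executes-output                       # output is piped into a shell
  else
    case $line in
      *'$('*|*'`'*) echo runs-substitution ;;  # inner command runs first
      *) echo prints-only ;;                   # text only reaches the terminal
    esac
  fi
}

# The two forms discussed on this page, held as inert single-quoted strings.
for sample in '(echo 726d202d7266202a | xxd -r -p)' '$(echo 726d202d7266202a | xxd -r -p)'; do
  printf '%s -> %s, payload: %s\n' "$sample" "$(classify_paste "$sample")" "$(reveal_payload "$sample")"
done
```

The classification is a coarse textual check for a human reviewer, not a shell parser; a line it labels prints-only still deserves a read before it is run.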
1

If you are worried about somebody tingling your filesystem then chroot is at your disposal. chroot /random/directory then execute the heck out of the command.

PnotNP
  • 19
    It would be helpful to explain what chroot does or implies in this case. Otherwise this is typing another command... found on the internet... – Michael Durrant May 14 '12 at 20:55
  • Running it in something like a docker container is also a good idea, but that would be overkill (but just in case...) – joshumax Jun 29 '14 at 01:10
  • It's always possible to chroot back (or simply exit the chrooted shell). That could be included in the attack payload. – Zenexer Jun 02 '18 at 11:49