Insider Threat Management

8 Risky Commands in Unix

Share with your network!

Dangerous commands in unix

(Updated on 10/11/2020)

In Unix, commands are used to execute specific tasks in IT functions such as development, maintenance, and production. Many of these commands are needed for businesses to operate and play key roles in each department or business unit. There are hundreds of commands and most of them are used for day to day operations and are innocuous, but some are very powerful and if used corruptly or maliciously to destroy a system, can cause millions of dollars in losses. Due to their very nature, commands can be very dangerous and companies should take the appropriate security measures such as monitoring and alerting on them.

The Risk of Privileged Unix Users

When it comes to safeguarding against commands, your privileged users are the group that is the riskiest. Privileged users, such as admins who have the access and expertise into the Unix operating system, are the user group that has the know-how to use the commands to steal data, destroy systems, and get away with it. This makes it extremely important to monitor privileged users and create alerts for specific Unix commands that may be used for illegal or malicious purposes.

8 Risky Commands in Unix

A privileged user who wants to compromise a company’s data or system has a plethora of Unix commands at his disposal. Some commands are more dangerous than others and can delete all of a company’s invaluable data while others can steal data without being detected. Certain commands write over hard drives and others move files to hidden folders. Many commands have modifiers which are subtle changes to a command that can perform specialized tasks.

As you can see, commands can be dangerous but which ones are the most dangerous? To help companies protect themselves against these commands and insider threats risk, below are the most dangerous commands that every company should know:

1.  Sudo

Sudo is one of the most dangerous commands in Unix because it allows the user to delegate privileges to run commands as a root or another user. This is important because root (also know as root user, root account, and super user) has access to all of the commands in Unix.

Using sudo to become the root user is ideal for privileged users like admins because it allows them to create new system users, access files, authorize network activity, and change systems, giving them the ability to steal data or act maliciously if they choose to.

Example 1: A disgruntled admin creates a backdoor (a hidden entrance back into the system) to elevate privileges to root so that he can run a cron, which is program that enables Unix users to schedule commands or scripts at a specific time and date. When the scheduled cron job runs, it will open up root user permissions allowing the user to re-enter a system to steal data or cause havoc.

Example 2: A user runs a “set use ID upon execution (setuid)” which allows him to run programs with temporary elevated privileges. If a user decides to escalate his privileges to root, he will have access to all commands, and have temporary ability to harm a company’s entire system.

2. Copy

A copy command that makes a copy of your files or directories is cp. It can copy multiple files, back up files before moving them to a destination, and preserve links while copying. An admin can use the copy command to copy sensitive data to a hidden folder, enabling him to steal the data without triggering any alarms.

Example: An admin is leaving an employer to go to a competitor and decides to copy the customer directory. This gives them a copy of all the customer names, email address, phone numbers, and other PII to take to their next employer, which can result in a loss of customers and revenue for the breached company.

3. Remove

A very dangerous command that can delete specific files or directories is rm. In Unix, the use of rm is especially risky because there is no undelete command, so once deleted, it’s unrecoverable. If a privileged user escalates his privileges to sudo and decides to use rm, then he could permanently remove sensitive and valuable data from the system. The rm command has many modifiers, which can delete configuration files, folders, etc.

Below are 6 modifiers of the rm command:

  1. rm -rf / deletes everything in its path, including files on hard drives or connected devices.
  2. –rf removes the prompt that asks the user if he really want to delete a file or directory. This command is very dangerous to run because there is no undelete command in Unix, so once deleted, it cannot be recovered.
  3. / tells rm to start in the root directory, which contains all the files on a computer.
  4. (rm –rf/) hides the rm command in a snippet of code and runs the rm command once the snippet is executed.
  5. rm –rf ~ is a modifier that can delete all files in your home folder.
  6. rm -rf .* is a modifier that can delete all of your configuration files.

Example 1: A recently terminated admin embedded the rm-rf/ command into an update script that’s schedule to run later in the week. When the script is executed, the hidden command deletes anything that it comes across such as intellectual property, trade secrets, account data, or PII.

Example 2: A corrupt admin uses a –rf command that gets rid of the prompt that asks if you want to permanently delete a file. The next day, one of the team members proceeds to perform a daily task and accidently deletes important files because he did not see a prompt.

4. /dev/sda

In Unix, /dev/sda runs is another very dangerous command because it writes data directly to the hard drive and can destroy a company’s filesystem. It’s actually more dangerous than the rm command because it writes over a hard drive with junk and makes it nearly impossible to recover the original data.

Below are two modifiers of the /dev/sda command:

  1. ext4 /dev/sda1 is a command that creates a new ext4 and specifies the first partition on the first hard drive. This is a dangerous command that wipes out the hard drive with a new file system.

Example: A disgruntled admin decides to run the dev/sda on a user directory to corrupt it with garbage data. The directory will be inoperable and the user accounts and permissions will need to be reassigned creating a major strain on a company’s IT resources.

5. Move

The Unix move command that can move files or folders to new locations is mv. A privileged user can use the mv command to move files or folders to a new location and freeze up the company computers, which can be extremely time consuming to fix because it requires searching for the files or folders and then moving them back.

  • mv ~ /dev/null is a dangerous modifier of the mv command that moves a home folder to /dev/null, which can destroy all of a company’s files and delete the original copies.

Example: A rogue admin accesses the shadow/seshadow folder that stores all encrypted passwords and moves it to a source that only he has access to. The rogue admin now has a copy of all of the company’s passwords and can do a wide-range of illegal activity that can hurt a company seriously.

6. wget

A Unix command that will download files over the network is wget, which stands for “web get”. It’s non-interactive and works in the background even if the user is not logged on. Wget is a powerful command that has number of downloading capabilities such as downloading a single file from the Internet, downloading a file that can be saved locally under a different name, and resuming an interrupted download previous started by wget itself. When used with sh (bourne shell), wget can download and execute the run file and become a very dangerous command.

Example: An admin who wants to cause damage to a system writes a script to update Perl and embeds a wget command. When the Perl update script executes, the wget command downloads a run file from a website that the admin knows is infected by malware, and then the sh command executes the run file, causing an enormous amount of damage to a company’s system.

7. su

The su (su user –c) command stands for “switch user” or “substitute user,” and allows a user to get the access of another user. Admins use su to switch users rather than becoming the root user because there is less potential for accidental or malicious damage to occur. However, su is a dangerous command because it allows a user to access another user’s permissions which could lead to stolen data, damages systems, or worse.

Example: An admin at a healthcare company wants to enter a database to look at the health history of a politician by using another admins account. This tactic gives the admin the authority he wants without escalating privileges to root (which may set off alarms).

8. Leap frogging

Leap frogging is the act of remotely connecting from one network to another network more than once.

Example: A remote vendor has access to RDP to multiple servers at a company. He is authorized to work on a server but decides to send an ICMP command to probe what other resources are on the network. After discovering the domain controller, which he can access because his account is enabled for RDP on the domain, he is able to escalate privileges and remote into the PCI server and access client card information.

Final Thoughts

In conclusion, Unix commands are used to execute specific tasks in IT, but when used to steal data or maliciously damage a system, they can be extremely dangerous. Privileged users have the access to these commands in Unix and the expertise necessary to use them illegally and get away with it.

Some of these eight commands are more deadly than others, such as the 8 dangerous commands presented, and can steal or devastate a company’s system for a substantial amount of time. Due to this, it’s crucial to monitor and alert on these commands.

Learn about Proofpoint Insider Threat Mangement, a user activity monitoring solution that has the capability of monitoring and alerting on these eight dangerous commands and enables companies to protect themselves against privileged users who want to steal sensitive data or maliciously damage systems.

Subscribe to the Proofpoint Blog