What is the risk of copy and pasting Linux commands from a website? How can some commands be invisible?
Websites can append to your clipboard
The risk is exactly what you said it was. It's definitely possible to append malicious commands to the clipboard.
You could even append && rm -rf /* (only executes if the first command was successful), or ; rm -rf /* (executes even if the first command was unsuccessful) and brick certain UEFI devices.
You should also check out Michael's post in this thread for another example.
In the end, it really depends on how creative and malicious a particular evil "hacker" is.
But how can you make the commands "invisible" in the terminal?
Method one
echo test;echo insert evil here;clear;echo installing package
Execution order:
- Echo "test" happens
- Echo "insert evil here" happens
- Actions are "cleared"
- Intended action happens here, but you don't see the rest.
...
You can try to scroll up in the terminal window to find the rest of it.
Method two
stty -echo; tput smcup
This will disable the terminal from showing what you're typing, so it doesn't appear in the terminal window at all.
You can try it like this:
stty -echo;tput smcup;echo evil commands expected command
Those are just two really rough examples, but they show the potential of what can be done to obfuscate commands. Note that it likely doesn't hide from ~/.bash_history unless the hidden commands specifically delete/modify its contents.
You should assume that there are other ways to do this.
Mitigation
I recommend using an addon to disable clipboard manipulation. There are unfortunately ways to get around that, so I'd recommend pasting everything into a GUI text editor before it goes into your terminal, or anywhere.
You need to verify what you're doing. If you don't understand each individual command, you should google it. This is proper tinfoil hattery because copy and pasting can force the commands to auto-execute on many Linux flavors.
Repairing your Linux installation
You might not have any idea how deep the rabbit hole goes. Unless you have the time and effort to put into it, I'd suggest you just nuke from orbit, unless you have important files. If you have important files, just back up the non-executable stuff (no pdfs, documents, etc), and then nuke from orbit.
If you have PDFs, you can convert the PDF to post-script, or copy and paste the contents into a text file. With documents, copy and paste the text and format it later.
There is a risk. Websites can use CSS and JavaScript to hide things and then when you copy from that website, you actually copy what they want. @Gumbo provided the example: https://thejh.net/misc/website-terminal-copy-paste.
The fix: Don't copy and paste from websites you don't trust. Or visit them.
Yes, cutting and pasting commands from untrusted web sites can be dangerous. The text you paste will always contain the text you copy, but can have more text before, in between or after that.
On the web page this is done by CSS. Just make the extra text invisible. It will still be copied.
When you paste it in a terminal, the extra text will be shown. However, if it contains a newline it will be immediately executed and the damage will be done. Also, it can contain commands to clear away the extra text.
To avoid the danger, paste the text into a text editor. Look it over. And then copy it from the editor to the terminal.
Just... make sure you understand the command well enough that you know it is safe. The other danger of pasting unknown commands is that you simply don't understand what you are doing.
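The "look it over before it reaches the terminal" step that the answers above recommend can be partly automated. The following is an added example, not code from any of the original answers: it flags embedded newlines, invisible characters, chained commands and the output-hiding commands mentioned in the first answer. The function names, the sample strings and the inclusion of `reset` are assumptions of this example.

```python
import re
import unicodedata

# Commands the first answer uses to hide what was pasted (`reset` is an addition of this example).
HIDING = re.compile(r"\b(clear|reset|stty\s+-echo|tput\s+smcup)\b")
# Separators that chain another command onto the one you meant to copy.
CHAIN = re.compile(r"&&|[;|`]|\$\(")

# Constructed samples: the first is "method one" from the page, the second
# imitates hidden text with embedded newlines and a zero-width character.
PAGE_SAMPLE = "echo test;echo insert evil here;clear;echo installing package"
MULTILINE_SAMPLE = "echo hidden step\nstty -echo\nls\u200b -la"


def inspect_paste(text):
    """Return (line_number, finding) pairs; line 0 means the paste as a whole."""
    findings = []
    lines = text.split("\n")
    if len(lines) > 1:
        findings.append((0, f"{len(lines) - 1} newline(s): earlier lines run on paste"))
    for n, line in enumerate(lines, 1):
        for ch in line:
            # Cc = control characters, Cf = format characters such as zero-width space.
            if unicodedata.category(ch) in ("Cc", "Cf"):
                findings.append((n, f"invisible character U+{ord(ch):04X}"))
        hide = HIDING.search(line)
        if hide:
            findings.append((n, f"hides output or input: {hide.group(0)}"))
        if CHAIN.search(line):
            findings.append((n, "chains more than one command"))
    return findings


def show(text):
    """Render the text with every non-printable character made visible."""
    return "".join(
        ch if ch == "\n" or ch.isprintable() else f"<U+{ord(ch):04X}>" for ch in text
    )


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, MULTILINE_SAMPLE):
        print(show(sample))
        for line_no, finding in inspect_paste(sample):
            print(f"  line {line_no}: {finding}")
```

An empty result only means none of these particular patterns matched; it does not replace reading and understanding the command.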