Does cat see all?
Mon Apr 07 2025

Suspicious files must be examined to determine their content, but can cat be entirely trusted? Here is an example of how output can be overwritten by manipulating the cursor position with escape codes:

```bash
echo -e '#!/bin/sh\necho "malware"\nexit\n\033[A\033[Aecho "nothing to see here"' > script.sh
```

Without reading further, what output is expected for cat script.sh? Let’s check:

```bash
cat script.sh
#!/bin/sh
echo "nothing to see here"
```

How about more or less? Would those display the entire content?

```bash
more script.sh
#!/bin/sh
echo "nothing to see here"
```

```bash
less script.sh
#!/bin/sh
echo "malware"
exit
ESC[AESC[Aecho "nothing to see here"
script.sh (END)
```

Trust your intuition regarding suspicious files until proven otherwise. Don’t rely on only a single tool.
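
One way to check a file for such sequences before it reaches the terminal, as an added example that is not part of the original post. The function names ctrl_bytes and inspect are hypothetical, and bytes at or above 0x80 are assumed to be ordinary UTF-8 text:

```bash
#!/bin/sh
# Added example: detect and neutralise terminal control bytes
# before a suspicious file is printed to the screen.

# ctrl_bytes FILE: print how many bytes are C0 controls or DEL.
# Tab, newline, printable ASCII and bytes >= 0x80 (assumed UTF-8 text)
# are deleted first, so what remains is ESC, CR, BS and similar.
ctrl_bytes() {
    LC_ALL=C tr -d '\11\12\40-\176\200-\377' < "$1" | wc -c | tr -d ' '
}

# inspect FILE: print the file. If control bytes are present, route it
# through cat -v so ESC is shown as ^[ instead of being interpreted.
# Returns 1 when the file was flagged, 0 otherwise.
inspect() {
    if [ "$(ctrl_bytes "$1")" -gt 0 ]; then
        echo "WARNING: $1 contains $(ctrl_bytes "$1") control byte(s)" >&2
        cat -v -- "$1"
        return 1
    fi
    cat -- "$1"
}

# Constructed sample: the same payload as script.sh in the post.
sample=$(mktemp)
printf '#!/bin/sh\necho "malware"\nexit\n\033[A\033[Aecho "nothing to see here"\n' > "$sample"
inspect "$sample" || echo "(flagged)"
rm -f "$sample"
```

Files with CRLF line endings are also flagged, because a bare carriage return can be used to overwrite the current line in the same way.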

Thanks for reading!