0

I'm getting a very strange output from a script. Here is the line run in the terminal by itself:

root@KaliTestBox:~/Desktop/dns1# echo $(whois 13.66.39.88 |head -n 40 |tail -n 28 |tr '\n' ' ')

But the output is running an "ls" somehow? Using block quotes as I removed newlines to use in a CSV. Everything in bold is an "ls" run twice? I don't understand. The actual whois is below it.

EDIT: looking at this it's something to do with the *, but that doesn't work just put into the command line? I'm still posting and changing the title: why does the star in the script dump the directory contents? Isn't this kind of thing a security risk?

> root@KaliTestBox:~/Desktop/dns1# echo $(whois 13.66.39.88 |head -n 40 |tail -n 28 |tr '\n' ' ')

NetRange: 13.64.0.0 - 13.107.255.255 CIDR: 13.96.0.0/13, 13.104.0.0/14, 13.64.0.0/11 NetName: MSFT NetHandle: NET-13-64-0-0-1 Parent: NET13 (NET-13-0-0-0-0) NetType: Direct Assignment OriginAS: Organization: Microsoft Corporation (MSFT) RegDate: 2015-03-26 Updated: 2015-03-26 Ref: https://rdap.arin.net/registry/ip/13.64.0.0 OrgName: Microsoft Corporation OrgId: MSFT Address: One Microsoft Way City: Redmond StateProv: WA PostalCode: 98052 Country: US RegDate: 1998-07-09 Updated: 2017-01-28 Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to: Comment: **Akamai Akamai1 Akamai DNS.rtf Akamai_hosts_4-30.txt Akamai_hosts_cleaned complete-domainlist-4-30.txt dns2 dnschecker.sh dnsCSV dnsCSV1 dnsCSV.7z dnsCSVexternal dnsCSVfail DNS Exp1.7z dnsExport2.7z dnsExternal1.txt dnslist1 dnslistProd DNSlist.txt exeternalNmap1.txt externalNmapOutput externalNmapProd ipsExternal1.txt ipsExternal2.txt LVSIDEV.txt LVSIP.txt LVSIRED.txt LVS.txt LV_Website_Management.xlsx MarkMon_12-27-2018.xls prodAkamai1Url prodAkamaiUrl1 rvCSV rvCSVerror rvdns.sh test test1 test2 test3 test4 test5 test6 test7 whoischeck.sh whoisCSV whoisCSV3-25** https://cert.microsoft.com. 
Comment: Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact: Comment: **Akamai Akamai1 Akamai DNS.rtf Akamai_hosts_4-30.txt Akamai_hosts_cleaned complete-domainlist-4-30.txt dns2 dnschecker.sh dnsCSV dnsCSV1 dnsCSV.7z dnsCSVexternal dnsCSVfail DNS Exp1.7z dnsExport2.7z dnsExternal1.txt dnslist1 dnslistProd DNSlist.txt exeternalNmap1.txt externalNmapOutput externalNmapProd ipsExternal1.txt ipsExternal2.txt LVSIDEV.txt LVSIP.txt LVSIRED.txt LVS.txt LV_Website_Management.xlsx MarkMon_12-27-2018.xls prodAkamai1Url prodAkamaiUrl1 rvCSV rvCSVerror rvdns.sh test test1 test2 test3 test4 test5 test6 test7 whoischeck.sh whoisCSV whoisCSV3-25** abuse@microsoft.com.

whois output:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#


NetRange:       13.64.0.0 - 13.107.255.255
CIDR:           13.104.0.0/14, 13.64.0.0/11, 13.96.0.0/13
NetName:        MSFT
NetHandle:      NET-13-64-0-0-1
Parent:         NET13 (NET-13-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-03-26
Updated:        2015-03-26
Ref:            https://rdap.arin.net/registry/ip/13.64.0.0



OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-09
Updated:        2017-01-28
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.  
Comment:        
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse@microsoft.com.  
Comment:        
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure@microsoft.com.  
Comment:        
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc@microsoft.com
Comment:        
Comment:        For routing, peering or DNS issues, please 
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            https://rdap.arin.net/registry/entity/MSFT


OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/MAC74-ARIN

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/MRPD-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
  • 2
    Double-quote the command substitution, or better yet don't use echo and $() like this (they mostly cancel each other out); just run the command directly. BTW, this is a near-duplicate of: When is double-quoting necessary? (that concerns variable substitution, but the same thing applies to command substitution). – Gordon Davisson Jun 25 '19 at 03:42
  • If you check the Ref: link from the whois output you will see that you can obtain the same data from arin.net in json format which you can extract and format in proper .csv with jq, instead of trying to "parse" it with $(whois | head | tail | tr). You can even bulk download the whole data –  Jun 25 '19 at 08:37

1 Answer

2

You don't need echo $(somecommand) to see the output of somecommand. Just somecommand is enough. You don't usually use echo to see the output of other commands, and you don't need it here either.

What is also happening in your case is that you are using the command substitution (the $(...) bit) unquoted. When you do this, two things happen:

  1. The shell splits the result of the expansion (the output of your pipeline) into words based on the contents of $IFS. By default, this means that each whitespace-separated string will become one word.

  2. Each word generated in the word-splitting stage undergoes filename generation ("globbing"). This means that if a word is a valid filename pattern, like * (which occurs a number of times in the whois output), then the shell will try to match it against the filenames available in the filesystem.

This means that you will get the same effect as if you did

echo *

But the main point here is that you don't need echo to see the output of your pipeline at all. Just remove the echo and the $(...):

whois 13.66.39.88 | head -n 40 | tail -n 28 | tr '\n' ' '
Kusalananda
  • 333,661
  • Ok so this is helpful. I'm not sure why you keep highlighting I don't need to use the command sub. If I didn't, it wouldn't show the result I'm talking about. I have to use it in my script because I'm checking it inside another function. Thank you for the explanation of * – bashCypher Jun 25 '19 at 23:39
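
The word-splitting and globbing steps from the answer, reproduced offline as an added example (not code from the question or the answer). The `fake_whois` function, the scratch directory and its two file names are constructed stand-ins for the real `whois` pipeline and the asker's directory; the point for scripts is that remotely supplied text containing `*` pulls local file names into the output unless the substitution is quoted.

```shell
#!/bin/sh
# Constructed stand-in for the whois pipeline: comment lines carrying a bare '*'.
fake_whois() {
    printf '%s\n' \
        'Comment:        please submit reports to:' \
        'Comment:        * https://cert.example.' \
        'Comment:        * abuse@example.com.'
}

# Scratch directory with constructed file names, so a glob has something to match.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/dnschecker.sh" "$demo_dir/whoisCSV"

# Unquoted: the output is split on $IFS, then every word is glob-expanded,
# so each lone '*' is replaced by the directory listing.
unquoted() (
    cd "$demo_dir" || exit 1
    echo $(fake_whois | tr '\n' ' ')
)

# Quoted: no splitting and no globbing; the text arrives as one untouched string.
quoted() (
    cd "$demo_dir" || exit 1
    echo "$(fake_whois | tr '\n' ' ')"
)

# Unquoted with 'set -f': globbing is off, so '*' survives, but word
# splitting still happens and runs of whitespace collapse.
noglob() (
    cd "$demo_dir" || exit 1
    set -f
    echo $(fake_whois | tr '\n' ' ')
)

# For use inside a script: an assignment is never split or globbed, and
# every later expansion of the variable is quoted. 'tr -s' squeezes the padding.
in_variable() (
    cd "$demo_dir" || exit 1
    line=$(fake_whois | tr '\n' ' ' | tr -s ' ')
    printf '%s\n' "$line"
)

echo "unquoted:    $(unquoted)"
echo "quoted:      $(quoted)"
echo "noglob:      $(noglob)"
echo "in_variable: $(in_variable)"
```
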