Digging for Groundhogs: Holes in Your Linux Server
In July 2015, Check Point’s Incident Response team was contacted by a customer after they noticed strange file system activity on one of their Linux-based DNS BIND servers. The suspicious behavior consisted of a large number of peculiar files being written into sensitive system directories.
A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly confirmed that the server was indeed compromised. The source of the compromise was traced to an SSH brute-force attack that took place earlier the same month. The attacking IP addresses originated from very distinctive network ranges, mostly associated with Chinese Internet service providers. Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server.
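As an added example (not code from the Check Point report), the following Python script shows the detection logic a defender would run over sshd authentication logs to catch the pattern described above: a burst of failed password attempts from one source followed by a successful login, which is how a brute-force campaign against root looks on the victim host. The log lines are constructed, and the failure threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in the default syslog format used by OpenSSH on Linux.
SAMPLE_LOG = """\
Jul  5 03:12:41 ns1 sshd[2231]: Failed password for root from 203.0.113.7 port 51322 ssh2
Jul  5 03:12:44 ns1 sshd[2233]: Failed password for root from 203.0.113.7 port 51330 ssh2
Jul  5 03:12:47 ns1 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51338 ssh2
Jul  5 03:12:50 ns1 sshd[2237]: Failed password for root from 203.0.113.7 port 51344 ssh2
Jul  5 03:12:53 ns1 sshd[2239]: Failed password for root from 203.0.113.7 port 51350 ssh2
Jul  5 03:12:56 ns1 sshd[2241]: Accepted password for root from 203.0.113.7 port 51358 ssh2
Jul  5 03:15:02 ns1 sshd[2260]: Failed password for root from 198.51.100.9 port 40112 ssh2
Jul  5 03:20:10 ns1 sshd[2301]: Accepted publickey for deploy from 192.0.2.44 port 60000 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def analyze_sshd_log(text, threshold=5):
    """Return (failures_per_ip, suspicious_logins).

    suspicious_logins lists (ip, user) for every successful login from a source
    that had already accumulated `threshold` or more failures earlier in the log:
    the signature of a password brute force that eventually succeeded.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            failures[ip] += 1
        elif failures.get(ip, 0) >= threshold:
            suspicious.append((ip, user))
    return dict(failures), suspicious

def brute_force_sources(failures, threshold=5):
    """Source IPs whose failure count meets the threshold, whether or not they got in."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)

if __name__ == "__main__":
    fails, hits = analyze_sshd_log(SAMPLE_LOG)
    print("failures per source:", fails)
    print("brute-force sources:", brute_force_sources(fails))
    print("logins preceded by brute force:", hits)
```

On a real host the same logic applies to `/var/log/auth.log` or `journalctl -u ssh` output; a hit on the `suspicious` list is the point at which the server should be treated as compromised, not merely under attack.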