Trusted Design

Digging for groundhogs: holes in your linux server

概要

In July 2015, Check Point’s Incident Response team was contacted by a customer after they noticed strange file system activities in one of their Linux-based DNS BIND servers. This strange behavior consisted of a large amount of peculiar files being written into sensitive system directories. A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised. The source of this compromise was traced to an SSH brute force attack that took place earlier the same month. The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers. Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server. Once they obtained access to the server, the attackers infected the system with two malicious payloads.

Created: 2026-02-23

Indicators

• hostname - ndns.dsaj2a.org -
• FileHash-SHA256 - e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc -
• FileHash-SHA256 - 49963d925701fe5c7797a728a044f09562ca19edd157733bc10a6efd43356ea0 -
• FileHash-SHA256 - 34700258a7cd947c85c3465680c0f0855940fe1380efd65a0f99501248078a24 -
• FileHash-SHA256 - 4bf0b1243d9ced3740f86015eb9bbf610000ac342ff133e14cf1f783be8eb6dc -
• hostname - aaa.xxxatat456.com -
• FileHash-SHA256 - 8c459a7cf1337bca62c256717273bb49c1166b05c97b5afcd5b04932beb33b97 -
• FileHash-SHA256 - 6b901291d59efe98e34f245f8cf52aed5a10e94b591e66896d36bbe7717d53dd -
• hostname - ndns.dsaj2a1.org -
• hostname - aaa.gggatat456.com -
• FileHash-SHA256 - f7dd38bb822b09fae818c9cf7ccf38e147256966d2075b18d70b9295f3806b06 -
• hostname - groundhog.mapsnode.com -
• FileHash-SHA256 - ce46658b3ec80b2d25eac5b629b488f5808cce2da8683daad58bb23204bb0aad -
• FileHash-SHA256 - edbfaba19072beeeb2cfdbf56d3f4f820f90404d5782f6bdbfb0583be1be0ddd -
• FileHash-SHA256 - f862de27e5d6c33e9de8b8ef907f2621fd86cbbadf6bfc019143cb546dbd9e14 -
• FileHash-SHA256 - c962232ca3780814389e56868363688d238ab1b714ff69f18cb2595d0b718825 -
• hostname - gh.dsaj2a1.org -
• FileHash-SHA256 - 1bba5771b3c3412bd8a0cb060575f5b2aa2d498baa99e9e5405f3f5145d31973 -
• FileHash-SHA256 - 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba -
• FileHash-SHA256 - bf4495ba77e999d3fe391db1a7a08fda29f09a1bbf8cad403c4c8e3812f41e90 -
• hostname - www1.gggatat456.com -
• FileHash-SHA256 - dced727001cbddf74303de20211148ac8fad0794355c108b87531b3a4a2ad6d5 -
• hostname - jq.cfdddos.com -
• FileHash-SHA256 - d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff -
• FileHash-SHA256 - e95c0cea8a0e90c7670387512d1b99a8f6f78fa70e2cb35763e2ba5453b14cfa -
• FileHash-SHA256 - 19c25663f2912ab9dd1f7907e2907d6f4b332fda85d05ebec97ee29ea25ef5f4 -
• FileHash-SHA256 - 64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33 -
• FileHash-SHA256 - 9a8c589fbfa928bacea0f323fe61e398dc370e2fd72229fc36a9af53004f6c9c -
• FileHash-SHA256 - 44153031700a019e8f9e434107e4706a705f032898d3a9819c4909b2af634f18 -
• FileHash-SHA256 - 859a952ff05806c9e0652a9ba18d521e57090d4e3ed3bef07442e42ca1df04b6 -
• FileHash-SHA256 - 834eb864a29471d0abe178068c259470e4403eb546554247e2f5832acf9586ab -
• hostname - ns4.hostasa.org -
• FileHash-SHA256 - 6a4541d2b7b5f1b9ad3becefe257e0ebc3648d6275e663a921ec5fa905ad6cfd -
• FileHash-SHA256 - 292adb2a5917259e10fbfce5e936f993dad8bf1d813e3b9d5d9c9bf4ea4b8037 -
• hostname - ns1.hostasa.org -
• FileHash-SHA256 - 24b9db26b4335fc7d8a230f04f49f87b1f20d1e60c2fe6a12c70070bf8427aff -
• hostname - www.gggatat456.com -
• FileHash-SHA256 - 0b09ac166546cd7b4bcfb745e4098a1afb6d1d08d78d5bf77c04a67a8a0dd2f8 -
• FileHash-SHA256 - 022b8d68e117bc9107a4c22eac56548bcc96ac7430245644e3306d98b9010d05 -
• hostname - ns3.hostasa.org -
• FileHash-SHA256 - b84cf164fde12dd07192aa44f1b943044610539fd979e0f9359d44062f21a612 -
• FileHash-SHA256 - 54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d -
• hostname - www.xxxatat456.com -
• hostname - uc.f1122.org -
• FileHash-SHA256 - 926bc6bbd17d86da5b7cb5fd4265217e8a289a14da8e85a7c5b9b10a84dea7b0 -
• FileHash-SHA256 - a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681 -
• domain - navert0p.com -
• domain - wangzongfacai.com -
• hostname - ndns.dsaj2a.com -
• hostname - ns2.hostasa.org -
• FileHash-SHA256 - 5f19e73c88d32148bde454e788d06ec8d9910d850cf1152cb2b29e354e100575 -
• FileHash-SHA256 - 072ca4c25ca70e68af5e9f452176459ef4d0b2df24417ccb4448aab654fc22ef -
• FileHash-SHA256 - 7b7cd047dc04cbb5c88c2768ba80d5caba572ea17d3ccec0a40af4a530def810 -
• hostname - zhegege.3322.org -
• FileHash-SHA256 - eb0c0587cf20c81921b7b6d174177ef8b11133bb65a760d9016fbdce917a2ee6 -
• FileHash-SHA256 - a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68 -
• hostname - linux.bc5j.com -
• FileHash-SHA256 - 498f3348df1b6804db2692e4f937d7cbefd71916e83a9421347077fb1cdafa95 -
• FileHash-SHA256 - 4240e265ad237382e5a2c22f65f022775c07463e5309439d226c2cc1f852624b -
• FileHash-SHA256 - 74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520 -
• FileHash-SHA256 - 0c20826dc6d105cc7ff6fc79c68605bd1503c2de320d2d636384a8618f126552 -
• FileHash-SHA256 - 9c79670d65ffd317d7f1a0ca75e4870720a0321f8634f7ec7fe2385e28222c26 -
• FileHash-SHA256 - 64f241c9724fd9065f9c68c67a767406df7cd60fd0ea94cc7a2cce485b0aa061 -
• hostname - ndns.hcxiaoao.com -
• FileHash-SHA256 - 82ea63f37f85e4853ae64473d933f73eed0bb484ae7db0d39104659b75a223f4 -
• FileHash-SHA256 - 5d6c8c82ed6d218478b6a6cb9e9808c5248de52eff4eaadabb94766c3c8e8e23 -
• FileHash-SHA256 - 2c37f104ec1e9f70a9fa316757e1a512241d72dbd95ad092a817ac3854e03036 -

類似Pulses

• SSH Bruteforce / Linux XOR Malware / DDoS UPDATED: 14/04/2016 (score: 0.65)
• SSH Attacker d/l's DDOS, Backdoors - ChinaZ - GoArm, BillGates (score: 0.64)
• Suspicious IP addresses (score: 0.64)
• Attack Gains Foothold Against East Asian Government (score: 0.62)
• Linux DDoS Malware delivered via SSH (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る