Guardicore - Caught red handed - Alex

Opportunistic hackers are far from the limelight these days, but they still exist and can cause a large amount of damage if they manage to break into your systems. We recently observed our Data Center Security Suite catch such a hacker, an “Alex” from Romania who kindly supplied his own name and private domain for publicity.

Despite this being a very typical attack, we think it is worth going over the entire flow in order to highlight current techniques. We will be using screenshots from Guardicore’s Security Suite to demonstrate “Alex’s” flow.

We can clearly see our attacker trying to connect to a target server, where our product silently and dynamically redirected him to the honeypot. From there, we can observe the brute-force root login attempts. It is also easy to tell that the attacker is a human being: automated attacks do not wait 22 seconds between password guesses, nor 21 seconds after receiving a password prompt.

In the end, we let the attacker in for further observation.
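The timing giveaway above can be turned into a simple heuristic: group failed logins by source address and look at the gap between consecutive guesses. A scripted brute forcer fires several guesses per second, while a person typing at a prompt leaves gaps of many seconds. The following is an added example, not Guardicore’s code or the honeypot’s own logic. The log lines are constructed in an auth.log-style format, and the 5-second threshold is an assumption chosen to separate the two patterns, not a value from the post.

```python
"""Classify SSH brute-force sessions as human-paced or automated from the
timing of failed logins. Added example; log lines and thresholds are
constructed, not taken from the incident described in the post."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches OpenSSH "Failed password" lines in syslog/auth.log format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: one slow, human-paced attacker (203.0.113.7, roughly
# 22 s between guesses) and one scripted one (198.51.100.9, several per second).
SAMPLE_LOG = """\
Mar 10 14:02:03 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 14:02:25 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 14:02:46 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 14:03:09 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 14:05:00 honeypot sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar 10 14:05:00 honeypot sshd[1301]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Mar 10 14:05:01 honeypot sshd[1302]: Failed password for root from 198.51.100.9 port 41004 ssh2
Mar 10 14:05:01 honeypot sshd[1303]: Failed password for root from 198.51.100.9 port 41006 ssh2
Mar 10 14:05:02 honeypot sshd[1304]: Failed password for root from 198.51.100.9 port 41008 ssh2
"""

HUMAN_MIN_GAP = 5.0  # seconds; assumed cut-off between typing and scripting


def parse_failures(log_text, year=2024):
    """Return {source_ip: [datetime, ...]} of failed password attempts.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["src"]].append(ts)
    return attempts


def classify(timestamps, min_attempts=3):
    """Judge one source's cadence from the median gap between guesses.

    The median is used rather than the mean so a single long pause (the
    attacker stepping away) does not make a script look human."""
    stamps = sorted(timestamps)
    if len(stamps) < min_attempts:
        return {"attempts": len(stamps), "median_gap": None, "verdict": "too few attempts"}
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    med = median(gaps)
    verdict = "human-paced" if med >= HUMAN_MIN_GAP else "automated"
    return {"attempts": len(stamps), "median_gap": med, "verdict": verdict}


def report(log_text):
    """Classify every source seen in the log; returns {source_ip: result}."""
    return {src: classify(ts) for src, ts in parse_failures(log_text).items()}


if __name__ == "__main__":
    for src, result in report(SAMPLE_LOG).items():
        print(f"{src:15} attempts={result['attempts']:2} "
              f"median_gap={result['median_gap']} -> {result['verdict']}")
```

On the constructed sample the first source comes out as human-paced with a median gap of 22 seconds and the second as automated; in practice the same grouping should also be keyed on the sshd process ID, since a human reuses one session while a script often opens a new connection per guess.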

Attacker poking around the honeypot

After a quick look around, the attacker attempts to download files from multiple websites hosted under and execute them. The honeypot allows the downloads and intercepts the files, and shortly after he runs the tools we cut the honeypot off, ending the incident.

Further investigation on our end shows that the attacker downloaded a Perl script that provides DoS capabilities, and a custom toolkit that provides backdoor access to the server along with tools for lateral movement in the network, built on recompiled versions of tcpdump and nmap.

Denial of Service script example

A quick look around the hacker’s website (https://k3nz0rhacking.alter broken link) shows that he is a freelance hacker for hire from Romania offering Denial of Service services.

With the incident closed, we think there are several interesting notes to take from such a simple attack.

  1. There are still freelance hackers who have very distinctive ‘human’ giveaways and work with amateur techniques such as password guessing and manually looking around a compromised machine.
  2. Protecting yourself from brute-force password guessing is still relevant in the age of modern exploits.
  3. Being part of a DoS botnet is still an active risk on today’s Internet, and you should monitor your network egress traffic to make sure you are not infected.
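The third point is easy to act on if you already collect flow records from your edge: a host that has been recruited into a DoS botnet shows up as an internal source pushing a sustained, high packet rate toward a single external destination, often spraying many destination ports. The following is an added example and not Guardicore’s code or the Perl script the attacker used. The flow records are constructed tuples standing in for what a flow exporter would emit; the 10/8 internal range, the 10-second window and the 1000 packets-per-second threshold are assumptions chosen for the sample, and a real deployment would tune them to its own baseline.

```python
"""Flag internal hosts whose egress traffic looks like DoS participation.

Added example; the flow records below are constructed, and the network
range, window size and packet-rate threshold are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow records: (timestamp_seconds, src, dst, proto, dst_port, packets)
# 10.0.5.4 floods 192.0.2.50 over UDP on random ports within one 10 s window;
# 10.0.1.2 is ordinary HTTPS browsing; the third group is internal backup
# traffic that is large but never leaves the network.
FLOWS = (
    [(100 + i, "10.0.5.4", "192.0.2.50", "udp", 1024 + i * 77, 2000) for i in range(8)]
    + [(101, "10.0.1.2", "93.184.216.34", "tcp", 443, 40),
       (105, "10.0.1.2", "93.184.216.34", "tcp", 443, 40)]
    + [(103, "10.0.5.4", "10.0.0.1", "tcp", 873, 50000)]
)


def is_egress(src, dst):
    """True only for traffic leaving the internal range."""
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) not in INTERNAL)


def egress_suspects(flows, window=10, pps_threshold=1000):
    """Aggregate egress flows per (src, dst, time window) and return the
    pairs whose packet rate exceeds the threshold.

    Result: {(src, dst): {"window_start", "pps", "distinct_ports", "protocols"}}"""
    buckets = defaultdict(lambda: {"packets": 0, "ports": set(), "protos": set()})
    for ts, src, dst, proto, dport, pkts in flows:
        if not is_egress(src, dst):
            continue
        start = ts // window * window
        b = buckets[(src, dst, start)]
        b["packets"] += pkts
        b["ports"].add(dport)
        b["protos"].add(proto)

    suspects = {}
    for (src, dst, start), b in buckets.items():
        pps = b["packets"] / window
        if pps < pps_threshold:
            continue
        prev = suspects.get((src, dst))
        # Keep the worst window per pair so one pair yields one alert.
        if prev is None or pps > prev["pps"]:
            suspects[(src, dst)] = {
                "window_start": start,
                "pps": pps,
                "distinct_ports": len(b["ports"]),
                "protocols": sorted(b["protos"]),
            }
    return suspects


if __name__ == "__main__":
    for (src, dst), info in egress_suspects(FLOWS).items():
        print(f"{src} -> {dst}: {info['pps']:.0f} pps over "
              f"{info['distinct_ports']} ports ({','.join(info['protocols'])}) "
              f"starting t={info['window_start']}")
```

The distinct-port count is what separates a flood from a legitimately busy upload: a backup or a large transfer goes to one port, while a UDP flood script cycles through many. The internal rsync flow in the sample is deliberately larger than the flood and is ignored because only egress traffic is scored.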
