In July 2015, Check Point’s Incident Response team was contacted by a customer after they noticed strange file system activities in one of their Linux-based DNS BIND servers. This strange behavior consisted of a large amount of peculiar files being written into sensitive system directories. A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised. The source of this compromise was traced to an SSH brute force attack that took place earlier the same month. The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers. Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server. Once they obtained access to the server, the attackers infected the system with two malicious payloads.