PrepAway - Latest Free Exam Questions & Answers

Which of the following BEST describes the compromised system?

An administrator is investigating a system that may potentially be compromised, and sees the following
log entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
Which of the following BEST describes the compromised system?

A. It is running a rogue web server

B. It is being used in a man-in-the-middle attack

C. It is participating in a botnet

D. It is an ARP poisoning attack

Explanation:
In this question, we have a source computer (192.10.3.204) sending data to a single destination IP
address, 10.10.1.5. No data is being received back by the source computer, which suggests the data being
sent is some kind of denial-of-service attack. This is common practice for computers participating in a botnet.
The port used is TCP 6667 which is IRC (Internet Relay Chat). This port is used by many Trojans and is
commonly used for DoS attacks.
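As an added example (not part of the original explanation), the Python code below parses the router ACL log format from the question and reports any host with repeated permitted TCP connections to port 6667. The fourth log line, the function names and the `min_entries` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the router ACL log format shown in the question.
ACL_RE = re.compile(
    r"\*(?P<ts>\w{3}\s+\d+ [\d:.]+):%(?P<router>\S+): list (?P<acl>\d+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) ?\((?P<sport>\d+)\) \((?P<iface>[^)]+)\) -> "
    r"(?P<dst>[\d.]+) ?\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)
IRC_PORTS = {6667}  # port named in the explanation; extend per local policy

# Three entries from the question plus one CONSTRUCTED HTTPS entry for contrast.
SAMPLE_LOG = """\
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
*Jul 15 14:48:01.102:%Router1: list 101 permitted tcp 192.10.3.77(49811) (FastEthernet 0/2) -> 10.10.1.9 (443), 4 packets.
"""


def parse(line):
    """Return the fields of one ACL log entry, or None if it does not match."""
    m = ACL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def suspicious_flows(log_text, ports=IRC_PORTS, min_entries=2):
    """Group permitted TCP entries to watched ports by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["action"] == "permitted" and rec["proto"] == "tcp" \
                and rec["dport"] in ports:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec)
    return [
        {"src": src, "dst": dst, "dport": dport, "entries": len(recs),
         "packets": [r["pkts"] for r in recs],
         "first": recs[0]["ts"], "last": recs[-1]["ts"]}
        for (src, dst, dport), recs in flows.items() if len(recs) >= min_entries
    ]


if __name__ == "__main__":
    for finding in suspicious_flows(SAMPLE_LOG):
        print(finding)
```
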
Software running on infected computers called zombies is often known as a botnet. Bots, by themselves,
are but a form of software that runs automatically and autonomously. (For example, Google uses the
Googlebot to find web pages and bring back values for the index.)
Botnet, however, has come to be the word used to describe malicious software running on a zombie and
under the control of a bot-herder.
Denial-of-service attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware,
spyware, and spam (via spambots). Most bots are written to run in the background with no visible
evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.
Incorrect Answers:
A: The compromised system is not running a rogue web server. The ports used are not ports used by a
web server (typically TCP ports 80 and 443). Furthermore, the computer is not responding to a web
request. It is just sending out data.
B: If the compromised computer were being used in a man-in-the-middle attack, it would be receiving
data, not just sending it.
D: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes
the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer’s
ARP cache with a forged ARP request and reply packets. This is not what is happening in this question.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 309

