300-215 · Question #7
300-215 Question #7: Real Exam Question with Answer & Explanation
The correct answer is B: The attacker uploaded the WordPress file manager trojan.
Question
Refer to the exhibit. Which two determinations should be made about the attack from the Apache access logs? (Choose two.)
Options
- A. The attacker used r57 exploit to elevate their privilege.
- B. The attacker uploaded the WordPress file manager trojan.
- C. The attacker performed a brute force attack against WordPress and used SQL injection against
- D. The attacker used the WordPress file manager plugin to upload r57.php.
- E. The attacker logged on normally to WordPress admin page.
Explanation
The Apache access logs in the exhibit show a sequence of HTTP requests and responses indicative of a malicious upload via WordPress:
- Requests to /wp-admin/admin-ajax.php with parameters that include uploading r57.php (a known PHP web
- The uploaded file name appears as r57.php in: &name=%5B%5D=r57.php&FILES...
- There are plugin installation and activation attempts, specifically for the file-manager plugin (plugin=file-manager&...), which is known to be vulnerable and exploited for file uploads.
- GET requests to /wp-content/57.php and variations such as 57.php?28. This suggests that r57.php was successfully uploaded and is being accessed.
These logs reveal that:
- The attacker used the WordPress file manager plugin to upload r57.php, confirmed by plugin activity and file uploads.
- The attacker uploaded the WordPress file manager trojan, as evidenced by the direct access to /wp-content/57.php (r57 shell variant).
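As an added example (not part of the original question or its exhibit), the indicators named in the explanation can be checked mechanically and correlated per client. The log lines are constructed, and the label names and the functions `classify`, `findings` and `upload_then_access` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined log format; NOT the exam exhibit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=file-manager HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?name%5B%5D=r57.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:02:30 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-content/57.php?28 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, target, status):
    """Return an indicator label for one request, or None if it is not of interest."""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)  # decodes name%5B%5D -> name[]
    if any(k == "plugin" and v.startswith("file-manager") for k, v in params):
        return "plugin-activity"
    if url.path.endswith("/wp-admin/admin-ajax.php") and any(
            v.lower().endswith(".php") for _, v in params):
        return "php-upload"
    # A PHP file served directly from /wp-content/ (other than the stock index.php).
    if (method == "GET" and status == 200 and url.path != "/wp-content/index.php"
            and re.fullmatch(r"/wp-content/[^/]+\.php", url.path)):
        return "php-in-wp-content"
    return None

def findings(log_text):
    """Map client IP -> ordered list of indicator labels seen for that client."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify(m["method"], m["target"], int(m["status"]))
        if label:
            seen.setdefault(m["ip"], []).append(label)
    return seen

def upload_then_access(log_text):
    """Clients whose upload request is later followed by a PHP hit under /wp-content/."""
    return [ip for ip, labels in findings(log_text).items()
            if "php-upload" in labels
            and "php-in-wp-content" in labels[labels.index("php-upload"):]]

if __name__ == "__main__":
    print(findings(SAMPLE_LOG), upload_then_access(SAMPLE_LOG))
```

Ordering matters in the correlation: a PHP request under /wp-content/ only counts when it comes after the upload request from the same client address.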