nerdexam
Exams312-49Questions#412
EC-CouncilEC-Council

312-49 · Question #412

312-49 Question #412: Real Exam Question with Answer & Explanation

Sign in or unlock 312-49 to reveal the answer and full explanation for question #412. The question stem and answer options stay visible for context.

Submitted by valeria.br· Apr 18, 2026Network Forensics

Question

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker . Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= += 03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111 UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84 Len: 64 01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................ 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................ 00 00 00 11 00 00 00 00 ........ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= += 03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104 Len: 1084 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8 G..c............ 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ............... 3A B1 5E E5 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :.^.....localhost =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+ 03/15-20:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168 TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF ***AP*** Seq: 0x9C6D2BFF Ack: 0x59606333 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23679878 2880015 63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20 cd /; uname -a; 69 64 3B id;

Options

  • AThe attacker has conducted a network sweep on port 111
  • BThe attacker has scanned and exploited the system using Buffer Overflow
  • CThe attacker has used a Trojan on port 32773
  • DThe attacker has installed a backdoor

Unlock 312-49 to see the answer

You've previewed enough free 312-49 questions. Unlock 312-49 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.

Unlock 312-49 - $49.99 / 30 daysSign in

Topics

#Packet Analysis#Network Reconnaissance#Snort Logs#Port Scanning
Full 312-49 PracticeBrowse All 312-49 Questions