nerdexam
ExamsCAS-003Questions#170
CompTIA

CAS-003 · Question #170

CAS-003 Question #170: Real Exam Question with Answer & Explanation

The correct answer is C: Isolate the system immediately and begin forensic analysis on the host.. The log shows six attempts to log in to a system. The first five attempts failed due to `failed password'. The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a diction

Question

A security administrator is shown the following log excerpt from a Unix system: 2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2 2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2 2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2 2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2 2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2 2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2 Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).

Options

  • AAn authorized administrator has logged into the root account remotely.
  • BThe administrator should disable remote root logins.
  • CIsolate the system immediately and begin forensic analysis on the host.
  • DA remote attacker has compromised the root account using a buffer overflow in sshd.
  • EA remote attacker has guessed the root password using a dictionary attack.
  • FUse iptables to immediately DROP connections from the IP 198.51.100.23.
  • GA remote attacker has compromised the private key of the root account.
  • HChange the root password immediately to a password not found in a dictionary.

Explanation

The log shows six attempts to log in to a system. The first five attempts failed due to `failed password'. The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a dictionary The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and prevent it from doing any damage to other systems on the network. You should perform a forensic analysis on the system to determine what the attacker did on the system after gaining access.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CAS-003 Practice