GCIH Question #391: Real Exam Question with Answer & Explanation
Question
You are a member of your organization's IT security team. Your team has limited resources, so investigating every suspicious event is impossible. Which one of the following items, when considered by itself, warrants further investigation by the security team?

1: One of your system administrators sent you the following snippet from a 'netstat -ob' command he performed from the console on one of your Windows 2008 R2 File Servers. He noted that he did not have Internet Explorer running on the console.

```
TCP    10.10.10.10:51813    log.clickstream.co.za:https    ESTABLISHED    2676 [iexplore.exe]
TCP    10.10.10.10:51816    log.clickstream.co.za:https    TIME_WAIT      0
TCP    10.10.10.10:51817    log.clickstream.co.za:https    TIME_WAIT      0
TCP    10.10.10.10:51818    log.clickstream.co.za:https    TIME_WAIT      0
TCP    10.10.10.10:51819    log.clickstream.co.za:https    TIME_WAIT      0
TCP    10.10.10.10:51822    log.clickstream.co.za:https    TIME_WAIT      0
TCP    10.10.10.10:51826    log.clickstream.co.za:https    ESTABLISHED    2676 [iexplore.exe]
TCP    10.10.10.10:51827    log.clickstream.co.za:https    ESTABLISHED    2676 [iexplore.exe]
TCP    10.10.10.10:51828    log.clickstream.co.za:https    ESTABLISHED    2676
```

2: The following was found by a system administrator in a Microsoft Windows 7 workstation's Microsoft Windows event log:

'Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0xE0ED9B3ACBBC. The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.'

3: One of your system administrators sent you the following snippet from a 'netstat -nao' command he performed on one of your Windows 2008 R2 File Servers:

```
Active Connections

  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:21         0.0.0.0:0          LISTENING    2236
  TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    4
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    920
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
  TCP    0.0.0.0:554        0.0.0.0:0          LISTENING    6232
  TCP    0.0.0.0:623        0.0.0.0:0          LISTENING    7980
  TCP    0.0.0.0:902        0.0.0.0:0          LISTENING    3636
  TCP    0.0.0.0:912        0.0.0.0:0          LISTENING    3636
```

4: A user complained that their computer was running very slowly, and they suspected it was because of a virus, even though an anti-virus solution has been installed and is operating correctly.
Options
- A. 1
- B. 3
- C. 2
- D. 4