GCIH · Question #625
An organization has an SSH server that was compromised, but later eradicated and recovered. The system disks were wiped clean, the OS reinstalled, and patches re-applied. After this process is complet
The correct answer is D. The SSH user account credentials have been compromised. Because the disks were wiped and the OS fully reinstalled, no attacker artifacts remain on the system, so multiple concurrent valid-account SSH logins most likely indicate the attacker is reusing stolen credentials.
Question
An organization has an SSH server that was compromised, but later eradicated and recovered. The system disks were wiped clean, the OS reinstalled, and patches re-applied. After this process is complete, a security analyst noticed multiple simultaneous SSH logins from a single, valid, user-account on that system. Which of the following is the most likely explanation?
Options
- AProper action was not taken on the firewall or router to block SSH traffic
- BAn attacker is accessing the system through a backdoor using netcat
- CNot all of the attackers artifacts have been removed from the system
- DThe SSH user account credentials have been compromised
How the community answered
(38 responses)- A8% (3)
- B11% (4)
- C3% (1)
- D79% (30)
Why each option
Because the disks were wiped and the OS fully reinstalled, no attacker artifacts remain on the system, so multiple concurrent valid-account SSH logins most likely indicate the attacker is reusing stolen credentials.
A firewall or router rule blocking SSH traffic would prevent all SSH connections from reaching the server, but the scenario describes active, successful logins - not blocked or refused connections.
A netcat backdoor requires a persistent binary or scheduled task on the host, both of which would have been eliminated by the complete disk wipe and OS reinstallation.
The scenario explicitly states the disks were wiped clean and the OS reinstalled with patches re-applied, which removes attacker-placed artifacts, making residual malware an unlikely cause of the observed logins.
A complete disk wipe and OS reinstall removes all files, processes, and configuration changes introduced by the attacker, eliminating backdoors and persistence mechanisms. However, credentials captured during the original compromise still exist in the attacker's possession and remain valid even after a full rebuild. The simultaneous logins under a single legitimate account are the hallmark of credential reuse, not of a surviving system-side artifact.
Concept tested: Credential compromise persistence after system rebuild
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.