EC-Council: Computer Hacking Forensic Investigator(CHFI-V10)
Module 8 : Network Forensics
         
Questions available : 133 You are not logged in.
Please Login for track your learning progress
   
 
Q. No: 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 |
Go to Question No.



Question No 130

If you want to share the link of this question, please click here to "Copy Question Link" and share that generated link. Link from URL may change in future.
 
   
Bookmark this Question
QID: 850  
   
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53


 
A:    An IDS evasion technique
  
B:    A buffer overflow attempt
C:    A DNS zone transfer
  
D:    Data being retrieved from 63.226.81.13
 
         

 
 

Diffence opinion in Correct Answer or any comment?
Vote / Comment for correct Answer



Comunity Comments:

Deepti on 06/05/2025
Opted Answer: B
Alert Type: nops-x86 suggests this is a NOP sled attack or part of a buffer overflow attempt targeting x86 architecture.

















WELCOME TO ONLINE EXAM PREPARATION SYSTEM

Certification Examinations