
Exam CAS-004 topic 1 question 203 discussion

Actual exam question from CompTIA's CAS-004
Question #: 203
Topic #: 1

A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

• dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.
• A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.
• Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.
• A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".

Which of the following is the MOST likely root cause?

  • A. A SQL injection was used to exfiltrate data from the database server.
  • B. The system has been hijacked for cryptocurrency mining.
  • C. A botnet Trojan is installed on the database server.
  • D. The dbadmin user is consulting the community for help via Internet Relay Chat.
Suggested Answer: C

Comments

isaphiltrick
Highly Voted 10 months ago
Selected Answer: C
A botnet Trojan is installed on the database server as evidenced by the persistent TCP/6667 connection established to an external address at 7:55 a.m. This type of connection is commonly associated with botnets using Internet Relay Chat (IRC) channels for command and control (C&C) purposes. The ASCII content "JOIN #community" captured in outbound requests from PCAP further supports this conclusion, indicating active participation in an IRC channel. The dbadmin's log-in and log-out times (7:30 a.m. to 8:05 a.m.) suggest that the Trojan or malware was likely activated after the user logged out, exploiting the server's resources for unauthorized external communication.
upvoted 5 times
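As an added worked example (not from the exam or from this discussion), the triage logic behind the reasoning above, run over constructed connection and session records that mirror the question's data. The field names, the thresholds for "persistent" and "low volume", the `203.0.113.10` address and the verdict labels are assumptions made for illustration; the point is that the same four observations (IRC port or IRC verb in the payload, long-lived connection, kilobytes per hour, no interactive user logged in while it persists) separate C from A and D.

```python
"""Triage heuristics for a long-lived outbound connection on an IRC port.

Added example, not exam material. Records below are constructed to match the
question: dbadmin logged in 07:30-08:05, TCP/6667 opened at 07:55 and still
open, a few KB/hour of payload, and a sampled "JOIN #community" line.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Common IRC ports (6665-6669 plaintext, 6697 IRC over TLS); list is assumed.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}
# IRC client verbs that start a protocol line ("JOIN #community" matches).
IRC_VERB = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.IGNORECASE)
LONG_LIVED = timedelta(minutes=30)   # assumed threshold for "persistent"
LOW_VOLUME = 16 * 1024               # assumed ceiling for "a few kilobytes per hour"


@dataclass
class Session:
    user: str
    login: datetime
    logout: Optional[datetime]       # None = still logged in


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    start: datetime
    end: Optional[datetime]          # None = still active
    bytes_per_hour: int              # payload bytes, keepalives excluded
    payload_samples: list = field(default_factory=list)


def users_logged_in(sessions, at):
    """Users with an interactive session covering the instant `at`."""
    return sorted(s.user for s in sessions
                  if s.login <= at and (s.logout is None or at <= s.logout))


def triage(conn, sessions, now):
    """Score one connection and return a verdict plus the evidence behind it."""
    duration = (conn.end or now) - conn.start
    irc_port = conn.dst_port in IRC_PORTS
    irc_proto = any(IRC_VERB.match(p) for p in conn.payload_samples)
    persistent = duration >= LONG_LIVED
    low_volume = conn.bytes_per_hour <= LOW_VOLUME
    operators = users_logged_in(sessions, now)

    reasons = []
    if irc_port:
        reasons.append(f"destination port {conn.dst_port} is an IRC port")
    if irc_proto:
        reasons.append("sampled payload begins with an IRC protocol verb")
    if persistent:
        reasons.append(f"connection has been open for {duration}")
    if low_volume:
        reasons.append(f"only {conn.bytes_per_hour} B/h of payload: beaconing, not bulk exfiltration")
    if not operators:
        reasons.append("no interactive user is logged in while the connection persists")

    # An IRC session that outlives every interactive login is machine-driven (C);
    # the same session while an operator is logged in could be a person (D);
    # heavy transfer without IRC markers is a separate bulk-exfiltration review (A).
    if (irc_port or irc_proto) and persistent and not operators:
        verdict = "irc_botnet_c2"
    elif (irc_port or irc_proto) and operators:
        verdict = "user_irc_session_possible"
    elif not low_volume:
        verdict = "bulk_transfer_review"
    else:
        verdict = "needs_review"
    return {"verdict": verdict, "reasons": reasons, "logged_in_now": operators}


# Constructed scenario mirroring the question (date and address are placeholders).
DAY = datetime(2024, 1, 1)


def t(hour, minute):
    return DAY + timedelta(hours=hour, minutes=minute)


SESSIONS = [Session("dbadmin", t(7, 30), t(8, 5))]
CONN = Connection("203.0.113.10", 6667, t(7, 55), None, 3 * 1024,
                  [b"JOIN #community\r\n"])
NOW = t(12, 0)   # analyst looks at it hours later; the connection is still up

if __name__ == "__main__":
    result = triage(CONN, SESSIONS, NOW)
    print(result["verdict"])
    for r in result["reasons"]:
        print(" -", r)
```

Running `triage` at 08:00 instead of 12:00 yields `user_irc_session_possible`, because dbadmin is still logged in and the connection is only five minutes old; it is the combination of the logout at 08:05 with a connection that is still alive hours later that turns the same evidence into the C verdict.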
Kabbath1986
Most Recent 1 year, 3 months ago
Selected Answer: D
JOIN #Community is 100% an Internet Relay Chat command... it could be a botnet or the DBA looking for info.
upvoted 2 times
BiteSize
1 year, 9 months ago
Selected Answer: C
Persistence has been made... active ephemeral port. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 4 times
Meep123
1 year, 7 months ago
I don't think this is an ephemeral port, but rather a commonly used port for trojans. https://www.speedguide.net/port.php?port=6667
upvoted 1 times
splink
2 years, 1 month ago
Selected Answer: C
So, if the connection is still running, they have some sort of backdoor access or some kind of persistent access into the device, right? C is the only one that "jives" with the provided prompt.
upvoted 3 times
Serliop378
2 years, 2 months ago
Selected Answer: C
The dbadmin already logged out, but the IRC port is still active. If you look up port 6667 on the internet, it is used by many Trojans.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%)
