Exam SY0-501 topic 1 question 564 discussion

Actual exam question from CompTIA's SY0-501
Question #: 564
Topic #: 1

DRAG DROP -
A security auditor is reviewing the following output from file integrity monitoring software installed on a very busy server at a large service provider. The server has not been updated since it was installed. Drag and drop the log entry that identifies the first instance of server compromise.
Select and Place:

Suggested Answer:

Comments

mindtricks
Highly Voted 3 years, 11 months ago
Boot init should not change. I guess that's why the answer is correct.
upvoted 8 times
...
monkeyyyyy
Highly Voted 3 years, 10 months ago
"I think this answer is correct. /etc/passwd changes a lot (adding users, etc) so the hash can be expected to change. iptables-save doesn’t change often since ACLs are generally not edited all the time. initrd.img is part of the boot loader, which shouldn’t change at all. The hash on it changes at 3:30 and that’s why it’s the time of the compromise. Passwd: Changes often IPTables: Doesn’t change often, but can change initrd: Shouldn’t change at all" Source: https://vceguide.com/drag-drop-616/
upvoted 6 times
...
StickyMac231
Most Recent 3 years, 10 months ago
The server has not been updated since it was installed. So, /boot/initrd.img-2.6..., hashes in that sector should not change at all, because there were no updates after it was installed. So, when you see at 1/1/2016 time 3:30:00 that the hash has been changed, it means that hash got compromised.
upvoted 3 times
...
mindtricks
3 years, 10 months ago
Etc Password hashes should all be different (because they are passwords). So nothing in that. Nothing has changed in iptables per the hash. The init image clearly has a different hash at 3:30, which is why that is the answer. That is the hash of your computer's image, if I'm not mistaken. It shouldn't just change.
upvoted 4 times
...
sukhpal
3 years, 11 months ago
Please explain the answer.
upvoted 1 times
...
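
The reasoning in the comments above (passwd changes often, iptables-save rarely, the initrd image never on a host with no updates) written as a check over file integrity monitoring records. This is an added example, not part of the original thread or the exam's table: the log lines, hash values, the `/sbin/iptables-save` and `/boot/initrd.img-EXAMPLE` paths and the `STATIC_PREFIXES` policy are constructed assumptions.

```python
from datetime import datetime

# Constructed FIM output (timestamp, path, hash). Paths, times and hash values
# are sample data for this example, not the table from the exam question.
SAMPLE_LOG = """\
2016-01-01 01:30:00 /etc/passwd 1f0e3dad
2016-01-01 01:30:00 /sbin/iptables-save 9c2b77a1
2016-01-01 01:30:00 /boot/initrd.img-EXAMPLE 5d41402a
2016-01-01 02:30:00 /etc/passwd 7b52009b
2016-01-01 02:30:00 /sbin/iptables-save 9c2b77a1
2016-01-01 02:30:00 /boot/initrd.img-EXAMPLE 5d41402a
2016-01-01 03:30:00 /etc/passwd bd307a3e
2016-01-01 03:30:00 /sbin/iptables-save 9c2b77a1
2016-01-01 03:30:00 /boot/initrd.img-EXAMPLE e4da3b7f
2016-01-01 04:30:00 /etc/passwd 91032ad7
2016-01-01 04:30:00 /sbin/iptables-save 3c59dc04
2016-01-01 04:30:00 /boot/initrd.img-EXAMPLE e4da3b7f
"""

# Hypothetical policy: path prefixes whose contents must not change on a host
# that has received no updates since installation.
STATIC_PREFIXES = ("/boot/",)


def parse_log(text):
    """Return (timestamp, path, digest) tuples sorted by time."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        date, time, path, digest = line.split()
        records.append((datetime.fromisoformat(f"{date} {time}"), path, digest))
    return sorted(records, key=lambda r: r[0])


def hash_changes(records):
    """Yield (timestamp, path, old, new) when a digest differs from the previous scan."""
    last = {}
    for ts, path, digest in records:
        if path in last and last[path] != digest:
            yield ts, path, last[path], digest
        last[path] = digest


def first_unexpected_change(records, static_prefixes=STATIC_PREFIXES):
    """Earliest change to a file that policy says must stay static, or None."""
    for change in hash_changes(records):
        if change[1].startswith(static_prefixes):
            return change
    return None
```

On the sample data, the routine `/etc/passwd` changes at 02:30 and 03:30 are ignored and the first flagged record is the `/boot/` image change at 03:30.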