After receiving reports of high latency, a security analyst performs an Nmap scan and observes the following output: Which of the following suggests the system that produced this output was compromised?
A. Secure shell is operating on a non-standard port.
B. There are no indicators of compromise on this system.
C. MySQL service is identified on a standard PostgreSQL port.
D. Standard HTTP is open on the system and should be closed.
Looks like a SQL database with a web front-end. All ports are necessary except port 2222, which is making an outbound SSH connection. This is indicative of a reverse shell exploit.
In the provided Nmap scan output, there is no clear evidence suggesting that the system has been compromised. The services mentioned, such as HTTP, HTTPS, SSH, and MySQL, seem to be running on expected ports. There are no unusual or unexpected services or ports mentioned in the scan.
Therefore, the correct answer is:
B. There are no indicators of compromise on this system.
It's essential to note that the presence of open ports or services alone does not necessarily indicate a compromise. However, further analysis, such as reviewing logs, monitoring network traffic, and conducting a thorough investigation, would be necessary to assess the security of the system.
CVE-2007-0655 : The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.
https://resources.infosecinstitute.com/topics/threat-hunting/threat-hunting-for-mismatched-port-application-traffic/
If an application is using an unusual port which pretends to be a normal application port, then it indicates a sign of compromise. Therefore, this indication of compromise is said to be a "Mismatch Port / Application Traffic".
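One way to automate the mismatched port/application check the linked article describes, as an added example that is not part of this thread or of the article: it parses `nmap -sV -oX` output (a constructed sample below, not the scan from the question) and flags open ports whose identified service does not belong on that port, separating a service on an unregistered port (such as SSH on 2222) from a port that is answering as a different protocol than the one it is registered for.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (the scan from the question is
# not reproduced on this page). It contains the two situations the answer
# options describe: SSH on 2222 and a MySQL banner on the PostgreSQL port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="5432"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# IANA-registered service for the well-known ports relevant to this question.
REGISTERED = {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 5432: "postgresql"}


def find_port_service_mismatches(xml_text):
    """Return (port, service, kind, detail) for each open port whose detected
    service does not belong there. kind is "mismatch" when the port is
    registered for a different service (the stronger indicator) or
    "nonstandard" when a known service answers on an unregistered port."""
    findings = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        service = port.find("service")
        if state is None or state.get("state") != "open" or service is None:
            continue  # only open ports with an identified service matter here
        portid = int(port.get("portid"))
        name = service.get("name")
        registered = REGISTERED.get(portid)
        if registered is None:
            # Unregistered port: note it if the service normally lives elsewhere
            usual = [p for p, s in REGISTERED.items() if s == name]
            if usual:
                findings.append((portid, name, "nonstandard",
                                 f"{name} is normally on port {usual[0]}"))
        elif registered != name:
            findings.append((portid, name, "mismatch",
                             f"port {portid} is registered for {registered}"))
    return findings
```

Calling `find_port_service_mismatches(SAMPLE_NMAP_XML)` reports SSH on 2222 as "nonstandard" and MySQL on 5432 as "mismatch"; a non-standard port on its own is a common hardening choice, so only the mismatch should be treated as a likely indicator without further investigation.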
I believe the correct answer is D
If we look at the output we see that while port 443 is filtered, port 80 is not. This doesn't make much sense and I could think that the attacker opened it.
In a default configuration for the SSH service port 22 is used. If you want to harden the system you will open the service on another port (2222).
Complicated question
SSH shell is 22. So this is a reverse shell exploit.
Port 2222 Details
The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.
The reason why the analyst conducted the scan in the first place is a report of high latency. High latency usually occurs because of:
1- high download volume
2- many applications and browser tabs
3- malware
4- streaming services.
I would say that SSH operating on port 2222 is definitely doing some funky shit; I would close that.
Your explanation isn't even what answering B would state.
The question is effectively asking "something here suggests it was compromised. What?"
Your answer: The fact it says nothing was compromised is what makes me think it was compromised
Is port 3306 necessary?
In general, you should not open port 3306 as it can make your server vulnerable to attack. If you need to connect to your database remotely, there are more secure options than opening port 3306, such as using an SSH tunnel.
While, yes, you should close plain text http... That's not what was asked. There's no indications that the box was compromised...