Exam CAS-004
Question 203

A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

• dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.

• A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.

• Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.

• A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".

Which of the following is the MOST likely root cause?

    Correct Answer: C

    A persistent TCP/6667 connection to an external address, particularly on port 6667, which is commonly associated with Internet Relay Chat (IRC), suggests the presence of a botnet Trojan. The fact that the connection remains active with minimal data transfer to keep it alive points to a command and control (C&C) channel typical of botnet activity. Additionally, the ASCII content 'JOIN #community' aligns with IRC commands used by botnets to join channels where they can receive instructions. These details indicate that the database server has likely been compromised by a botnet Trojan.
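The indicators in this explanation (IRC port, long-lived low-volume connection that outlives the admin's session, and a "JOIN #channel" payload) can be turned into a simple triage check. This is an added example, not part of the original page; the Flow and Session records, the observation time and the byte threshold are assumptions.

```python
"""Triage an outbound connection for IRC-style command-and-control indicators."""
from dataclasses import dataclass
from datetime import time
import re

IRC_PORTS = {6667}            # plaintext IRC port seen in the scenario
LOW_VOLUME_BYTES = 16 * 1024  # "a few kilobytes per hour" (assumed threshold)
# Client-side IRC JOIN: "JOIN #community" (channels start with '#' or '&')
JOIN_RE = re.compile(r"^JOIN\s+[#&]\S+", re.IGNORECASE)


@dataclass
class Flow:
    dst_port: int
    started: time          # when the connection was established
    still_active: bool     # connection open at observation time
    bytes_per_hour: int    # payload bytes, excluding keepalives
    payload: bytes         # sample of outbound payload from the PCAP


@dataclass
class Session:
    user: str
    login: time
    logout: time


def irc_c2_indicators(flow: Flow, session: Session, observed: time) -> list:
    """Return the list of indicators matched by this flow."""
    hits = []
    if flow.dst_port in IRC_PORTS:
        hits.append("destination port 6667 (IRC)")
    if flow.still_active and observed > session.logout:
        hits.append(f"connection outlived {session.user}'s session")
    if 0 < flow.bytes_per_hour < LOW_VOLUME_BYTES:
        hits.append("low-volume, persistent traffic")
    text = flow.payload.decode("ascii", errors="replace").strip()
    if JOIN_RE.match(text):
        hits.append("IRC JOIN command in payload")
    return hits


def verdict(flow: Flow, session: Session, observed: time) -> str:
    """Combine indicators: payload evidence plus two others is a strong signal."""
    hits = irc_c2_indicators(flow, session, observed)
    if "IRC JOIN command in payload" in hits and len(hits) >= 3:
        return "likely IRC botnet C2"
    return "suspicious" if hits else "benign"


if __name__ == "__main__":
    # Constructed records mirroring the scenario in the question
    sess = Session("dbadmin", time(7, 30), time(8, 5))
    flow = Flow(6667, time(7, 55), True, 3 * 1024, b"JOIN #community\r\n")
    print(verdict(flow, sess, time(9, 0)), irc_c2_indicators(flow, sess, time(9, 0)))
```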

Discussion
splink (Option: C)

So, if the connection is still running, they have some sort of backdoor access or some kind of persistent access into the device, right? C is the only one that "jives" with the provided prompt.

Serliop378 (Option: C)

The dbadmin already logged out but the IRC port is still active. If you look up port 6667 on the internet, it is used by many Trojans.

isaphiltrick (Option: C)

A botnet Trojan is installed on the database server as evidenced by the persistent TCP/6667 connection established to an external address at 7:55 a.m. This type of connection is commonly associated with botnets using Internet Relay Chat (IRC) channels for command and control (C&C) purposes. The ASCII content "JOIN #community" captured in outbound requests from PCAP further supports this conclusion, indicating active participation in an IRC channel. The dbadmin's log-in and log-out times (7:30 a.m. to 8:05 a.m.) suggest that the Trojan or malware was likely activated after the user logged out, exploiting the server's resources for unauthorized external communication.

BiteSize (Option: C)

Persistence has been made... active ephemeral port. Source: verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)

Meep123

I don't think this is an ephemeral port, but rather a commonly used port for trojans. https://www.speedguide.net/port.php?port=6667

Kabbath1986 (Option: D)

JOIN #Community is 100% an Internet Relay Chat command... it could be a botnet or the DBA looking for info.