Refer to the exhibit. The output is from a Linux system running `netstat -an`. Which of the following ports is likely being used for remote command-and-control communication?
High port 54321 used in an established connection to an external IP is anomalous and could be C2.
Why this answer
Port 54321 is a high-numbered ephemeral port that is not associated with any standard service, making it a common choice for malware or remote access tools (RATs) to establish command-and-control (C2) communication. In the netstat -an output, an established connection on a non-standard high port from the local system to a remote IP is a strong indicator of C2 activity, as legitimate services typically use well-known ports.
Exam trap
CompTIA often tests the concept that high-numbered ephemeral ports (above 1024) with no associated standard service are strong indicators of C2 activity, tricking candidates into choosing common service ports like 22, 53, or 80 because they are familiar, even though those are legitimate and monitored.
How to eliminate wrong answers
Option B is wrong because port 22 is the default for SSH, a legitimate remote administration protocol, and while it can be abused for C2, it is not the likely port for covert C2 communication in this context. Option C is wrong because port 53 is used for DNS, which is essential for name resolution; although DNS can be tunnelled for C2, the direct use of port 53 for an established connection (not just queries) is less common and would be more conspicuous. Option D is wrong because port 80 is the standard HTTP port for web traffic; while HTTP can be used for C2, it is a well-known port that is heavily monitored and less likely to be used for stealthy C2 compared to a non-standard high port.