CompTIA Security Plus Mock Test Q697

An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
Which of the following BEST describes the compromised system?

A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
In this question, we have a source computer (192.10.3.204) sending data to a single destination IP address, 10.10.1.5. No data is being received back by the source computer, which suggests the data being sent is some kind of Denial-of-Service attack. This is common practice for computers participating in a botnet. The port used is TCP 6667, which is IRC (Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS attacks.

Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are but a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder.

Denial-of-service attacks — DoS and DDoS — can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.

Incorrect Answers:
A: The compromised system is not running a rogue web server. The ports used are not ports used by a web server (typically TCP ports 80 and 443). Furthermore, the computer is not responding to a web request; it is just sending out data.
B: If the compromised computer were being used in a man-in-the-middle attack, it would be receiving data, not just sending it.
D: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with forged ARP request and reply packets. This is not what is happening in this question.
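The reasoning in the explanation and in the incorrect-answer notes (one host talking to a single destination on TCP 6667, with no traffic logged in the other direction) can be turned into a small triage script. The following is an added example written for this page, not code from the exam or from the study guide it cites. The regex, the flow-summary fields, the label strings and the port-to-label mapping are this example's own assumptions; the port mapping simply follows the explanation (6667 = IRC, 80/443 = web), and the three sample log lines are the ones quoted in the question.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three router ACL entries quoted in the question.
SAMPLE_LOG = """\
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
"""

# Assumed pattern for the "list N permitted proto src(port) (iface) -> dst (port), N packets." format above.
ACL_LINE = re.compile(
    r"\*(?P<ts>\w{3} \d+ [\d:.]+):%(?P<router>[^:]+): list (?P<acl>\d+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) \((?P<iface>[^)]+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s*\((?P<dport>\d+)\), (?P<packets>\d+) packets?\."
)

# Port-to-role mapping taken from the explanation: 6667 is IRC, 80/443 are web server ports.
IRC_PORTS = {6667}
WEB_PORTS = {80, 443}


@dataclass
class AclEvent:
    timestamp: str
    router: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    iface: str
    dst: str
    dport: int
    packets: int


def parse_acl_log(text: str) -> list:
    """Parse ACL log lines in the format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(AclEvent(
            timestamp=d["ts"], router=d["router"], acl=d["acl"], action=d["action"],
            proto=d["proto"], src=d["src"], sport=int(d["sport"]), iface=d["iface"],
            dst=d["dst"], dport=int(d["dport"]), packets=int(d["packets"]),
        ))
    return events


def summarize_flows(events: list) -> dict:
    """Group events by (src, sport, dst, dport) and note whether the reverse flow was ever logged."""
    flows = {}
    for e in events:
        key = (e.src, e.sport, e.dst, e.dport)
        f = flows.setdefault(key, {
            "proto": e.proto, "src": e.src, "dst": e.dst, "dst_port": e.dport,
            "first": e.timestamp, "last": e.timestamp, "packets": [], "total_packets": 0,
        })
        f["last"] = e.timestamp
        f["packets"].append(e.packets)       # packet counts exactly as the router logged them
        f["total_packets"] += e.packets
    # "one_way": no log entry ever showed dst -> src, which is the explanation's key observation.
    for (src, sport, dst, dport), f in flows.items():
        f["one_way"] = (dst, dport, src, sport) not in flows
    return flows


def classify_flow(flow: dict) -> str:
    """Apply the question's reasoning: repeated one-way traffic to IRC suggests a bot; web ports suggest a web server."""
    if flow["dst_port"] in IRC_PORTS and flow["one_way"] and len(flow["packets"]) > 1:
        return "suspected-irc-botnet"
    if flow["dst_port"] in WEB_PORTS:
        return "web"
    return "other"


if __name__ == "__main__":
    for key, f in summarize_flows(parse_acl_log(SAMPLE_LOG)).items():
        direction = "one-way" if f["one_way"] else "bidirectional"
        print(key, f["total_packets"], "packets", direction, classify_flow(f))
```

On the sample input this reports a single flow from 192.10.3.204:57222 to 10.10.1.5:6667, 17 logged packets, one-way, labelled "suspected-irc-botnet". The same check would answer option B (a man-in-the-middle host would show a reverse flow) and option A (a web server would be the destination of 80/443 traffic, not the source of IRC traffic). In a real environment the label is a lead for further investigation, not a verdict: IRC on 6667 can be legitimate, so the host should be checked for the bot process and the destination for known command-and-control activity.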

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 309