Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response?

A security administrator is shown the following log excerpt from a Unix system:

2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2

2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2

2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2

2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2

2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2

2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2

Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).
A . An authorized administrator has logged into the root account remotely.
B . The administrator should disable remote root logins.
C . Isolate the system immediately and begin forensic analysis on the host.
D . A remote attacker has compromised the root account using a buffer overflow in sshd.
E . A remote attacker has guessed the root password using a dictionary attack.
F . Use iptables to immediately DROP connections from the IP 198.51.100.23.
G . A remote attacker has compromised the private key of the root account.
H . Change the root password immediately to a password not found in a dictionary.

View Answer

Answer: C, E

Explanation:

The log shows six attempts to log in to a system. The first five attempts failed due to ‘failed password’. The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a dictionary attack.

The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and prevent it from doing any damage to other systems on the network. You should perform a forensic analysis on the system to determine what the attacker did on the system after gaining access.

Incorrect Answers:

A: It is unlikely that an authorized administrator has logged into the root account remotely. It is unlikely that an authorized administrator would enter an incorrect password five times.

B: Disabling remote root logins is not the best course of action. The attacker has already gained access to the system so potentially the damage is already done.

D: The log does not suggest a buffer overflow attack; the failed passwords suggest a dictionary attack.

F: Using iptables to immediately DROP connections from the IP 198.51.100.23 is not the best course of action. The attacker has already gained access to the system so potentially the damage is already done.

G: The log does not suggest a remote attacker has compromised the private key of the root account;

the failed passwords suggest a dictionary attack.

H: Changing the root password is a good idea but it is not the best course of action. The attacker has already gained access to the system so potentially the damage is already done.