An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router. *Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets. *Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets. *Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets. Which of the following BEST describes the compromised system?
A. It is running a rogue web server B. It is being used in a man-in-the-middle attack C. It is participating in a botnet D. It is an ARP poisoning attack
Answer: C
Explanation: In this question, we have a source computer (192.10.3.204) sending data to a single destination IP address 10.10.1.5. No data is being received back by source computer which suggests the data being sent is some kind of Denial-of-service attack. This is common practice for computers participating in a botnet. The port used is TCP 6667 which is IRC (Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS attacks.
Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are but a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder. Denial-of-service attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.