Malware is suspected on a server in the environment. The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.

Instructions:
Servers 1, 2 and 4 are clickable. Select the Server which hosts the malware, and select the process which hosts this malware.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.
You have to pick either Server 1, Server 2, or Server 4, then pick one process from the process list.
The correct answer to the question is Server 4, and the infected process is Svchost.exe.
Explanation:
From a logical perspective, the server can be the web server where svchost.exe is listening on a different port rather than 443, and Server 1 (on the DMZ) is trying to access the internal network on Server 4 [which is malicious].
If you look at the netstat command output, you can see the established connections with the IP 172.30.0.148:49242 with process ID 348 and 172.30.0.101:445 with process ID 4, where these IPs are unknown in the given network diagram, so this looks suspicious.
Now find the process name using the tasklist output: process ID 348 is mapped to the svchost.exe file and process ID 4 is mapped to system services.
If you have any doubt, please ask me without any hesitation in the comment section below. If you like my answer, please give it a thumbs up. Before giving a thumbs down, please discuss the question; it is possible that we understand the question in different ways, and I can edit and change the answer if you argue. Thanks :)
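The correlation the answer walks through (established netstat peers checked against the network diagram, then PID looked up in tasklist) can be scripted. This is an added example, not part of the original answer; the sample outputs are constructed, and the local address, the `w3wp.exe` row and the `KNOWN_HOSTS` inventory are assumptions standing in for the simulation's files and diagram.

```python
# Constructed sample output. Only the two foreign addresses and PIDs 348 / 4
# come from the answer above; everything else is an assumed placeholder.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.0.2.40:443         192.0.2.10:51515       ESTABLISHED     1200
  TCP    192.0.2.40:49200       172.30.0.148:49242     ESTABLISHED     348
  TCP    192.0.2.40:49201       172.30.0.101:445       ESTABLISHED     4
"""
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        248 K
svchost.exe                    348 Services                   0      9,120 K
w3wp.exe                      1200 Services                   0     52,300 K
"""
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.20", "192.0.2.40"}  # assumed diagram hosts


def parse_tasklist(text):
    """Map PID -> image name; the PID is the first all-digit column, so
    image names containing spaces (e.g. 'System Idle Process') still parse."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts[1:], start=1):
            if tok.isdigit():
                pids[int(tok)] = " ".join(parts[:i])
                break
    return pids


def suspicious_connections(netstat, tasklist, known):
    """Return (process, pid, remote) for ESTABLISHED peers not in inventory."""
    names = parse_tasklist(tasklist)
    hits = []
    for line in netstat.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        host = f[2].rpartition(":")[0].strip("[]")  # drop port, IPv6 brackets
        if host in known or host.startswith("127.") or host == "::1":
            continue
        hits.append((names.get(int(f[4]), "<unknown>"), int(f[4]), f[2]))
    return hits


if __name__ == "__main__":
    print(suspicious_connections(NETSTAT, TASKLIST, KNOWN_HOSTS))
```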