The following scenario will be used for questions 29 and 30. John is a network administrator and has been told by one of his net

admin2013-12-19  62

问题 The following scenario will be used for questions 29 and 30.
John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling to them and then from them in a sporadic manner. The traffic has been mainly ICMP, but the patterns were unusual compared to other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems’ NICs are not in promiscuous mode, so he is assured that sniffers have not been planted.
Which of the following best explains why John does not see anything suspicious on the reported systems?

选项 A、The systems have not yet been infected.
B、He is not running the correct tools. He needs to carry out a penetration test on the two systems.
C、Trojaned files have been loaded and executed.
D、A back door has been installed and the attacker enters the system sporadically.

答案C

解析 C正确。rootkit中的其他工具可能会不同,但通常都会包含用于掩盖攻击者行踪的实用程序。例如,每个操作系统都会包含一些供根用户或管理员用户用来检测rootki的基本实用程序、已安装的监听器和后门。黑客会使用名称相同的新的实用程序来替换这些默认的实用程序。它们就叫“特洛伊程序”,因为它们将执行预期的功能,在后台进行一些恶意行为。
A不正确。因为这不是最佳答案。因为系统很有可能没有被病毒感染,而这个问题问的是最可能的情况是什么。
B不正确。因为绝大多数rootkit都具有替换这些实用程序的特洛伊程序,因为根用户可以运行ps或top查看是否有后门服务在运行,进而检测出某个攻击。绝大多数rootkit也包含嗅探器,所以攻击者可以捕获并检查数据。要想嗅探器工作,系统的NIC必须被设置为混杂模式,这意味着NIC可以“听到”网络连接上的所有流量。默认的ipconfig实用程序允许根用户使用特定的参数查看NIC是否运行在混杂模式。所以rootkit也会包含一个ipconfig程序,它可以掩盖。NIC处于混杂模式的事实。
D不正确。因为这些服务器上很有可能不只是被安装了后门。rootkit包含允许攻击者远程控制被破坏系统的后门程序,但是rootkit中还包括许多其他工具。
转载请注明原文地址:https://jikaoti.com/ti/1tO7FFFM
0

最新回复(0)