CompTIA CASP+ (CAS-004) — Question 185

A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

• dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.
• A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.
• Other than the bytes needed to keep the connection alive, only a few kilobytes of data have been transferred each hour since the connection was established.
• A sample outbound request payload from PCAP showed the ASCII content: "JOIN #community".

Which of the following is the MOST likely root cause?

Answer options

Correct answer: C

Explanation

The correct answer is C because a persistent connection on TCP/6667 indicates Internet Relay Chat (IRC), a protocol long used by botnets for command and control. The minimal, steady data transfer is consistent with a bot idling on a channel and polling for instructions, and the payload "JOIN #community" is an IRC command to join a channel, which a compromised host would send right after connecting. Together these indicate that the server has been compromised and enrolled in a botnet. The other options do not fit the evidence of an IRC connection and its typical role in botnet operations.
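The indicators in this question (a long-lived connection to the default IRC port, a few kilobytes per hour, and an IRC verb in the payload) can be turned into a simple triage rule. The script below is an added example written for this page, not part of the exam material; the flow records, timestamps and addresses in it are constructed, and the thresholds (10 KB per hour, 30 minutes) are assumed tuning values that an analyst would adjust to their own baseline.

```python
"""
Triage heuristic for IRC-style command-and-control beaconing (added example).
It scores network flow records against the indicators described in the
question: an IRC port, a long-lived session, low hourly byte volume, and IRC
protocol verbs in the captured payload. It also checks whether the connection
was opened while a privileged user's session was active, which tells the
analyst which account's activity to review first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# 6667 is the default plaintext IRC port; 6697 is the usual IRC-over-TLS port.
IRC_PORTS = {6667, 6697}
# IRC commands a client (or bot) sends when registering and joining a channel.
IRC_VERB_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)
LOW_VOLUME_BYTES_PER_HOUR = 10 * 1024   # assumed threshold for "a few kilobytes"
LONG_LIVED = timedelta(minutes=30)      # assumed threshold for a persistent session


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    start: datetime
    end: datetime | None        # None means the connection is still open
    bytes_out: int
    payload_sample: str = ""    # ASCII excerpt recovered from the PCAP


def duration(flow: Flow, now: datetime) -> timedelta:
    return (flow.end or now) - flow.start


def hourly_volume(flow: Flow, now: datetime) -> float:
    hours = max(duration(flow, now).total_seconds() / 3600, 1e-9)
    return flow.bytes_out / hours


def irc_c2_indicators(flow: Flow, now: datetime) -> list[str]:
    """Return the names of the indicators this flow matches."""
    hits = []
    if flow.dst_port in IRC_PORTS:
        hits.append("irc_port")
    if duration(flow, now) >= LONG_LIVED:
        hits.append("long_lived")
    if hourly_volume(flow, now) <= LOW_VOLUME_BYTES_PER_HOUR:
        hits.append("low_volume")
    if IRC_VERB_RE.search(flow.payload_sample):
        hits.append("irc_verb_in_payload")
    return hits


def classify(flow: Flow, now: datetime) -> str:
    hits = irc_c2_indicators(flow, now)
    # Protocol evidence (an IRC verb) on an IRC port with beacon-like volume is
    # the combination that points at a bot rather than an ordinary chat user.
    if {"irc_verb_in_payload", "irc_port", "low_volume"} <= set(hits):
        return "likely IRC botnet C2"
    if len(hits) >= 2:
        return "suspicious"
    return "benign"


def started_during_session(flow: Flow, login: datetime, logout: datetime) -> bool:
    """True if the connection was opened while the given user session was active."""
    return login <= flow.start <= logout


# Constructed sample data mirroring the question: dbadmin logged in 07:30-08:05,
# connection to an external host on 6667 opened at 07:55 and still open five
# hours later, ~15 KB sent in total, payload "JOIN #community".
NOW = datetime(2024, 1, 1, 12, 55)
DBADMIN_LOGIN = datetime(2024, 1, 1, 7, 30)
DBADMIN_LOGOUT = datetime(2024, 1, 1, 8, 5)
SAMPLE_FLOWS = {
    "db-to-external-6667": Flow("10.0.0.5", "203.0.113.7", 6667,
                                datetime(2024, 1, 1, 7, 55), None, 15_000,
                                "JOIN #community"),
    "db-to-update-server": Flow("10.0.0.5", "198.51.100.20", 443,
                                datetime(2024, 1, 1, 8, 0),
                                datetime(2024, 1, 1, 8, 0, 5), 2_000_000,
                                "GET /updates HTTP/1.1"),
}


def run_sample() -> dict[str, dict]:
    """Classify each constructed flow and note whether it overlaps the admin session."""
    return {
        name: {
            "verdict": classify(flow, NOW),
            "indicators": irc_c2_indicators(flow, NOW),
            "during_dbadmin_session": started_during_session(flow, DBADMIN_LOGIN, DBADMIN_LOGOUT),
        }
        for name, flow in SAMPLE_FLOWS.items()
    }


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result)
```

The rule deliberately requires protocol evidence, not just the port: a legitimate IRC client would also hit the port and volume checks, so the verdict should drive a host investigation (process owning the socket, what ran during the dbadmin session) rather than an automatic block.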