CompTIA Security+ (SY0-701) — Question 271
A company web server is initiating outbound traffic to a low-reputation, public IP on a non-standard port. The web server is used to present an unauthenticated page to clients who upload images to the company. An analyst notices a suspicious process running on the server that was not created by the company development team. Which of the following is the most likely explanation for this security incident?
Answer options
- A. A web shell has been deployed to the server through the page.
- B. A vulnerability has been exploited to deploy a worm to the server.
- C. Malicious insiders are using the server to mine cryptocurrency.
- D. Attackers have deployed a rootkit Trojan to the server over an exposed RDP port.
Correct answer: A
Explanation
The correct answer is A, as a web shell could be uploaded through the unauthenticated image upload feature, allowing attackers to gain control of the server. Option B is less likely because deploying a worm typically involves exploiting a known vulnerability, which isn't indicated here. Option C, while possible, does not fit the scenario of suspicious outbound traffic and an unauthenticated page as closely as a web shell. Option D is also unlikely without evidence of RDP exposure in this context.
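The two defender-side checks the explanation implies, written as an added example (not part of the question page, not CompTIA material): an upload validator that rejects files whose name, leading magic bytes and body do not all agree they are an image, and an egress check that flags a web server talking to an unexpected public host on a non-standard port. The server address, allowlist and flow-log format are constructed assumptions, as are the sample uploads and log lines.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed policy for a hypothetical image-upload server (assumption).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Byte sequences that have no business inside an image and indicate an
# embedded server-side script, the usual web-shell upload pattern.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadVerdict(NamedTuple):
    accepted: bool
    reason: str


def detect_image_format(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or 'gif' from the leading magic bytes, else None."""
    for fmt, magic in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def validate_image_upload(filename: str, data: bytes) -> UploadVerdict:
    """Accept a file only when its extension, signature and body all say 'image'."""
    parts = filename.lower().split(".")
    # Exactly one extension: rejects double extensions such as shell.php.png.
    if len(parts) != 2 or not parts[0]:
        return UploadVerdict(False, "filename must be name.ext with a single extension")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED_EXT:
        return UploadVerdict(False, f"extension {parts[1]!r} not allowed")
    fmt = detect_image_format(data)
    if fmt is None:
        return UploadVerdict(False, "content does not start with a known image signature")
    if fmt != ext:
        return UploadVerdict(False, f"extension {parts[1]!r} does not match content ({fmt})")
    # A valid image header followed by script text (a polyglot) is still rejected.
    for marker in SCRIPT_MARKERS:
        if marker in data:
            return UploadVerdict(False, f"embedded script marker {marker!r}")
    return UploadVerdict(True, "ok")


# Explicit RFC 1918 / loopback / link-local list rather than ipaddress.is_private,
# which also treats the documentation ranges used in the sample flows as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
WEB_SERVERS = {"10.0.0.5"}               # constructed: the upload server
EGRESS_ALLOWLIST = {("10.0.0.20", 443)}  # constructed: its only expected destination
STANDARD_WEB_PORTS = {80, 443}
# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_suspicious_egress(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (dst, dport, severity) for web-server flows to unexpected public hosts."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m["src"] not in WEB_SERVERS:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in EGRESS_ALLOWLIST or is_internal(dst):
            continue
        # A public destination on a non-standard port is exactly the pattern in the question.
        severity = "high" if dport not in STANDARD_WEB_PORTS else "medium"
        findings.append((dst, dport, severity))
    return findings


SAMPLE_FLOWS = [  # constructed sample data
    "2024-05-01T10:00:01Z 10.0.0.5:51234 -> 10.0.0.20:443 TCP",
    "2024-05-01T10:00:05Z 10.0.0.5:51240 -> 203.0.113.77:4444 TCP",
    "2024-05-01T10:00:09Z 10.0.0.7:40000 -> 198.51.100.3:443 TCP",
    "2024-05-01T10:00:12Z 10.0.0.5:51250 -> 198.51.100.9:443 TCP",
]

if __name__ == "__main__":
    print(validate_image_upload("cat.png", MAGIC["png"] + b"\x00" * 16))
    print(validate_image_upload("shell.php.png", b"<?php echo 1; ?>"))
    for finding in flag_suspicious_egress(SAMPLE_FLOWS):
        print("suspicious egress:", finding)
```

The marker scan is a cheap last line of defence, not the primary control: storing uploads outside the web root with execution disabled, and re-encoding every accepted image so that any trailing script text is discarded, are what actually prevent an uploaded file from running. On the network side, a web server that only presents an upload page has no reason to initiate connections to arbitrary public hosts, so a short egress allowlist plus alerting on everything else catches the beaconing the question describes even when the destination's reputation is not yet known.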