GIAC Certified Incident Handler (GCIH) — Question 46
An organization has an SSH server that was compromised, but later eradicated and recovered. The system disks were wiped clean, the OS reinstalled, and patches re-applied. After this process is complete, a security analyst notices multiple simultaneous SSH logins from a single, valid user account on that system.
Which of the following is the most likely explanation?
Answer options
- A. Proper action was not taken on the firewall or router to block SSH traffic
- B. An attacker is accessing the system through a backdoor using netcat
- C. Not all of the attacker's artifacts have been removed from the system
- D. The SSH user account credentials have been compromised
Correct answer: D
Explanation
The correct answer is D because multiple simultaneous SSH logins from one valid user account suggest that the credentials for that account have been compromised and are being reused by someone other than its owner. Options A, B, and C do not explain this specific behavior: the disks were wiped and the OS reinstalled, so leftover attacker artifacts (C) should no longer be present; a missing firewall or router block (A) would not by itself produce logins under a valid account; and a netcat backdoor (B) would not appear as authenticated SSH sessions. The issue is therefore one of credential security rather than network configuration or remnants of the attack.