312-50 EC-Council Exam Questions and Free Practice Test

Question 133

- (Topic 23)
Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and setup the application. You should change the default settings to secure the system.
Which of the following is NOT an example of default installation?

A. Many systems come with default user accounts with well-known passwords that administrators forget to change

B. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system

C. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services

D. Enabling firewall and anti-virus software on the local system

Correct Answer:D

Question 134

- (Topic 23)
Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.
Maintaining the security of a Web server will usually involve the following steps:
1. Configuring, protecting, and analyzing log files
2. Backing up critical information frequently
3. Maintaining a protected authoritative copy of the organization's Web content
4. Establishing and following procedures for recovering from compromise
5. Testing and applying patches in a timely manner
6. Testing security periodically.
In which step would you engage a forensic investigator?

A. 1

B. 2

C. 3

D. 4

E. 5

F. 6

Correct Answer:D

Question 135

- (Topic 5)
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

A. Copy the system files from a known good system

B. Perform a trap and trace

C. Delete the files and try to determine the source

D. Reload from a previous backup

E. Reload from known good media

Correct Answer:E
If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.

Question 136

- (Topic 12)
Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.
Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ; After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ; What attack is being depicted here?

A. Cookie Stealing

B. Session Hijacking

C. Cross Site Scripting

D. Parameter Manipulation

Correct Answer:D
Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit.

Question 137

- (Topic 19)
Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state.
From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised.

A. 53

B. 110

C. 25

D. 69

Correct Answer:A
Port 53 is used by DNS and is almost always open, the problem is often that the port is opened for the hole world and not only for outside DNS servers.

Question 138

- (Topic 19)
What type of attack changes its signature and/or payload to avoid detection by antivirus programs?

A. Polymorphic

B. Rootkit

C. Boot sector

D. File infecting

Correct Answer:A
In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.

START 312-50 EXAM