Free PBQ Demo · Foundation

Log Analysis

Read realistic /var/log/auth.log entries and answer 4 questions about the attack pattern.

Tests: Pattern recognition in log data, attack identification, incident-response triage.

~5 min · No signup needed

Scenario

Review the following /var/log/auth.log entries from a Linux server and identify the attack pattern.

system.log
May 12 08:41:02 server sshd[1234]: Failed password for root from 203.0.113.50 port 54321 ssh2
May 12 08:41:04 server sshd[1234]: Failed password for root from 203.0.113.50 port 54321 ssh2
May 12 08:41:06 server sshd[1234]: Failed password for admin from 203.0.113.50 port 54322 ssh2
May 12 08:41:08 server sshd[1234]: Failed password for admin from 203.0.113.50 port 54322 ssh2
May 12 08:41:10 server sshd[1234]: Failed password for user from 203.0.113.50 port 54323 ssh2
May 12 08:41:12 server sshd[1234]: Failed password for user from 203.0.113.50 port 54323 ssh2
May 12 08:41:14 server sshd[1234]: Failed password for root from 203.0.113.50 port 54321 ssh2
May 12 08:41:16 server sshd[1234]: Failed password for root from 203.0.113.50 port 54321 ssh2
May 12 08:41:18 server sshd[1234]: Accepted password for root from 203.0.113.50 port 54321 ssh2
May 12 08:42:05 server sshd[1234]: session opened for user root by (uid=0)

1. What type of attack is evident in these log entries?

2. What is the IP address of the attacker?

3. What was the final outcome of the attack?
