Study the log given below and answer the following questions.
 

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

What can you infer from the above log?
 
A.  The system is a windows system which is being scanned unsuccessfully.
B.  The system is a web application server compromised through SQL injection.
C.  The system has been compromised and backdoored by the attacker.
D.  The actual IP of the successful attacker is 24.9.255.53.
 
 
Answer: A


It looks like one attack was successful and the hacker has access to server. I think the answer is C. Maybe a real snort user can anlyse this log better than me.

The CEH exam may give this same log in 2-3 questions and ask different questions form it.

regards

I agree that the Answer would be C.

But sorry Negrita, I somewhat disagree with your explanation because:

1) though it is still possible it's not very likely that somebody still has valid accounts/passwords in the dummy passwd file used by most ftp-servers
2) why an attacker would wait more than 36 hours to login after retrieving a valid account ? (sure it could have happened that way, but I don't think so.)

Look at these entries:

It looks like an attacker has first discovered a certain version of DNS-server-software (most likely some vulnerable version of bind), then exploited a buffer overflow (NOPs are often part of the payload to exploit buffer overflows) and then logged in first with an unprivileged account and then su'ed to a privileged account...

BTW, I found that log somewhat familiar - if you are interested in the whole story have a look here

I don't think that sig is apart of current ruleset
http://www.snort.org/pub-bin/sigs-search.cgi?sid=WEB

My guess is that its a sig that just looks for ' *', which would probably be
GET *

I think in older versions of CGI you could also execute CGI's by using the wildcard.