SIMULATION An organization's website was maliciously altered. INSTRUCTIONS Review information in each tab to select the source IP the analyst should be concerned about, the indicator of compromise, and the two appropriate corrective actions. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_254_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_255_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_256_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_256_img_2.jpg

Source IP: 10.7.34.82Indicator: suspicious login timesActions: disable sjames account, reset web serverI saw a similar question but not totally sure if the internal IP is right here since it connects right before the change. Did anyone else pick these values?

Question 20 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [Jan 2026 Update]

Q: 20

SIMULATION An organization's website was maliciously altered. INSTRUCTIONS Review information in each tab to select the source IP the analyst should be concerned about, the indicator of compromise, and the two appropriate corrective actions.

Your Answer

Correct Answer:

SOURCE IP ADDRESS: 41.21.18.102

INDICATOR OF COMPROMISE: MODIFIED INDEX.HTML FILE

CORRECTIVE ACTIONS:

CHANGE THE PASSWORD ON THE SJAMES ACCOUNT.
DELETE THE SJAMES ACCOUNT.

Explanation

A thorough analysis of the provided logs reveals a clear sequence of a security incident.

Suspicious Activity: The SFTP log shows the external IP address 41.21.18.102 successfully logging in using the sjames account at 23:01:50. Immediately after, at 23:02:25, this IP writes to the index.html file, which directly corresponds to the website being "maliciously altered." The netstat log corroborates this by showing an ESTABLISHED connection from 41.21.18.102 to the local machine on port 22 (the standard port for SFTP/SSH).
Indicator of Compromise (IoC): The most direct evidence of the website defacement is the log entry showing the unauthorized modification of the primary web page. Therefore, the modified index.html file is the key IoC. The 404 errors from other IPs are less critical than a confirmed malicious file write.
Corrective Actions: The incident response must focus on containment and eradication.

Changing the password for the sjames account is the immediate containment action to revoke the attacker's access.
Deleting the sjames account is a necessary eradication step, ensuring this specific compromised asset can no longer be exploited. This action follows the initial password change to ensure the account is fully removed.

References

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2). National Institute of Standards and Technology.

Page 20, Section 3.3.2 (Containment): Recommends actions such as "changing passwords" for compromised accounts as a primary containment strategy.

Page 23, Section 3.3.3 (Eradication and Recovery): Discusses eradication, which includes "deleting user accounts" that were used in the attack.

Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson.

Chapter 3, Section 3.5.2: Explains the TCP connection states, including ESTABLISHED, confirming that the netstat output shows an active, two-way connection between the server and the attacker's IP address (41.21.18.102).

Al-Harbi, M. (2020). A Framework for Detecting and Analyzing Web Defacement Attacks. IEEE Access, 8, 185672-185689. https://doi.org/10.1109/ACCESS.2020.3029981

Section III-B, Table II: Lists "Unauthorized file modification" as a primary Indicator of Compromise (IoC) for web defacement attacks, validating the selection of the "Modified index.html file" as the key indicator.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE