Which of the following commands should the administrator run next to further analyze the compromised system?

A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output:

[Screenshot of the ps output; the image is not reproduced in the text of this page.]

Which of the following commands should the administrator run next to further analyze the compromised system?
A. gdb /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301

Answer: A

Explanation:

/bin/ls -l /proc/1301/exe is the command that shows the absolute path of the binary backing process ID 1301, which is /usr/sbin/sshd. With that path the analyst can check whether the binary is the official, unmodified version; a binary that has been altered or that runs from an unexpected location is an indicator of compromise. /proc/1301/exe is a special symbolic link maintained by the kernel that points to the executable used to start process 1301. If ls shows the target with a " (deleted)" suffix, the file on disk was removed or replaced after the process started, so the code actually running must be read from /proc/1301/exe rather than from the path on disk; rpm -V (option B) checks the installed package files against the RPM database and therefore says nothing about a process whose binary has been unlinked.

Reference: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks
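An added example, not part of this exam page, that automates the check the explanation describes and goes one step further: it resolves /proc/&lt;pid&gt;/exe the way ls -l does, detects the " (deleted)" case, and flags binaries outside package-managed paths. It assumes a Linux host with procfs mounted; PID 1301 is only the illustrative value from the question.

```python
"""Inspect /proc/<pid>/exe for a running process (added example, assumes Linux procfs)."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"          # appended by the kernel when the backing file is gone
PACKAGE_PATHS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")  # assumption: distro-managed dirs


@dataclass
class ExeInfo:
    pid: int
    target: str      # path the exe link points to, without any suffix
    deleted: bool    # True if the binary was unlinked or replaced after exec
    on_disk: bool    # True if a file currently exists at target


def parse_exe_link(pid: int, link_value: str) -> ExeInfo:
    """Interpret a raw readlink() result of /proc/<pid>/exe.

    A package-verified file on disk says nothing about a process whose
    executable was deleted or replaced after it started, so the suffix matters.
    """
    deleted = link_value.endswith(DELETED_SUFFIX)
    target = link_value[: -len(DELETED_SUFFIX)] if deleted else link_value
    return ExeInfo(pid=pid, target=target, deleted=deleted, on_disk=os.path.exists(target))


def inspect_pid(pid: int) -> ExeInfo:
    """Resolve /proc/<pid>/exe exactly as `ls -l /proc/<pid>/exe` would show it."""
    return parse_exe_link(pid, os.readlink(f"/proc/{pid}/exe"))


def suspicious(info: ExeInfo) -> list[str]:
    """Findings a responder follows up on before killing the process (which destroys evidence)."""
    findings = []
    if info.deleted:
        findings.append("binary deleted or replaced after exec; acquire it from /proc/<pid>/exe, not disk")
    if not info.target.startswith(PACKAGE_PATHS):
        findings.append(f"binary outside package-managed paths: {info.target}")
    return findings


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    info = inspect_pid(pid)
    print(f"PID {info.pid}: {info.target} deleted={info.deleted} on_disk={info.on_disk}")
    for finding in suspicious(info):
        print("  !", finding)
```

For a clean hit, the next step is package verification of the reported path (for example rpm -Vf on that file); for a deleted or out-of-path binary, copy /proc/&lt;pid&gt;/exe first.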
