A security analyst is investigating a compromised Linux server.
The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run next to further analyze the compromised system?
A. gbd /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301
Answer: A
Explanation:
/bin/ls -l /proc/1301/exe is the command that shows the absolute path of the executable file associated with process ID 1301, which is ./usr/sbin/sshd. This information helps the security analyst determine whether the binary is an official version that has not been modified; a modified binary could be an indicator of compromise. /proc/1301/exe is a special symbolic link that points to the executable file that was used to start process 1301.
Reference: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks
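The check described in the explanation, as an added example that is not part of the original page: it reads the /proc/<pid>/exe link and compares it with argv[0] from /proc/<pid>/cmdline, which the process itself controls. The function name inspect_proc_exe and its optional second argument (a proc root, so the function can be pointed at a constructed directory tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare what a process claims to be (argv[0]) with what the
# kernel reports it is executing (/proc/<pid>/exe).
# Usage: inspect_proc_exe PID [PROC_ROOT]   (PROC_ROOT defaults to /proc)

inspect_proc_exe() {
    pid=$1
    proc_root=${2:-/proc}
    dir="$proc_root/$pid"

    [ -d "$dir" ] || { echo "pid=$pid status=no-such-process"; return 2; }

    # readlink prints the link target without following it: the same text
    # that ls -l shows after "->". It fails if we lack permission.
    exe=$(readlink "$dir/exe" 2>/dev/null) \
        || { echo "pid=$pid status=unreadable"; return 3; }

    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)

    status=ok
    case "$exe" in
        # The kernel appends " (deleted)" when the on-disk file was unlinked
        # after the process started.
        *" (deleted)") status=deleted-binary ;;
    esac

    # A relative or renamed argv[0] is not proof of compromise (login shells
    # and daemons that retitle themselves also differ), but it is worth review.
    if [ "$status" = ok ] && [ "$argv0" != "$exe" ]; then
        status=argv0-mismatch
    fi

    echo "pid=$pid exe=$exe argv0=$argv0 status=$status"
    [ "$status" = ok ]
}
```

On a live host, run it as root so the exe link of other users' processes is readable, then verify the reported path with the package manager or a known-good hash.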