Which of the following commands should the administrator run next to further analyze the compromised system?

A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run next to further analyze the compromised system?
A . gbd /proc/1301
B . rpm -V openssh-server
C . /bin/Is -1 /proc/1301/exe
D . kill -9 1301

View Answer

Answer: A

Explanation:

/bin/ls -1 /proc/1301/exe is the command that will show the absolute path to the executed binary file associated with the process ID 1301, which is ./usr/sbin/sshd. This information can help the security analyst determine if the binary is an official version and has not been modified, which could be an indicator of a compromise. /proc/1301/exe is a special symbolic link that points to the executable file that was used to start the process 1301.

Reference: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks