A system administrator discovers that the homepage of a public-facing Linux web server has been defaced. The administrator immediately takes the server offline. To determine the extent of the unauthorized changes and confirm which files were altered, which of the following actions should the administrator perform FIRST?
Perform a full anti-malware scan of the server's file systems.
Analyze web server access logs to identify the source IP address of the attack.
Use a file integrity monitoring tool to compare file checksums against a previously established baseline.
Run a port scanner to identify all open ports on the server.
The correct action is to use a file integrity monitoring (FIM) tool. In the event of a security breach like a website defacement, the immediate priority is to understand the scope of the compromise. An FIM tool compares the current checksums of critical files against a known-good baseline created when the server was in a secure state. This process quickly and accurately identifies all modified, added, or deleted files, which is essential for both remediation and forensic analysis. Running a port scanner is useful for identifying the attack vector but does not identify which specific files were compromised. Analyzing logs helps trace the attacker's origin but may not reveal all file system changes. An anti-malware scan is important but may not detect a simple file modification if no traditional malware was used to make the change.
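As an added illustration of the checksum comparison the explanation describes (example code written here, not from the page or from any particular FIM product), the script below builds a SHA-256 baseline of a constructed web root and then diffs the tree against it, reporting modified, added and deleted files; the directory and file names are made up.

```python
"""Minimal file-integrity check: hash a tree into a baseline, then diff the
current tree against it. Added example, not the page's own code."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its checksum."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return files whose checksum changed, files absent from the baseline, and files now missing."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean web root, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: black; }")
        baseline = build_baseline(root)  # taken while the server was known-good
        (root / "index.html").write_text("<h1>Defaced</h1>")  # altered page
        (root / "unexpected.php").write_text("constructed placeholder")  # dropped file
        (root / "css" / "site.css").unlink()  # removed file
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it off the monitored host (or on read-only media), since a baseline kept on a compromised server can be rewritten along with the files it is meant to protect.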