A system administrator discovers that the homepage of a public-facing Linux web server has been defaced. The administrator immediately takes the server offline. To determine the extent of the unauthorized changes and confirm which files were altered, which of the following actions should the administrator perform FIRST?
Run a port scanner to identify all open ports on the server.
Use a file integrity monitoring tool to compare file checksums against a previously established baseline.
Analyze web server access logs to identify the source IP address of the attack.
Perform a full anti-malware scan of the server's file systems.
The correct action is to use a file integrity monitoring (FIM) tool. After a defacement, the immediate priority is to establish the scope of the compromise: the visible change to the homepage is only what the attacker chose to show, and the same access was very likely used to add, edit, or delete other files (web shells, modified configuration, altered scripts, wiped logs). An FIM tool computes cryptographic checksums of the current files and compares them against a baseline captured while the server was in a known-good state; it is the only option listed that enumerates every modified, added, and deleted file, which is exactly what is needed for both remediation and forensic analysis. A port scanner enumerates listening services on a live host; it says nothing about which files changed, and the server has already been taken offline. Web server access logs can help trace the attacker's origin and the request that was abused, but they record requests, not filesystem changes, and an attacker with write access may have edited or truncated them. An anti-malware scan looks for known malicious code and can miss a defacement entirely when the attacker simply overwrote an HTML file without dropping any malware. Two caveats matter in practice: the comparison is only trustworthy if the baseline was stored off-host (a baseline left on the compromised server can be regenerated by the attacker to hide changes), and the checksums should be taken from a read-only forensic image or a separately booted environment, since binaries and libraries on the compromised host can no longer be trusted and the image preserves evidence that an in-place scan might alter.
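The following is an added example, written for this explanation and not taken from the question or from any particular FIM product, showing the core of what an FIM tool does: build a baseline of SHA-256 digests for a directory tree, store it off-host, and later classify every path as modified, added, or deleted. The docroot, file names and contents in the demo are constructed; the "defacement" is simulated by overwriting the homepage, dropping a hypothetical `backdoor.php`, and deleting a page. The hashing and the three-way comparison are the same steps tools such as AIDE automate at scale.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path -> SHA-256 hex digest).

    Content is hashed rather than relying on size or mtime, because an attacker
    can set those freely. Symlinks are recorded by their target instead of being
    followed, so a link swapped in during the intrusion shows up as a change.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):  # does not follow dir symlinks
        for name in filenames:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root_path))
            if full.is_symlink():
                baseline[rel] = "symlink:" + os.readlink(full)
            elif full.is_file():
                baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Write the baseline as JSON; in real use this goes to a separate, trusted host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added, or deleted relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario (not a real incident): baseline a tiny docroot, then deface it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<p>About us</p>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")

        # Baseline taken while the server is in a known-good state, stored "off-host"
        # (here: a second temp file standing in for a separate system).
        baseline_path = os.path.join(tmp, "..", "baseline-demo.json")
        save_baseline(build_baseline(tmp), baseline_path)

        # Simulated intrusion: homepage overwritten, hypothetical backdoor dropped, page removed.
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "backdoor.php").write_text("<?php /* attacker-dropped file (constructed) */ ?>\n")
        (root / "about.html").unlink()

        result = compare(load_baseline(baseline_path), build_baseline(tmp))
        os.remove(baseline_path)
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real response the second `build_baseline` call would run against a read-only mount of the forensic image rather than the live filesystem, and `load_baseline` would read the copy kept on a separate system, for the reasons given above.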