Problem Statement
Outline a quick triage on a suspicious Linux host before full forensics.
Explanation
First, avoid tipping off the attacker: work quietly and do not reboot or "clean up" anything. Record who is on the host and what is running: logged-in users, recent authentication failures, and sudo history. Capture the process tree with full command lines, open network sockets, and recently added cron jobs or systemd timers. Check for new or altered binaries in sensitive paths, unexpected SUID files, and recent changes under /etc. Preserve memory if feasible, since fileless techniques leave little on disk. Finally, isolate the host from the network while keeping analyst access. This snapshot determines whether you escalate to full acquisition.
Code Solution
Handy commands: who; last -n 20; sudo -l; ps -ef; ss -antup; crontab -l; ls -al /etc/cron.*; systemctl list-timers; find / -perm -4000 -type f 2>/dev/null
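The same checks as a collector script that writes each output to a timestamped evidence directory with a SHA-256 manifest, ordered from most volatile to least. This is an added example, not part of the card; it assumes a Linux host with coreutils, procps, iproute2, cron and systemd, and the function and label names are my own.

```shell
#!/bin/sh
# Live triage collector for the checks on this card (added example, not from the
# original card). Assumes a Linux host with coreutils, procps, iproute2, cron and
# systemd; a tool that is missing or not permitted is noted in the evidence file
# instead of aborting the run. Memory capture and network isolation stay manual steps.

triage_step() {  # triage_step <label> <command string>: save output, hash it, log it
    file="$out/$1.txt"
    {
        printf '# %s\n# %s\n# collected %s\n' "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        sh -c "$2" 2>&1 || printf '# exit status %s (missing tool or insufficient privilege)\n' "$?"
    } > "$file"
    printf '%s  %s\n' "$(sha256sum "$file" | cut -d' ' -f1)" "$1.txt" >> "$manifest"
}

triage_collect() {  # triage_collect [evidence_dir]; returns 0 once the manifest is written
    out="${1:-./triage-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
    manifest="$out/MANIFEST.txt"
    mkdir -p "$out" && : > "$manifest" || return 1
    # Most volatile first: who is on the box, what is running, what is talking.
    triage_step sessions   'who; last -n 20; lastb -n 20'
    triage_step sudo       'sudo -n -l'              # -n: never prompt on a live host
    triage_step processes  'ps -ef; ps -eo pid,ppid,user,etime,args --forest'
    triage_step sockets    'ss -antup'
    # Persistence: cron entries and systemd timers.
    triage_step cron       'crontab -l; cat /etc/crontab; ls -al /etc/cron.*'
    triage_step timers     'systemctl list-timers --all --no-pager'
    # Filesystem: SUID binaries and files changed under /etc in the last two days
    # (-xdev keeps find on the root filesystem, away from /proc and /sys).
    triage_step suid_files 'find / -xdev -perm -4000 -type f 2>/dev/null'
    triage_step etc_recent 'find /etc -xdev -type f -mtime -2 2>/dev/null'
    printf 'evidence written to %s (%s files hashed)\n' "$out" "$(wc -l < "$manifest")"
}
```

Run it as root with the evidence directory on removable or remote storage, then compare MANIFEST.txt hashes before and after transfer.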
