
Answer #9 — CompTIA Security+ Guidance


LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.

This is the worst case of all. Someone has replaced the file containing the kernel (/boot/vmlinuz-4.13.0 has a different hash today than it had last week, while every other file is unchanged). Once you reboot after such a change, you are running the intruder's operating system, so nothing the system reports about itself can be trusted. This is a sign of a rootkit.
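The reasoning above is exactly what a file-integrity check automates: compare a baseline of hashes against the current run and rank what changed by how much of the system it undermines. The following Python script is an added example, not part of the original answer page. It embeds the two hash records shown above as its sample input; the record parser, the path-prefix classification and the verdict names are this example's own assumptions, not any particular tool's format.

```python
"""Diff two file-hash snapshots (baseline vs. current) and classify what changed.

Added example, not code from the original page. The two records below are the
ones printed on the page; everything else (parser, classification, verdicts)
is an assumption made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the two records from the page. Entries may or may not carry a
# trailing colon after the path and are separated by one or more tabs/spaces.
LAST_WEEK = """\
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842
"""

TODAY = """\
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842
"""

# One record line: a path, an optional colon, whitespace, a 40-hex-digit SHA-1.
_RECORD = re.compile(r"^(\S+?):?\s+([0-9a-fA-F]{40})\s*$")

# Assumed classification: files whose replacement means the OS itself is
# compromised, versus files that only configure it.
OS_COMPONENT_PREFIXES = ("/boot/", "/bin/", "/sbin/", "/lib", "/usr/bin/", "/usr/sbin/", "/usr/lib")
CONFIG_PREFIXES = ("/etc/",)


@dataclass
class Change:
    path: str
    old: str  # "" when the file is new in the current snapshot
    new: str  # "" when the file disappeared
    category: str  # "os_component", "configuration" or "other"


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse record lines into {path: hash}, ignoring blank lines; reject garbage."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _RECORD.match(line)
        if match is None:
            raise ValueError(f"unparseable record: {line!r}")
        path, digest = match.groups()
        hashes[path] = digest.lower()
    return hashes


def classify(path: str) -> str:
    if path.startswith(OS_COMPONENT_PREFIXES):
        return "os_component"
    if path.startswith(CONFIG_PREFIXES):
        return "configuration"
    return "other"


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Return every modified, added or removed file, in path order."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, ""), current.get(path, "")
        if old != new:
            changes.append(Change(path, old, new, classify(path)))
    return changes


def verdict(changes: List[Change]) -> str:
    """Worst finding wins: a replaced OS component outranks any config change."""
    categories = {c.category for c in changes}
    if "os_component" in categories:
        return "os_untrusted"       # kernel/boot/binaries replaced: OS cannot be trusted
    if "configuration" in categories:
        return "config_changed"     # system configuration altered
    if categories:
        return "other_changed"
    return "clean"


if __name__ == "__main__":
    found = diff_snapshots(parse_snapshot(LAST_WEEK), parse_snapshot(TODAY))
    for c in found:
        print(f"{c.category:14} {c.path}: {c.old or '-'} -> {c.new or '-'}")
    print("verdict:", verdict(found))
```

Run as-is, the script reports a single change, the kernel image under /boot, and returns the `os_untrusted` verdict; a change confined to /etc would instead yield `config_changed`, which is the distinction between the last two answer choices. In production the baseline would be stored off-host (or signed), since a rootkit that can replace the kernel can also rewrite a hash list kept on the same disk.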