PrepAway - Latest Free Exam Questions & Answers

Which of the following are the administrator’s NEXT ste…

A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the Internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrator’s NEXT steps in the investigation? (Select TWO).

A. Reinstall the procps package in case system utilities were modified.

B. Look for recently modified files in user and tmp directories.

C. Switch SELinux to enforcing mode and reboot.

D. Monitor perimeter firewall for suspicious traffic from the system.

E. Check running processes and kernel modules.

F. Remove unnecessary accounts and services.

