When unknown files are found in the root directory of a Linux FTP server, what is the most appropriate initial action for a network administrator?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

When unknown files are found in the root directory of a Linux FTP server, what is the most appropriate initial action for a network administrator?

Explanation:
Unknown files appearing in the root directory of a Linux FTP server can indicate a compromise, backdoor, or malware. The most appropriate initial action is to quarantine the system and preserve evidence for analysis. This ensures you don’t alter or destroy artifacts that investigators will need to determine how the incident occurred, what was accessed, and what data may have been affected. Preserving evidence also helps maintain a proper chain of custody for any potential legal or policy implications.

In practice, this means isolating the server from the network or restricting access, capturing a forensic image of the disk, collecting volatile data (like running processes and open connections), and securing relevant logs and file metadata. After the system is contained and the evidence is preserved, a focused analysis can follow to identify the attacker’s method and scope. Deleting the files or rebooting could erase critical forensic data, and ignoring the issue or simply monitoring without containment could allow the attacker to cause further harm.