4. How should an internal network alert be handled, and what is the general process?
Identify the specific machine and vulnerability type; apply patch.
Use webshell/antivirus tools to check and clean the system; inspect /tmp for obfuscated trojans.
On full‑traffic analysis device, verify if other machines were traversed.
Obtain attacker IP and check threat intelligence (360, ThreatBook) to see if it is a VPS, compromised host, or personal cloud server.
For personal servers, use WHOIS to find domain, email, then social engineering to find mobile number and possibly full identity through credential stuffing.