An analyst runs the netstat command on a web server. Based on the output, which connection is the MOST suspicious?
203.0.113.5 is a TEST-NET address (RFC 5737) rarely used in production, and source port 8080 is atypical for a client.
Why this answer
Option B is correct because the external IP 203.0.113.5 from the documentation range is connecting on an unusual source port (8080), which is often used for proxies or tunneling. Option A is wrong because 192.168.1.10 is a private IP with a high ephemeral port, typical. Option C is wrong because 10.0.2.50 is internal.
Option D is wrong because the listening port is expected.