Below are the initial findings from the IEBC FileZilla Server log:
Some of the CECs appear to have used multiple IP addresses. The user Jlimaris@iebc.or.ke has
used multiple IP addresses, though the KIEMS are meant to have static IP addresses (a static IP
is fixed on a device and cannot change). One possibility is that a different KIEM was granted
access to the system using the account name Jlimaris@iebc.or.ke. The addresses seen were:
a. 196.105.148.200 (safaricom)
b. 105.165.241.210 (safaricom)
c. 196.103.120.89 (safaricom)
d. 196.103.126.199 (safaricom)
e. 41.60.238.138 (KENET)
f. 105.166.213.156 (safaricom)
g. 105.163.223.186 (safaricom)
h. 197.179.77.21 (safaricom)
i. 105.165.95.155 (safaricom)
j. 105.160.184.138 (safaricom)
According to the logs, some constituencies show no trace of an uploaded Form 34B.
For example, in Matayo constituency, Busia county, the logs show no Form 34B upload by the CEC
for that constituency. He uploaded Form 34As only.
On 8/11/2017 between 1:44:57 AM and 2:12:29 AM, the CEC for Kibwezi East uploaded the
same Form 34B more than once at different times. This action compromises the integrity of the
file. The same user name then changed the same file again on 8/12/2017 at 10:51:45 AM
using a different IP, and again on 8/13/2017 at 20:09:28 PM. This confirms that the integrity
of the file is compromised.
Form 34B for Jomvu constituency was uploaded by multiple users, including wchebukati, as
indicated by the logs below. Users nmaftah@iebc.or.ke and wchebukati@iebc.or.ke performed
multiple suspicious operations on the Jomvu constituency Form 34B.
There were approximately 8300 delete commands run on the FileZilla FTP server between
8/8/2017 22:32:59 PM and 8/17/2017 13:09:55 PM. Out of the 8300, 7954 were successfully
executed. This shows that the integrity of the FTP server was weak (if there was any at all).
1582 delete requests were for Form 34A, and 147 delete requests were for Form 34B.
(000142) 8/2/2017 14:21:36 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000170) 8/2/2017 14:34:48 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000179) 8/2/2017 14:43:20 PM - wchebukati@iebc.or.ke (105.162.113.194)> DELE RO.csv
(000213) 8/2/2017 15:12:23 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:34 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000238) 8/2/2017 15:26:49 PM - hnjuguna@iebc.or.ke (105.50.8.3)> DELE form 34B Dummy.pdf
(000242) 8/2/2017 15:35:06 PM - hnjuguna@iebc.or.ke (105.50.8.3)> DELE form 34B Dummy.pdf
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE FORM 34 B_Constituency.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE FORM 34 B_Constituency.docx
(000264) 8/2/2017 15:50:41 PM - mgandani@iebc.or.ke (105.50.75.71)> DELE PRE FILLED FORMS.docx
(000264) 8/2/2017 15:51:03 PM - mgandani@iebc.or.ke (105.50.75.71)> DELE PRE FILLED FORMS.docx
(000277) 8/2/2017 15:56:21 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000344) 8/2/2017 16:59:05 PM - gengor@iebc.or.ke (105.165.71.113)> DELE FUNYULA-F34B.jpeg
(000373) 8/2/2017 17:15:31 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000373) 8/2/2017 17:16:01 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000373) 8/2/2017 17:16:19 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000416) 8/2/2017 17:31:05 PM - nmaftah@iebc.or.ke (105.230.218.47)> DELE Jomvu-002.xlsx
(000546) 8/2/2017 18:40:39 PM - mkaranja@iebc.or.ke (197.182.239.57)> DELE F34B-081-MACHAKOS TOWN.pdf
(000548) 8/2/2017 18:49:37 PM - mchenger@iebc.or.ke (197.183.221.198)> DELE F34B-028-149-0000-000-01.pdf
(000121) 8/4/2017 21:44:13 PM - ajarso@iebc.or.ke (196.97.147.195)> DELE KIEMS TRAINING - Final_CLERKS.ppt
(000090) 8/5/2017 16:21:07 PM - awekesa@iebc.or.ke (196.98.95.80)> DELE KIEMS KITS WITH DATA INITIALIZATION ISSUES-maragwa.xlsx
(000141) 8/5/2017 17:26:34 PM - amusau@iebc.or.ke (105.62.78.107)> DELE F34B-097-OTHAYA.jpg
(000159) 8/5/2017 17:32:03 PM - mnandokha@iebc.or.ke (105.164.168.143)> DELE F34B-234-ALEGO USONGA.pdf
(000173) 8/5/2017 17:40:23 PM - gatieno@iebc.or.ke (105.56.8.62)> DELE F34B-179-NAROK NORTH.pdf
(000173) 8/5/2017 17:40:35 PM - gatieno@iebc.or.ke (105.56.8.62)> DELE F34B-179-NAROK NORTH.pdf
(000196) 8/5/2017 17:56:43 PM - mmalonza@iebc.or.ke (196.101.35.204)> DELE 2017KIEMS_IEBC_ID Clerk_EVI_Memo_5.3.pdf
(000196) 8/5/2017 17:58:00 PM - mmalonza@iebc.or.ke (196.101.35.204)> DELE 2017KIEMS_IEBC_ID Clerk_EVI_Memo_5.3.pdf
(000217) 8/5/2017 19:31:07 PM - egitau@iebc.or.ke (196.98.40.239)> DELE F34-101-MARAGWA.pdf
(000237) 8/5/2017 20:59:01 PM - pmauta@iebc.or.ke (105.163.251.70)> DELE desktop.ini
(000306) 8/5/2017 22:54:15 PM - mmaalim@iebc.or.ke (105.162.226.165)> DELE F34B-031-FAFI.pdf
(000346) 8/6/2017 10:04:06 AM - rngeny@iebc.or.ke (196.101.94.134)> DELE ANNEX - RTS QRC for Transmission 08_Jul_2017 (2).pptx
(000349) 8/6/2017 10:10:55 AM - wchebukati@iebc.or.ke (41.212.16.248)> DELE ANNEX - RTS QRC for Transmission 08_Jul_2017 (2).pptx
(000350) 8/6/2017 10:15:18 AM - tmuhu@iebc.or.ke (105.166.218.253)> DELE 20170806020030.pdf
(000179) 8/7/2017 9:00:04 AM - dmbui@iebc.or.ke (196.105.98.123)> DELE s
(000409) 8/7/2017 16:27:38 PM - (not logged in) (165.227.28.39)> DELE EPRT EPSV FEAT HASH HELP LIST MDTM
(000802) 8/8/2017 22:32:59 PM - anankeyai@iebc.or.ke (105.62.214.31)> DELE FORM 32A (1).docx
(000914) 8/9/2017 1:25:00 AM - rmakazi@iebc.or.ke (196.104.202.131)> DELE FRM 34A04929214510101.pdf
(000914) 8/9/2017 1:25:00 AM - rmakazi@iebc.or.ke (196.104.202.131)> DELE FRM 34A04929214510111.pdf
(000962) 8/9/2017 3:04:03 AM - jgitagama@iebc.or.ke (196.106.121.156)> DELE KIEMS RETRIEVAL.pdf
(000962) 8/9/2017 3:04:28 AM - jgitagama@iebc.or.ke (196.106.121.156)> DELE KIEMS RETRIEVAL.pdf
(001126) 8/9/2017 12:24:41 PM - wchebukati@iebc.or.ke (197.156.132.178)> DELE F34B-191-Bureti.pdf
(001218) 8/9/2017 15:26:36 PM - robari@iebc.or.ke (105.162.191.232)> DELE edms4 - Shortcut.lnk
(001253) 8/9/2017 16:57:31 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001253) 8/9/2017 16:58:16 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001257) 8/9/2017 17:01:21 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001324) 8/9/2017 17:27:12 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001335) 8/9/2017 17:33:11 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST_1.pdf
(001551) 8/9/2017 18:38:48 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-Sigowet Soin.pdf
(001551) 8/9/2017 18:38:55 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-SIGOWETSOIN.pdf
(001551) 8/9/2017 18:39:08 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-Sigowet Soin.pdf
(001551) 8/9/2017 18:39:09 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-SIGOWETSOIN.pdf
(001617) 8/9/2017 18:52:21 PM - bevelya@iebc.or.ke (196.104.194.114)> DELE F34B-193-Sigowet Soin.pdf
(001770) 8/9/2017 20:11:15 PM - gengor@iebc.or.ke (196.96.215.186)> DELE F34B-230-FUNYULA2.pdf
(001796) 8/9/2017 20:34:11 PM - gengor@iebc.or.ke (196.96.215.186)> DELE F34B-230-FUNYULA2.pdf
(001804) 8/9/2017 20:38:24 PM - ewanjohi@iebc.or.ke (105.57.181.194)> DELE F34B-098-MUKURWEI-INI.pdf
(001839) 8/9/2017 21:10:02 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001849) 8/9/2017 21:14:32 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001849) 8/9/2017 21:14:34 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001849) 8/9/2017 21:16:38 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001849) 8/9/2017 21:16:38 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001887) 8/9/2017 21:30:26 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001887) 8/9/2017 21:30:26 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-001-01.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-002-01.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-002-02.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-006-02.pdf
(001956) 8/9/2017 22:02:28 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-011-01.pdf
The user jmwii@iebc.or.ke, who is a CEC for LAIKIPIA WEST constituency, logged into the
system on 8/10/2017 at 17:12:22 PM and deleted the file F34B-163-LAIKIPIAWEST.pdf.
A CEC should not be able to DELETE (a poor security measure). He then renamed the file
F34B-031-163-LAIKIPIAWEST.pdf. This compromises the integrity of the file.
The logs below show deletion commands on uploaded files. Form 34B for Changamwe appears
to be an .xlsx file, which indicates that the system had no mechanism for ensuring that
only images were uploaded. This, together with the ability of CECs to delete data, further
challenges the integrity of the system. Docx files are also present in the uploads. (Compared
to images, docx and xlsx files cannot carry the barcodes used for authentication and can be
edited easily.)
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> 150 Opening data channel for file upload to server of "/F34B-001-Changamwe.xlsx"
(000204) 8/2/2017 15:07:36 PM - asenge@iebc.or.ke (197.180.213.212)> 226 Successfully transferred "/F34B-001-Changamwe.xlsx"
(000208) 8/2/2017 15:09:27 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000214) 8/2/2017 15:11:53 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:23 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:34 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000336) 8/2/2017 16:54:30 PM - mlempaka@iebc.or.ke (105.166.230.78)> STOR F34B-179-NAROK NORTH.pdf
(000336) 8/2/2017 16:54:30 PM - mlempaka@iebc.or.ke (105.166.230.78)> 150 Opening data channel for file upload to server of "/F34B-179-NAROK NORTH.pdf"
(000336) 8/2/2017 16:54:36 PM - mlempaka@iebc.or.ke (105.166.230.78)> 226 Successfully transferred "/F34B-179-NAROK NORTH.pdf"
(000343) 8/2/2017 16:57:39 PM - mgandani@iebc.or.ke (105.50.75.71)> STOR F34B-001-004-0016-001-01.jpg
(000343) 8/2/2017 16:57:39 PM - mgandani@iebc.or.ke (105.50.75.71)> 150 Opening data channel for file upload to server of "/F34B-001-004-0016-001-01.jpg"
(000343) 8/2/2017 16:59:40 PM - mgandani@iebc.or.ke (105.50.75.71)> 226 Successfully transferred "/F34B-001-004-0016-001-01.jpg"
(000354) 8/2/2017 17:06:43 PM - mgandani@iebc.or.ke (105.50.75.71)> STOR F34B-001-004-0016-001-01.pdf
From the logs, on 8/9/2017 the user wchebukati@iebc.or.ke retrieved the file
F34B-191-Bureti.pdf at 10:28:31 AM. The user ponyango@iebc.or.ke uploaded the file at
11:00:53 AM and again at 11:01:22 AM. The user wchebukati@iebc.or.ke retrieved the file at
12:02:13 PM, then uploaded it at 12:02:20 PM. He then renamed the file, uploaded it again,
deleted it, and uploaded it again using an IP address that is not part of the infrastructure
(41.212.16.248 - Wananchi network). The users at the national tally centre should only have
read access to the data, as outlined in the IEBC business requirements. This clearly shows
how the system was compromised.
(001093) 8/9/2017 10:28:31 AM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001108) 8/9/2017 11:00:53 AM - ponyango@iebc.or.ke (105.162.252.214)> STOR F34B-191-Bureti.pdf
(001109) 8/9/2017 11:01:22 AM - ponyango@iebc.or.ke (105.162.252.214)> STOR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:02:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:02:20 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:03:10 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001120) 8/9/2017 12:06:54 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001120) 8/9/2017 12:07:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001119) 8/9/2017 12:07:57 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001119) 8/9/2017 12:08:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001121) 8/9/2017 12:08:32 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001122) 8/9/2017 12:18:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001123) 8/9/2017 12:18:34 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001127) 8/9/2017 12:24:18 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001126) 8/9/2017 12:24:41 PM - wchebukati@iebc.or.ke (197.156.132.178)> DELE F34B-191-Bureti.pdf
(001130) 8/9/2017 12:25:40 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(026419) 8/13/2017 12:57:44 PM - wchebukati@iebc.or.ke (41.212.16.248)> RETR F34B-191-Bureti.pdf
One notable observation is that the user wchebukati@iebc.or.ke on numerous occasions logged
into the FTP server using the IP address 41.212.16.248 (assigned to Wananchi Telecoms and not
part of the IEBC network). From the logs, it is evident that the user chebukati, using the IP
address 41.212.16.248, used the system extensively between 8/6/2017 10:10:43 AM and
8/13/2017 16:15:50 PM. The logs below demonstrate the events (subset):
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> Connected on port 21, sending welcome message...
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220-FileZilla Server 0.9.60 beta
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220 Please visit https://filezilla-project.org/
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> AUTH TLS
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 234 Using authentication type TLS
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> TLS connection established
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> USER wchebukati@iebc.or.ke
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 331 Password required for wchebukati@iebc.or.ke
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> PASS **************
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 230 Logged on
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> SYST
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 215 UNIX emulated by FileZilla
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> FEAT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 211-Features:
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MDTM
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> REST STREAM
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> SIZE
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MLST type*;size*;modify*;
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MLSD
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> AUTH SSL
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> AUTH TLS
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PROT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PBSZ
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> UTF8
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> CLNT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MFMT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> EPSV
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> EPRT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 211 End
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PBSZ 0
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 200 PBSZ=0
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PROT P
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 200 Protection level set to P
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> TYPE I
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 200 Type set to I
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> PASV
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 227 Entering Passive Mode (197,156,132,102,252,219)
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> MLSD
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 150 Opening data channel for directory listing of "/KISUMU CENTRAL"
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 226 Successfully transferred "/KISUMU CENTRAL"
(026679) 8/13/2017 16:15:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 421 No-transfer-time exceeded. Closing control connection.
(026679) 8/13/2017 16:15:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> disconnected.
The file-rename command RNFR was executed 188 times by various users between
8/2/2017 17:15:18 PM and 8/16/2017 9:52:27 AM.
There was a mismatch in the file types uploaded to the server, i.e. .docx, .pdf, .jpg, .xlsx.
If the images were scanned, then we expect .jpg only! The .docx and .xlsx file formats are
modifiable.
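The checks behind three of the findings above (accounts seen from several source addresses, delete requests per form type, and uploads that are not images) can be reproduced from the raw log with a short parser. This is an added example and not part of the original findings; the sample lines, account names and addresses are constructed, and treating only .jpg/.jpeg as scanned images is an assumption.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Line shape quoted on this page: (session) date time AM|PM - user (ip)> text
LINE_RE = re.compile(
    r"^\((\d+)\) (\S+ \S+ [AP]M) - (.+?) \((\d{1,3}(?:\.\d{1,3}){3})\)> (.*)$")
# Client file operations only; three-digit server replies never match.
CMD_RE = re.compile(r"^(STOR|DELE|RETR|RNFR|RNTO)(?: (.*))?$")
FORM_RE = re.compile(r"34 ?([AB])", re.I)   # F34B-..., FRM 34A..., FORM 34 B...
IMAGE_EXT = {".jpg", ".jpeg"}               # assumption: scans arrive as JPEG only

# Constructed sample (placeholder accounts, documentation-range addresses).
SAMPLE_LOG = """\
(000204) 8/2/2017 15:07:35 PM - clerk1@example.org (192.0.2.10)> STOR F34B-001-Sample.xlsx
(000204) 8/2/2017 15:07:36 PM - clerk1@example.org (192.0.2.10)> 226 Successfully transferred "/F34B-001-Sample.xlsx"
(000213) 8/2/2017 15:12:23 PM - clerk1@example.org (192.0.2.10)> DELE F34B-001-Sample.xlsx
(000343) 8/2/2017 16:57:39 PM - clerk2@example.org (198.51.100.7)> STOR F34B-001-004-0016-001-01.jpg
(000409) 8/7/2017 16:27:38 PM - (not logged in) (203.0.113.5)> DELE EPRT EPSV FEAT
(000914) 8/9/2017 1:25:00 AM - clerk2@example.org (198.51.100.7)> DELE FRM 34A-sample.pdf
(000915) 8/9/2017 1:26:10 AM - clerk2@example.org (198.51.100.7)> DELE desktop.ini
(001617) 8/9/2017 18:52:21 PM - clerk1@example.org (192.0.2.99)> DELE F34B-001-Sample.pdf
"""

def parse(text):
    """Return (when, user, ip, command, argument) for authenticated file operations."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) == "(not logged in)":
            continue  # unparsable line, or a session that never authenticated
        c = CMD_RE.match(m.group(5))
        if c:
            events.append((m.group(2), m.group(3), m.group(4), c.group(1), c.group(2) or ""))
    return events

def accounts_with_multiple_ips(events):
    seen = defaultdict(set)
    for _when, user, ip, _cmd, _arg in events:
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}

def delete_requests_by_form(events):
    """Count DELE requests (not confirmed deletions) per form type."""
    counts = Counter()
    for _when, _user, _ip, cmd, arg in events:
        if cmd == "DELE":
            m = FORM_RE.search(arg)
            counts["34" + m.group(1).upper() if m else "other"] += 1
    return counts

def non_image_uploads(events):
    return [(user, arg) for _when, user, _ip, cmd, arg in events
            if cmd == "STOR" and PurePosixPath(arg).suffix.lower() not in IMAGE_EXT]
```

The parser expects one log entry per line. The counts are DELE requests; telling which ones succeeded requires pairing each request with the server reply that follows it in the same session.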
Admin access to the server by a CEC from Bomet under the user name vkimelil@iebc.or.ke:
The user vkimelil@iebc.or.ke, who is a CEC, made a lot of modifications from 8/1/2017 20:34:28
PM to 8/11/2017 4:41:00 AM. The user also used different IP addresses, at some point even a
reserved IP, 10.0.1.16 (not accessible via the internet).
The user vkimelil@iebc.or.ke also installed applications on the server, as per the logs.
Installation of software applications should only be done by the admin or superuser.