FileZilla Server (FTP server) - Report

Below are the initial findings from the IEBC FileZilla Server log:

Foreign IP addresses accessed the server

The IP addresses below accessed the file server even though they do not belong to the IEBC IP address inventory:
1. 41.60.238.138 - liquid telecoms : user jlimaris@iebc.or.ke
2. 41.212.16.248 - wananchi network : user wchebukati@iebc.or.ke

(000857) 8/8/2017 23:39:51 PM - (not logged in) (41.60.238.138)> USER Jlimaris@iebc.or.ke
(000857) 8/8/2017 23:39:51 PM - (not logged in) (41.60.238.138)> 331 Password required for jlimaris@iebc.or.ke
(000857) 8/8/2017 23:39:51 PM - jlimaris@iebc.or.ke (41.60.238.138)> 230 Logged on
(000857) 8/8/2017 23:39:51 PM - jlimaris@iebc.or.ke (41.60.238.138)> PBSZ 0
(000857) 8/8/2017 23:39:51 PM - jlimaris@iebc.or.ke (41.60.238.138)> 200 PBSZ=0
(000857) 8/8/2017 23:39:52 PM - jlimaris@iebc.or.ke (41.60.238.138)> PROT P
(000857) 8/8/2017 23:39:52 PM - jlimaris@iebc.or.ke (41.60.238.138)> 200 Protection level set to P
(000857) 8/8/2017 23:39:52 PM - jlimaris@iebc.or.ke (41.60.238.138)> CWD /
(000857) 8/8/2017 23:39:52 PM - jlimaris@iebc.or.ke (41.60.238.138)> 250 CWD successful. "/" is current directory.
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> TYPE I
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> 200 Type set to I
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> PASV
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> 227 Entering Passive Mode (197,156,132,102,202,81)
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> MLSD
(000857) 8/8/2017 23:39:53 PM - jlimaris@iebc.or.ke (41.60.238.138)> 150 Opening data channel for directory listing of "/"
(000857) 8/8/2017 23:39:54 PM - jlimaris@iebc.or.ke (41.60.238.138)> TLS connection for data connection established
(000857) 8/8/2017 23:39:54 PM - jlimaris@iebc.or.ke (41.60.238.138)> 226 Successfully transferred "/"
(000857) 8/8/2017 23:41:54 PM - jlimaris@iebc.or.ke (41.60.238.138)> 421 Connection timed out.
(000857) 8/8/2017 23:41:54 PM - jlimaris@iebc.or.ke (41.60.238.138)> disconnected.
(019996) 8/11/2017 15:01:23 PM - (not logged in) (105.166.213.156)> USER Jlimaris@iebc.or.ke
(019996) 8/11/2017 15:01:23 PM - (not logged in) (105.166.213.156)> 331 Password required for jlimaris@iebc.or.ke
(020003) 8/11/2017 15:02:15 PM - (not logged in) (105.166.213.156)> USER Jlimaris@iebc.or.ke
(020003) 8/11/2017 15:02:15 PM - (not logged in) (105.166.213.156)> 331 Password required for jlimaris@iebc.or.ke
(020003) 8/11/2017 15:02:15 PM - jlimaris@iebc.or.ke (105.166.213.156)> 230 Logged on
(020003) 8/11/2017 15:02:15 PM - jlimaris@iebc.or.ke (105.166.213.156)> SYST
(020003) 8/11/2017 15:02:15 PM - jlimaris@iebc.or.ke (105.166.213.156)> 215 UNIX emulated by FileZilla
(020003) 8/11/2017 15:02:15 PM - jlimaris@iebc.or.ke (105.166.213.156)> FEAT
(020003) 8/11/2017 15:02:15 PM - jlimaris@iebc.or.ke (105.166.213.156)> 211-Features:

Multiple IP addresses from one user

Some of the CECs appear to have used multiple IP addresses. The user Jlimaris@iebc.or.ke, for example, has used multiple IP addresses even though the KIEMS kits are meant to have static IP addresses (a static IP is fixed on a device and does not change). One possibility is that a different KIEMS kit was granted access to the system using the account name Jlimaris@iebc.or.ke:
a. 196.105.148.200 (safaricom)
b. 105.165.241.210 (safaricom)
c. 196.103.120.89 (safaricom)
d. 196.103.126.199 (safaricom)
e. 41.60.238.138 (KENET)
f. 105.166.213.156 (safaricom)
g. 105.163.223.186 (safaricom)
h. 197.179.77.21 (safaricom)
i. 105.165.95.155 (safaricom)
j. 105.160.184.138 (safaricom)

(021186) 8/11/2017 18:50:52 PM - jlimaris@iebc.or.ke (105.163.223.186)> 150 Opening data channel for file upload to server of "/F34A-040-229-1147-079-01.pdf"
(021177) 8/11/2017 18:50:52 PM - jlimaris@iebc.or.ke (105.163.223.186)> 226 Successfully transferred "/F34A-040-229-1147-076-01.pdf"
(021186) 8/11/2017 18:50:56 PM - jlimaris@iebc.or.ke (105.163.223.186)> 226 Successfully transferred "/F34A-040-229-1147-079-01.pdf"
(021177) 8/11/2017 18:50:56 PM - jlimaris@iebc.or.ke (105.163.223.186)> PASV
(021177) 8/11/2017 18:50:56 PM - jlimaris@iebc.or.ke (105.163.223.186)> 227 Entering Passive Mode (197,156,132,102,200,253)
(021177) 8/11/2017 18:50:57 PM - jlimaris@iebc.or.ke (105.163.223.186)> MLSD
(021177) 8/11/2017 18:50:57 PM - jlimaris@iebc.or.ke (105.163.223.186)> 150 Opening data channel for directory listing of "/"
(021177) 8/11/2017 18:50:57 PM - jlimaris@iebc.or.ke (105.163.223.186)> 226 Successfully transferred "/"
(021177) 8/11/2017 18:51:52 PM - jlimaris@iebc.or.ke (105.163.223.186)> disconnected.
(021186) 8/11/2017 18:51:57 PM - jlimaris@iebc.or.ke (105.163.223.186)> disconnected.
(021133) 8/11/2017 18:54:47 PM - jlimaris@iebc.or.ke (105.163.223.186)> 421 No-transfer-time exceeded. Closing control connection.
(021133) 8/11/2017 18:54:47 PM - jlimaris@iebc.or.ke (105.163.223.186)> disconnected.
(027920) 8/14/2017 18:26:29 PM - (not logged in) (197.179.77.21)> USER Jlimaris@iebc.or.ke
(027920) 8/14/2017 18:26:29 PM - (not logged in) (197.179.77.21)> 331 Password required for jlimaris@iebc.or.ke
(027920) 8/14/2017 18:26:30 PM - jlimaris@iebc.or.ke (197.179.77.21)> 230 Logged on
(027920) 8/14/2017 18:26:30 PM - jlimaris@iebc.or.ke (197.179.77.21)> SYST
(027920) 8/14/2017 18:26:30 PM - jlimaris@iebc.or.ke (197.179.77.21)> 215 UNIX emulated by FileZilla
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> FEAT
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> 211-Features:
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> MDTM
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> REST STREAM
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> SIZE
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> MLST type*;size*;modify*;
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> MLSD
(027920) 8/14/2017 18:26:31 PM - jlimaris@iebc.or.ke (197.179.77.21)> UTF8

No Data From Polling Stations

From the FileZilla server log there is no trace of data that originated from the polling station returning officers, as earlier indicated by IEBC. All the uploads came from CECs, raising the question of whether the data on their server came from the polling stations as stipulated by the regulations.

No form 34Bs from some constituencies

As per the logs, some constituencies have no trace of a Form 34B upload at all. For example, in Busia county, Matayo constituency, the logs show that the CEC did not upload the Form 34B for that constituency; he uploaded Form 34As only.

Same form 34B uploaded multiple times

On 8/11/2017, between 1:44:57 AM and 2:12:29 AM, the CEC for Kibwezi East uploaded the same Form 34B more than once at different times. This action compromises the integrity of the file. The same user name then changes the same file again on 8/12/2017 at 10:51:45 AM using a different IP, and again on 8/13/2017 at 20:09:28 PM. This confirms that the integrity of the file is compromised.

(014787) 8/11/2017 1:44:57 AM - fwaitah@iebc.or.ke (105.48.47.48)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST(pg2).pdf"
(014788) 8/11/2017 1:44:57 AM - fwaitah@iebc.or.ke (105.48.47.48)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(014787) 8/11/2017 1:45:25 AM - fwaitah@iebc.or.ke (105.48.47.48)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(014831) 8/11/2017 2:05:47 AM - fwaitah@iebc.or.ke (105.48.47.48)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST(pg2).pdf"
(014842) 8/11/2017 2:12:29 AM - fwaitah@iebc.or.ke (105.48.47.48)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(024231) 8/12/2017 10:51:41 AM - fwaitah@iebc.or.ke (41.81.18.147)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(024231) 8/12/2017 10:51:45 AM - fwaitah@iebc.or.ke (41.81.18.147)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST(pg2).pdf"
(026882) 8/13/2017 19:53:24 PM - fwaitah@iebc.or.ke (105.57.220.23)> 226 Successfully transferred "/F35B/F34A-017-088-KIBWEZIEAST"
(026883) 8/13/2017 19:56:11 PM - fwaitah@iebc.or.ke (105.57.220.23)> 226 Successfully transferred "/F35B/F34A-017-088-KIBWEZIEAST"
(026900) 8/13/2017 20:08:50 PM - fwaitah@iebc.or.ke (105.57.220.23)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(026900) 8/13/2017 20:09:28 PM - fwaitah@iebc.or.ke (105.57.220.23)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST.pdf"
(026900) 8/13/2017 20:09:42 PM - fwaitah@iebc.or.ke (105.57.220.23)> 226 Successfully transferred "/F35B/F34B-088-KIBWEZIEAST(pg2).pdf"

Form 34B for Jomvu constituency was uploaded by multiple users, including wchebukati, as indicated by the logs below. Users nmaftah@iebc.or.ke and wchebukati@iebc.or.ke performed multiple suspicious operations on the Jomvu constituency Form 34B:

(001858) 8/9/2017 21:17:19 PM - nmaftah@iebc.or.ke (105.50.66.83)> STOR F34B-001-JOMVU.pdf
(001858) 8/9/2017 21:17:19 PM - nmaftah@iebc.or.ke (105.50.66.83)> 150 Opening data channel for file upload to server of "/F34B-001-JOMVU.pdf"
(002009) 8/9/2017 22:44:22 PM - nmaftah@iebc.or.ke (105.51.164.196)> STOR F34B-001-JOMVU.pdf
(002009) 8/9/2017 22:45:04 PM - nmaftah@iebc.or.ke (105.51.164.196)> STOR F34B-001-JOMVU-2.pdf
(002009) 8/9/2017 22:45:04 PM - nmaftah@iebc.or.ke (105.51.164.196)> 150 Opening data channel for file upload to server of "/F34B-001-JOMVU-2.pdf"
(002014) 8/9/2017 22:46:27 PM - nmaftah@iebc.or.ke (105.51.164.196)> STOR F34B-001-JOMVU-1.pdf
(002014) 8/9/2017 22:46:27 PM - nmaftah@iebc.or.ke (105.51.164.196)> 150 Opening data channel for file upload to server of "/F34B-001-JOMVU-1.pdf"
(002016) 8/9/2017 22:46:34 PM - nmaftah@iebc.or.ke (105.51.164.196)> STOR F34B-001-JOMVU-2.pdf
(002016) 8/9/2017 22:47:11 PM - nmaftah@iebc.or.ke (105.51.164.196)> STOR F34B-001-JOMVU-1.pdf
(002106) 8/9/2017 23:33:58 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-001-JOMVU-1.pdf
(002106) 8/9/2017 23:33:58 PM - wchebukati@iebc.or.ke (197.156.132.178)> 150 Opening data channel for file download from server of "/JOMVU/F34B-001-JOMVU-1.pdf"
(002106) 8/9/2017 23:34:00 PM - wchebukati@iebc.or.ke (197.156.132.178)> 226 Successfully transferred "/JOMVU/F34B-001-JOMVU-1.pdf"
(003429) 8/10/2017 13:56:54 PM - jnsogomoa@iebc.or.ke (105.230.73.10)> STOR F34B-001-006.xls
(003429) 8/10/2017 13:56:54 PM - jnsogomoa@iebc.or.ke (105.230.73.10)> 150 Opening data channel for file upload to server of "/F34B-001-006.xls"
(027169) 8/14/2017 9:04:02 AM - nmaftah@iebc.or.ke (105.49.84.101)> STOR F34B-001-JOMVU.pdf
(027169) 8/14/2017 9:04:02 AM - nmaftah@iebc.or.ke (105.49.84.101)> 150 Opening data channel for file upload to server of "/F34B-001-JOMVU.pdf"
(027169) 8/14/2017 9:04:21 AM - nmaftah@iebc.or.ke (105.49.84.101)> 226 Successfully transferred "/F34B-001-JOMVU.pdf"
(027168) 8/14/2017 9:04:41 AM - nmaftah@iebc.or.ke (105.49.84.101)> DELE F34B-001-JOMVU-2.pdf
(027168) 8/14/2017 9:04:49 AM - nmaftah@iebc.or.ke (105.49.84.101)> DELE F34B-001-JOMVU-1.pdf
(028075) 8/15/2017 0:00:20 AM - nmaftah@iebc.or.ke (105.161.64.140)> STOR F34B-001-002.pdf

(000351) 8/2/2017 17:04:13 PM - nmaftah@iebc.or.ke (105.52.103.97)> STOR Jomvu-002.xlsx
(000351) 8/2/2017 17:04:13 PM - nmaftah@iebc.or.ke (105.52.103.97)> 150 Opening data channel for file upload to server of "/Jomvu-002.xlsx"
(000351) 8/2/2017 17:04:15 PM - nmaftah@iebc.or.ke (105.52.103.97)> 226 Successfully transferred "/Jomvu-002.xlsx"
(000409) 8/2/2017 17:29:18 PM - nmaftah@iebc.or.ke (105.230.218.47)> RETR Jomvu-002.xlsx
(000409) 8/2/2017 17:29:18 PM - nmaftah@iebc.or.ke (105.230.218.47)> 150 Opening data channel for file download from server of "/Jomvu-002.xlsx"
(000409) 8/2/2017 17:29:22 PM - nmaftah@iebc.or.ke (105.230.218.47)> 226 Successfully transferred "/Jomvu-002.xlsx"
(000409) 8/2/2017 17:29:33 PM - nmaftah@iebc.or.ke (105.230.218.47)> RETR Jomvu-002.xlsx
(000409) 8/2/2017 17:29:34 PM - nmaftah@iebc.or.ke (105.230.218.47)> 150 Opening data channel for file download from server of "/Jomvu-002.xlsx"
(000409) 8/2/2017 17:29:38 PM - nmaftah@iebc.or.ke (105.230.218.47)> 226 Successfully transferred "/Jomvu-002.xlsx"
(000412) 8/2/2017 17:29:44 PM - nmaftah@iebc.or.ke (105.230.218.47)> RETR Jomvu-002.xlsx
(000412) 8/2/2017 17:29:45 PM - nmaftah@iebc.or.ke (105.230.218.47)> 150 Opening data channel for file download from server of "/Jomvu-002.xlsx"
(000412) 8/2/2017 17:29:49 PM - nmaftah@iebc.or.ke (105.230.218.47)> 226 Successfully transferred "/Jomvu-002.xlsx"
(000416) 8/2/2017 17:31:05 PM - nmaftah@iebc.or.ke (105.230.218.47)> DELE Jomvu-002.xlsx
(000419) 8/2/2017 17:32:49 PM - nmaftah@iebc.or.ke (105.230.218.47)> STOR F34B-002-JOMVU-B.pdf

Deletion of files from ftp server by various users

There were approximately 8300 delete commands run on the FileZilla FTP server between 8/8/2017 22:32:59 PM and 8/17/2017 13:09:55 PM. Out of the 8300, 7954 were successfully executed. This shows that the integrity of the FTP server was weak (if there was any at all). 1582 of the delete requests were for Form 34A and 147 were for Form 34B:

(000142) 8/2/2017 14:21:36 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000170) 8/2/2017 14:34:48 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000179) 8/2/2017 14:43:20 PM - wchebukati@iebc.or.ke (105.162.113.194)> DELE RO.csv
(000213) 8/2/2017 15:12:23 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:34 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000238) 8/2/2017 15:26:49 PM - hnjuguna@iebc.or.ke (105.50.8.3)> DELE form 34B Dummy.pdf
(000242) 8/2/2017 15:35:06 PM - hnjuguna@iebc.or.ke (105.50.8.3)> DELE form 34B Dummy.pdf
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE FORM 34 B_Constituency.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE FORM 34 B_Constituency.docx
(000264) 8/2/2017 15:50:41 PM - mgandani@iebc.or.ke (105.50.75.71)> DELE PRE FILLED FORMS.docx
(000264) 8/2/2017 15:51:03 PM - mgandani@iebc.or.ke (105.50.75.71)> DELE PRE FILLED FORMS.docx
(000277) 8/2/2017 15:56:21 PM - jmuyekho@iebc.or.ke (197.248.100.158)> DELE test.txt
(000344) 8/2/2017 16:59:05 PM - gengor@iebc.or.ke (105.165.71.113)> DELE FUNYULA-F34B.jpeg
(000373) 8/2/2017 17:15:31 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000373) 8/2/2017 17:16:01 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000373) 8/2/2017 17:16:19 PM - jkerich@iebc.or.ke (105.166.4.77)> DELE F34B-228-.pdf
(000416) 8/2/2017 17:31:05 PM - nmaftah@iebc.or.ke (105.230.218.47)> DELE Jomvu-002.xlsx
(000546) 8/2/2017 18:40:39 PM - mkaranja@iebc.or.ke (197.182.239.57)> DELE F34B-081-MACHAKOS TOWN.pdf
(000548) 8/2/2017 18:49:37 PM - mchenger@iebc.or.ke (197.183.221.198)> DELE F34B-028-149-0000-000-01.pdf
(000121) 8/4/2017 21:44:13 PM - ajarso@iebc.or.ke (196.97.147.195)> DELE KIEMS TRAINING - Final_CLERKS.ppt
(000090) 8/5/2017 16:21:07 PM - awekesa@iebc.or.ke (196.98.95.80)> DELE KIEMS KITS WITH DATA INITIALIZATION ISSUES-maragwa.xlsx
(000141) 8/5/2017 17:26:34 PM - amusau@iebc.or.ke (105.62.78.107)> DELE F34B-097-OTHAYA.jpg
(000159) 8/5/2017 17:32:03 PM - mnandokha@iebc.or.ke (105.164.168.143)> DELE F34B-234-ALEGO USONGA.pdf
(000173) 8/5/2017 17:40:23 PM - gatieno@iebc.or.ke (105.56.8.62)> DELE F34B-179-NAROK NORTH.pdf
(000173) 8/5/2017 17:40:35 PM - gatieno@iebc.or.ke (105.56.8.62)> DELE F34B-179-NAROK NORTH.pdf
(000196) 8/5/2017 17:56:43 PM - mmalonza@iebc.or.ke (196.101.35.204)> DELE 2017KIEMS_IEBC_ID Clerk_EVI_Memo_5.3.pdf
(000196) 8/5/2017 17:58:00 PM - mmalonza@iebc.or.ke (196.101.35.204)> DELE 2017KIEMS_IEBC_ID Clerk_EVI_Memo_5.3.pdf
(000217) 8/5/2017 19:31:07 PM - egitau@iebc.or.ke (196.98.40.239)> DELE F34-101-MARAGWA.pdf
(000237) 8/5/2017 20:59:01 PM - pmauta@iebc.or.ke (105.163.251.70)> DELE desktop.ini
(000306) 8/5/2017 22:54:15 PM - mmaalim@iebc.or.ke (105.162.226.165)> DELE F34B-031-FAFI.pdf
(000346) 8/6/2017 10:04:06 AM - rngeny@iebc.or.ke (196.101.94.134)> DELE ANNEX - RTS QRC for Transmission 08_Jul_2017 (2).pptx
(000349) 8/6/2017 10:10:55 AM - wchebukati@iebc.or.ke (41.212.16.248)> DELE ANNEX - RTS QRC for Transmission 08_Jul_2017 (2).pptx
(000350) 8/6/2017 10:15:18 AM - tmuhu@iebc.or.ke (105.166.218.253)> DELE 20170806020030.pdf
(000179) 8/7/2017 9:00:04 AM - dmbui@iebc.or.ke (196.105.98.123)> DELE s
(000409) 8/7/2017 16:27:38 PM - (not logged in) (165.227.28.39)> DELE EPRT EPSV FEAT HASH HELP LIST MDTM
(000802) 8/8/2017 22:32:59 PM - anankeyai@iebc.or.ke (105.62.214.31)> DELE FORM 32A (1).docx
(000914) 8/9/2017 1:25:00 AM - rmakazi@iebc.or.ke (196.104.202.131)> DELE FRM 34A04929214510101.pdf
(000914) 8/9/2017 1:25:00 AM - rmakazi@iebc.or.ke (196.104.202.131)> DELE FRM 34A04929214510111.pdf
(000962) 8/9/2017 3:04:03 AM - jgitagama@iebc.or.ke (196.106.121.156)> DELE KIEMS RETRIEVAL.pdf
(000962) 8/9/2017 3:04:28 AM - jgitagama@iebc.or.ke (196.106.121.156)> DELE KIEMS RETRIEVAL.pdf
(001126) 8/9/2017 12:24:41 PM - wchebukati@iebc.or.ke (197.156.132.178)> DELE F34B-191-Bureti.pdf
(001218) 8/9/2017 15:26:36 PM - robari@iebc.or.ke (105.162.191.232)> DELE edms4 - Shortcut.lnk
(001253) 8/9/2017 16:57:31 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001253) 8/9/2017 16:58:16 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001257) 8/9/2017 17:01:21 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001324) 8/9/2017 17:27:12 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST.pdf
(001335) 8/9/2017 17:33:11 PM - schepchumba@iebc.or.ke (196.100.29.56)> DELE F34B-196-BOMET EAST_1.pdf
(001551) 8/9/2017 18:38:48 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-Sigowet Soin.pdf
(001551) 8/9/2017 18:38:55 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-SIGOWETSOIN.pdf
(001551) 8/9/2017 18:39:08 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-Sigowet Soin.pdf
(001551) 8/9/2017 18:39:09 PM - bevelya@iebc.or.ke (196.105.141.6)> DELE F34B-193-SIGOWETSOIN.pdf
(001617) 8/9/2017 18:52:21 PM - bevelya@iebc.or.ke (196.104.194.114)> DELE F34B-193-Sigowet Soin.pdf
(001770) 8/9/2017 20:11:15 PM - gengor@iebc.or.ke (196.96.215.186)> DELE F34B-230-FUNYULA2.pdf
(001796) 8/9/2017 20:34:11 PM - gengor@iebc.or.ke (196.96.215.186)> DELE F34B-230-FUNYULA2.pdf
(001804) 8/9/2017 20:38:24 PM - ewanjohi@iebc.or.ke (105.57.181.194)> DELE F34B-098-MUKURWEI-INI.pdf
(001839) 8/9/2017 21:10:02 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001849) 8/9/2017 21:14:32 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001849) 8/9/2017 21:14:34 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001849) 8/9/2017 21:16:38 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001849) 8/9/2017 21:16:38 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001887) 8/9/2017 21:30:26 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf
(001887) 8/9/2017 21:30:26 PM - lmogoi@iebc.or.ke (196.105.222.122)> DELE F34B-254-AWENDO.pdf.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-001-01.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-002-01.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-002-02.pdf
(001956) 8/9/2017 22:02:27 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-006-02.pdf
(001956) 8/9/2017 22:02:28 PM - lokoth@iebc.or.ke (196.98.142.161)> DELE F34A-033-178-0887-011-01.pdf

The user jmwii@iebc.or.ke, who is the CEC for LAIKIPIA WEST constituency, logged into the system on 8/10/2017 at 17:12:22 PM and deleted the file F34B-163-LAIKIPIAWEST.pdf. A CEC should not be able to DELETE at all (poor security measure). He then renamed the file F34B-031-163-LAIKIPIAWEST.pdf (to F34B-163-LAIKIPIAWEST.pdf, per the RNFR/RNTO lines below). This compromises the integrity of the file.

(004192) 8/10/2017 17:12:22 PM - (not logged in) (41.81.109.161)> USER jmwii@iebc.or.ke
(004192) 8/10/2017 17:12:22 PM - (not logged in) (41.81.109.161)> 331 Password required for jmwii@iebc.or.ke
(004192) 8/10/2017 17:12:22 PM - jmwii@iebc.or.ke (41.81.109.161)> 230 Logged on
(004192) 8/10/2017 17:12:22 PM - jmwii@iebc.or.ke (41.81.109.161)> CWD /
(004192) 8/10/2017 17:12:22 PM - jmwii@iebc.or.ke (41.81.109.161)> 250 CWD successful. "/" is current directory.
(004192) 8/10/2017 17:12:23 PM - jmwii@iebc.or.ke (41.81.109.161)> DELE F34B-163-LAIKIPIAWEST.pdf
(004192) 8/10/2017 17:12:23 PM - jmwii@iebc.or.ke (41.81.109.161)> 250 File deleted successfully
(004184) 8/10/2017 17:12:51 PM - jmwii@iebc.or.ke (41.81.109.161)> disconnected.
(004192) 8/10/2017 17:12:54 PM - jmwii@iebc.or.ke (41.81.109.161)> RNFR F34B-031-163-LAIKIPIAWEST.pdf
(004192) 8/10/2017 17:12:54 PM - jmwii@iebc.or.ke (41.81.109.161)> 350 File exists, ready for destination name.
(004192) 8/10/2017 17:12:54 PM - jmwii@iebc.or.ke (41.81.109.161)> RNTO F34B-163-LAIKIPIAWEST.pdf
(004192) 8/10/2017 17:12:54 PM - jmwii@iebc.or.ke (41.81.109.161)> 250 file renamed successfully
(004192) 8/10/2017 17:14:55 PM - jmwii@iebc.or.ke (41.81.109.161)> 421 Connection timed out.
(004192) 8/10/2017 17:14:55 PM - jmwii@iebc.or.ke (41.81.109.161)> disconnected.
(019028) 8/11/2017 13:13:38 PM - (not logged in) (105.165.157.174)> USER jmwii@iebc.or.ke

The logs below show deletion commands on files that had been uploaded. The Form 34B for Changamwe appears to be a .xlsx file, which indicates that the system had no mechanism to ensure that only images were uploaded. This further challenges the integrity of the system, on top of the ability of CECs to delete data. .docx files are also present in the uploads (compared to images, .docx and .xlsx files cannot carry the barcodes used for authentication and can be edited easily).

(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> 150 Opening data channel for file upload to server of "/F34B-001-Changamwe.xlsx"
(000204) 8/2/2017 15:07:36 PM - asenge@iebc.or.ke (197.180.213.212)> 226 Successfully transferred "/F34B-001-Changamwe.xlsx"
(000208) 8/2/2017 15:09:27 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000214) 8/2/2017 15:11:53 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:23 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000213) 8/2/2017 15:12:34 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-Changamwe.xlsx
(000253) 8/2/2017 15:44:27 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000253) 8/2/2017 15:44:39 PM - ekitum@iebc.or.ke (196.103.250.178)> DELE F34B-151-TINDERET.docx
(000336) 8/2/2017 16:54:30 PM - mlempaka@iebc.or.ke (105.166.230.78)> STOR F34B-179-NAROK NORTH.pdf
(000336) 8/2/2017 16:54:30 PM - mlempaka@iebc.or.ke (105.166.230.78)> 150 Opening data channel for file upload to server of "/F34B-179-NAROK NORTH.pdf"
(000336) 8/2/2017 16:54:36 PM - mlempaka@iebc.or.ke (105.166.230.78)> 226 Successfully transferred "/F34B-179-NAROK NORTH.pdf"
(000343) 8/2/2017 16:57:39 PM - mgandani@iebc.or.ke (105.50.75.71)> STOR F34B-001-004-0016-001-01.jpg
(000343) 8/2/2017 16:57:39 PM - mgandani@iebc.or.ke (105.50.75.71)> 150 Opening data channel for file upload to server of "/F34B-001-004-0016-001-01.jpg"
(000343) 8/2/2017 16:59:40 PM - mgandani@iebc.or.ke (105.50.75.71)> 226 Successfully transferred "/F34B-001-004-0016-001-01.jpg"
(000354) 8/2/2017 17:06:43 PM - mgandani@iebc.or.ke (105.50.75.71)> STOR F34B-001-004-0016-001-01.pdf

From the logs, on 8/9/2017 the user wchebukati@iebc.or.ke retrieves the file F34B-191-Bureti.pdf at 10:28:31 AM. The user ponyango@iebc.or.ke uploaded the file at 11:00:53 AM and again at 11:01:22 AM. The user wchebukati@iebc.or.ke retrieved the file at 12:02:13 PM, then uploaded it at 12:02:20 PM. He then renamed the file, uploads it again, then deletes it, then uploads it again using an IP address that is not part of the infrastructure (41.212.16.248 - wananchi network). The users at the national tally centre should only have read access to the data, as outlined in the IEBC business requirements. This clearly shows how the system was compromised.
(001093) 8/9/2017 10:28:31 AM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001108) 8/9/2017 11:00:53 AM - ponyango@iebc.or.ke (105.162.252.214)> STOR F34B-191-Bureti.pdf
(001109) 8/9/2017 11:01:22 AM - ponyango@iebc.or.ke (105.162.252.214)> STOR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:02:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:02:20 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001115) 8/9/2017 12:03:10 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001120) 8/9/2017 12:06:54 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001120) 8/9/2017 12:07:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RETR F34B-191-Bureti.pdf
(001119) 8/9/2017 12:07:57 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001119) 8/9/2017 12:08:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001121) 8/9/2017 12:08:32 PM - wchebukati@iebc.or.ke (197.156.132.178)> RNFR F34B-191-Bureti.pdf
(001122) 8/9/2017 12:18:13 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001123) 8/9/2017 12:18:34 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001127) 8/9/2017 12:24:18 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(001126) 8/9/2017 12:24:41 PM - wchebukati@iebc.or.ke (197.156.132.178)> DELE F34B-191-Bureti.pdf
(001130) 8/9/2017 12:25:40 PM - wchebukati@iebc.or.ke (197.156.132.178)> STOR F34B-191-Bureti.pdf
(026419) 8/13/2017 12:57:44 PM - wchebukati@iebc.or.ke (41.212.16.248)> RETR F34B-191-Bureti.pdf

Usage of the user wchebukati@iebc.or.ke from the external IP address

One thing noticed is that the user wchebukati@iebc.or.ke on numerous occasions logged into the FTP server using the IP address 41.212.16.248 (assigned to wananchi telecoms and not part of the IEBC network). From the logs, it is evident that the user wchebukati@iebc.or.ke, using the IP address 41.212.16.248, used the system extensively between 8/6/2017 10:10:43 AM and 8/13/2017 16:15:50 PM. The logs below demonstrate the events (subset):

(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> Connected on port 21, sending welcome message...
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220-FileZilla Server 0.9.60 beta
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 220 Please visit https://filezilla-project.org/
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> AUTH TLS
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 234 Using authentication type TLS
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> TLS connection established
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> USER wchebukati@iebc.or.ke
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> 331 Password required for wchebukati@iebc.or.ke
(000349) 8/6/2017 10:10:43 AM - (not logged in) (41.212.16.248)> PASS **************
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 230 Logged on
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> SYST
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 215 UNIX emulated by FileZilla
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> FEAT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 211-Features:
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MDTM
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> REST STREAM
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> SIZE
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MLST type*;size*;modify*;
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MLSD
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> AUTH SSL
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> AUTH TLS
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PROT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PBSZ
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> UTF8
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> CLNT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> MFMT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> EPSV
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> EPRT
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 211 End
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PBSZ 0
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 200 PBSZ=0
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> PROT P
(000349) 8/6/2017 10:10:43 AM - wchebukati@iebc.or.ke (41.212.16.248)> 200 Protection level set to P
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> TYPE I
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 200 Type set to I
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> PASV
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 227 Entering Passive Mode (197,156,132,102,252,219)
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> MLSD
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 150 Opening data channel for directory listing of "/KISUMU CENTRAL"
(026679) 8/13/2017 16:05:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 226 Successfully transferred "/KISUMU CENTRAL"
(026679) 8/13/2017 16:15:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> 421 No-transfer-time exceeded. Closing control connection.
(026679) 8/13/2017 16:15:50 PM - wchebukati@iebc.or.ke (41.212.16.248)> disconnected.

Various modified forms in the system

The command for renaming files, RNFR, was executed 188 times by various users between 8/2/2017 17:15:18 PM and 8/16/2017 9:52:27 AM:
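
The checks this report's findings rest on (logins from addresses outside the IEBC inventory, one account seen from several addresses, the same Form 34B uploaded repeatedly, counts of DELE and RNFR commands and of deletes the server confirmed, uploads of editable .xlsx/.docx files, and writes by accounts that the business requirements say should be read-only) can be run mechanically over the raw FileZilla Server 0.9.x log. The Python below is an added example and is not part of this report or of FileZilla. Its log lines are constructed in the same layout as the excerpts above; the address inventory, the allowed file types, the account roles and the commands each role may issue are assumptions, labelled as such in the code.

```python
"""Triage checks over FileZilla Server log lines (added example, not part of the report).

The log lines below are constructed in the layout of the report's excerpts; the address
inventory, allowed upload types and role policy are assumptions."""
import os
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# One FileZilla Server 0.9.x log line: (session) date time - user (ip)> message
LINE_RE = re.compile(r"^\((?P<sid>\d+)\) (?P<date>\S+) (?P<time>\S+ [AP]M) - "
                     r"(?P<user>.+?) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$")

# Constructed sample: 198.51.100.0/24 stands in for the IEBC inventory and
# 203.0.113.7 for an address outside it (both are documentation ranges).
SAMPLE_LOG = """\
(000001) 8/9/2017 10:00:01 AM - cec1@example.org (198.51.100.10)> 230 Logged on
(000001) 8/9/2017 10:00:05 AM - cec1@example.org (198.51.100.10)> STOR F34B-001-EXAMPLE.pdf
(000002) 8/9/2017 10:05:00 AM - cec1@example.org (203.0.113.7)> 230 Logged on
(000002) 8/9/2017 10:05:02 AM - cec1@example.org (203.0.113.7)> STOR F34B-001-EXAMPLE.pdf
(000002) 8/9/2017 10:05:09 AM - cec1@example.org (203.0.113.7)> DELE F34B-001-EXAMPLE.pdf
(000002) 8/9/2017 10:05:09 AM - cec1@example.org (203.0.113.7)> 250 File deleted successfully
(000003) 8/9/2017 11:00:00 AM - cec2@example.org (198.51.100.11)> 230 Logged on
(000003) 8/9/2017 11:00:03 AM - cec2@example.org (198.51.100.11)> STOR F34B-002-EXAMPLE.xlsx
(000003) 8/9/2017 11:00:10 AM - cec2@example.org (198.51.100.11)> RNFR F34B-002-EXAMPLE.xlsx
(000003) 8/9/2017 11:00:12 AM - cec2@example.org (198.51.100.11)> DELE missing.pdf
(000003) 8/9/2017 11:00:12 AM - cec2@example.org (198.51.100.11)> 550 File not found
(000004) 8/9/2017 12:00:00 PM - ntc1@example.org (198.51.100.20)> 230 Logged on
(000004) 8/9/2017 12:00:30 PM - ntc1@example.org (198.51.100.20)> STOR F34B-001-EXAMPLE.pdf
"""

INVENTORY = [ip_network("198.51.100.0/24")]             # assumed IEBC address ranges
ALLOWED_UPLOAD_EXTS = {".pdf", ".jpg", ".jpeg", ".png"}   # assumed scanned-form types
# Assumed roles and policy: CECs read and upload, national tally centre (NTC) reads only.
ROLE_OF = {"cec1@example.org": "CEC", "cec2@example.org": "CEC", "ntc1@example.org": "NTC"}
ALLOWED_CMDS = {"CEC": {"RETR", "STOR"}, "NTC": {"RETR"}}
FILE_CMDS = {"RETR", "STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

def parse(text):
    """One dict per line that matches the layout; anything else is skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["user"] = None if r["user"] == "(not logged in)" else r["user"].lower()
            recs.append(r)
    return recs

def commands(recs):
    """Yield (record, VERB, argument) for client commands; replies start with a 3-digit code."""
    for r in recs:
        verb, _, arg = r["msg"].partition(" ")
        if not verb[:3].isdigit():
            yield r, verb.upper(), arg

def foreign_logins(recs, inventory=INVENTORY):
    """(user, ip) pairs that logged on from outside the address inventory."""
    return {(r["user"], r["ip"]) for r in recs if r["msg"] == "230 Logged on"
            and not any(ip_address(r["ip"]) in net for net in inventory)}

def users_with_multiple_ips(recs):
    """Accounts seen from more than one source address (kits are meant to be static)."""
    seen = defaultdict(set)
    for r in recs:
        if r["user"]:
            seen[r["user"]].add(r["ip"])
    return {u: ips for u, ips in seen.items() if len(ips) > 1}

def delete_and_rename_stats(recs):
    """Count DELE/RNFR commands, deletes the server confirmed, and the form type deleted."""
    stats, last_cmd = Counter(), {}           # last_cmd: session id -> last client verb
    for r in recs:
        verb = r["msg"].partition(" ")[0].upper()
        if verb in ("DELE", "RNFR"):
            stats[verb] += 1
            if verb == "DELE":
                stats["DELE_34A"] += "34A" in r["msg"].upper()
                stats["DELE_34B"] += "34B" in r["msg"].upper()
        elif r["msg"] == "250 File deleted successfully" and last_cmd.get(r["sid"]) == "DELE":
            stats["DELE_OK"] += 1               # reply paired with the DELE of the same session
        if not verb[:3].isdigit():
            last_cmd[r["sid"]] = verb
    return stats

def disallowed_uploads(recs, allowed=ALLOWED_UPLOAD_EXTS):
    """STOR of an editable type (.xlsx, .docx, ...) that cannot carry a scanned form's barcode."""
    return [(r["user"], arg) for r, verb, arg in commands(recs)
            if verb == "STOR" and os.path.splitext(arg)[1].lower() not in allowed]

def repeated_uploads(recs):
    """(user, filename) pairs the same account uploaded more than once."""
    count = Counter((r["user"], arg) for r, verb, arg in commands(recs) if verb == "STOR")
    return {key: n for key, n in count.items() if n > 1}

def policy_violations(recs, role_of=ROLE_OF, allowed=ALLOWED_CMDS):
    """File operations the account's role does not permit (deletes, renames, NTC writes)."""
    return [(r["user"], verb, arg) for r, verb, arg in commands(recs)
            if verb in FILE_CMDS and r["user"]
            and verb not in allowed.get(role_of.get(r["user"]), set())]
```

Run against a real log, the delete counter pairs each "250 File deleted successfully" with the DELE issued in the same session, which is what distinguishes the deletes that were executed from those merely attempted; the policy check flags every delete and rename, since no role in the assumed policy is allowed either. Swap the constructed inventory, extensions and role table for the real ones before use.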

(008284) 8/10/2017 21:30:05 PM - fmugo@iebc.or.ke (196.100.175.139)> RNFR F34-014-063-0311-008-01.pdf
(008392) 8/10/2017 21:30:27 PM - fmugo@iebc.or.ke (196.100.175.139)> RNFR F34-014-063-0311-008-01.pdf
(008392) 8/10/2017 21:33:33 PM - fmugo@iebc.or.ke (196.100.175.139)> RNFR F34A-014-063-013-064-02.pdf
(012923) 8/11/2017 0:23:39 AM - ajarso@iebc.or.ke (196.99.108.83)> RNFR F34B-014-064-RUNYENJES.pdf
(014932) 8/11/2017 6:00:07 AM - smeiguran@iebc.or.ke (196.103.25.211)> RNFR FORM 34B 043-252-SUBA SOUTH.pdf
(014932) 8/11/2017 6:01:17 AM - smeiguran@iebc.or.ke (196.103.25.211)> RNFR FORM _34B 043-252-SUBA SOUTH.pdf
(014932) 8/11/2017 6:02:00 AM - smeiguran@iebc.or.ke (196.103.25.211)> RNFR FORM 34B 043-252 SUBA SOUTH P3.pdf
(014932) 8/11/2017 6:02:34 AM - smeiguran@iebc.or.ke (196.103.25.211)> RNFR FORM 34B 043-252 SUBA SOUTH.pdf
(015469) 8/11/2017 8:49:12 AM - fmugo@iebc.or.ke (105.161.122.163)> RNFR F34A-014-063-01313-064-02.pdf
(017333) 8/11/2017 10:23:27 AM - jmasindet@iebc.or.ke (196.98.156.70)> RNFR F34A-030-158-0788-004-01.pdf
(017333) 8/11/2017 10:24:13 AM - jmasindet@iebc.or.ke (196.98.156.70)> RNFR F34A-030-158-0788-020-01.pdf
(017333) 8/11/2017 10:24:54 AM - jmasindet@iebc.or.ke (196.98.156.70)> RNFR F34A-030-158-0788-020-01.pdf
(018296) 8/11/2017 12:05:18 PM - msimiyu@iebc.or.ke (105.231.168.48)> RNFR 2017GE FORM 34A SCANNED
(018669) 8/11/2017 12:36:57 PM - irutto@iebc.or.ke (105.163.119.120)> RNFR New folder
(018773) 8/11/2017 12:50:56 PM - irutto@iebc.or.ke (105.163.119.120)> RNFR form32A
(019028) 8/11/2017 13:17:26 PM - jmwii@iebc.or.ke (105.165.157.174)> RNFR EDMS
(019539) 8/11/2017 14:08:56 PM - lseina@iebc.or.ke (196.96.36.68)> RNFR F34A-030-161-0803-087-01.pdf
(019844) 8/11/2017 14:38:55 PM - mwekesa@iebc.or.ke (105.50.179.149)> RNFR F34-147-MARAKET-EAST
(019915) 8/11/2017 14:49:01 PM - jmugambi@iebc.or.ke (196.97.255.40)> RNFR F34A-019-099-0493-039-02.pdf
(020166) 8/11/2017 15:29:10 PM - irutto@iebc.or.ke (105.160.230.130)> RNFR form32Amalava
(020705) 8/11/2017 17:56:41 PM - jnamunyak@iebc.or.ke (105.161.216.149)> RNFR F34
(020786) 8/11/2017 18:05:48 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0462-009-02.pdf
(020786) 8/11/2017 18:06:05 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0462-017-01.pdf
(020786) 8/11/2017 18:06:17 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0462-019-01.pdf
(020786) 8/11/2017 18:06:27 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0462-020-01.pdf
(020786) 8/11/2017 18:06:37 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0463-021-01.pdf
(020786) 8/11/2017 18:06:47 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0463-022-01.pdf
(020786) 8/11/2017 18:06:56 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0463-025-02.pdf
(020786) 8/11/2017 18:07:05 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0463-027-01.pdf
(020786) 8/11/2017 18:07:17 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-0463-029-02.pdf
(020786) 8/11/2017 18:07:29 PM - nnamu@iebc.or.ke (196.106.82.215)> RNFR F34A-093-
0464-036-01.pdf
(021244) 8/11/2017 18:59:44 PM - pmuigai@iebc.or.ke (105.62.15.82)> RNFR F34A-087-
KIBWEZIWEST (10).pdf
(024189) 8/12/2017 9:38:30 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-003-02.pdf
(024189) 8/12/2017 9:39:34 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1340-060-01.pdf
(024189) 8/12/2017 9:39:47 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-001-01.pdf
(024189) 8/12/2017 9:39:58 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-004-01.pdf
(024189) 8/12/2017 9:40:13 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-005-01.pdf
(024189) 8/12/2017 9:40:24 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-005-02.pdf
(024189) 8/12/2017 9:40:35 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-006-02.pdf
(024189) 8/12/2017 9:40:43 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-008-01.pdf
(024189) 8/12/2017 9:40:53 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-010-03.pdf
(024189) 8/12/2017 9:41:05 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-016-02.pdf
(024189) 8/12/2017 9:41:12 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1337-021-02.pdf
(024189) 8/12/2017 9:41:21 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-022-01.pdf
(024189) 8/12/2017 9:41:30 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-026-01.pdf
(024189) 8/12/2017 9:41:40 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-028-01.pdf
(024189) 8/12/2017 9:41:50 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-029-01.pdf
(024189) 8/12/2017 9:41:58 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-031-01.pdf
(024189) 8/12/2017 9:42:05 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-032-01.pdf
(024189) 8/12/2017 9:42:14 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-033-01.pdf
(024189) 8/12/2017 9:42:22 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-034-02.pdf
(024189) 8/12/2017 9:42:29 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-035-01.pdf
(024189) 8/12/2017 9:42:41 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-036-02.pdf
(024189) 8/12/2017 9:42:49 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-040-01.pdf
(024189) 8/12/2017 9:42:56 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1340-063-01.pdf
(024189) 8/12/2017 9:43:12 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1340-063-02.pdf
(024189) 8/12/2017 9:43:20 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1340-066-01.pdf
(024200) 8/12/2017 10:02:53 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1338-036-01.pdf
(024200) 8/12/2017 10:03:26 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F43A-045-268-
1339-048-01.pdf
(024203) 8/12/2017 10:11:01 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F34A-045-268-
1337-021-02.pdf
(024204) 8/12/2017 10:24:52 AM - emaru@iebc.or.ke (196.105.78.81)> RNFR F34A-045-268-
1340-060-01.pdf
(025943) 8/12/2017 20:01:15 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM 34Bs
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
144-(PRESIDENT AINABKOI CONSTITUENCY).pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
144-SENATOR, UG COUNTY.pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
GOVERNOR, UG COUNTY.pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
WOMEN, UG COUNTY.pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM35B-027-
144-MNA AINABKOI CONSTITUENCY.pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM36B-027-
144-0719(KAPSOYA WARD).pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM36B-027-
144-0720(KAPTAGAT WARD).pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM36B-027-
144-0721(AINABKOI OLARE WARD).pdf
(025943) 8/12/2017 20:05:47 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM37B-027-
144 FOR GOVERNOR UG COUNTY.pdf
(025943) 8/12/2017 20:06:34 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
144-SENATOR, UG COUNTY.pdf
(025943) 8/12/2017 20:06:49 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
GOVERNOR, UG COUNTY.pdf
(025943) 8/12/2017 20:07:00 PM - bchesang@iebc.or.ke (105.49.8.70)> RNFR FORM34B-027-
WOMEN, UG COUNTY.pdf
(026040) 8/12/2017 21:04:21 PM - lmbithe@iebc.or.ke (197.179.133.123)> RNFR F34A-016-
075-0375-124-01.pdf
(026199) 8/13/2017 6:15:17 AM - gnoor@iebc.or.ke (105.49.14.54)> RNFR PRESIDENT
(026581) 8/13/2017 14:57:26 PM - anankeyai@iebc.or.ke (154.122.194.105)> RNFR F39A-
183-1911-KAJIADONORTH.pdf
(026742) 8/13/2017 17:22:55 PM - jmasindet@iebc.or.ke (105.166.96.106)> RNFR F34A-158 -
Baringo North
(026740) 8/13/2017 17:23:38 PM - lseina@iebc.or.ke (105.166.96.106)> RNFR F34A-030-161-
0000-000-00
(027661) 8/14/2017 15:41:39 PM - lchebii@iebc.or.ke (196.99.43.8)> RNFR F34A FINAL
(027673) 8/14/2017 15:52:39 PM - nmaftah@iebc.or.ke (105.230.89.142)> RNFR Invalid
Results Declaration forms
(027701) 8/14/2017 16:14:36 PM - lchebii@iebc.or.ke (196.106.153.96)> RNFR F38A
(027701) 8/14/2017 16:14:40 PM - lchebii@iebc.or.ke (196.106.153.96)> RNFR F38A
(027915) 8/14/2017 18:22:25 PM - rnjoki@iebc.or.ke (196.97.139.47)> RNFR F34A-022-0592-
012-01.pdf
(028105) 8/15/2017 9:18:24 AM - vlekopole@iebc.or.ke (105.61.27.42)> RNFR F34A-021-`110-
0545-010-1.pdf
(028380) 8/15/2017 10:41:11 AM - vlekopole@iebc.or.ke (105.63.18.81)> RNFR F34A-021-
`110-0545-010-1.pdf
(028911) 8/15/2017 12:30:42 PM - rnjoki@iebc.or.ke (105.59.221.129)> RNFR F34A-022-199-
0591-003-05.pdf
(029015) 8/15/2017 12:55:12 PM - anankeyai@iebc.or.ke (154.122.58.26)> RNFR F36A-034-
183-0911-008-003.pdf
(029015) 8/15/2017 12:55:27 PM - anankeyai@iebc.or.ke (154.122.58.26)> RNFR F36A-034-
183-0911_001-01.pdf
(029047) 8/15/2017 13:05:31 PM - anankeyai@iebc.or.ke (154.122.58.26)> RNFR F36A-034-
183-0911_001-02.pdf

Mismatch in file types uploaded to FTP server

There was a mismatch in the file types uploaded to the server: .docx, .pdf, .jpg and .xlsx files were all present.
If the forms were scanned images, we would expect .jpg only! The .docx and .xlsx formats are
editable.

(029108) 8/15/2017 13:20:41 PM - bmutali@iebc.or.ke (105.162.12.247)> 150 Opening data channel for file upload to server of "/F34A-125-TURKANA CENTRAL/~$rm 34A.docx"
(029108) 8/15/2017 13:20:41 PM - bmutali@iebc.or.ke (105.162.12.247)> 226 Successfully
transferred "/F34A-125-TURKANA CENTRAL/~$rm 34A.docx"
(029108) 8/15/2017 13:21:11 PM - bmutali@iebc.or.ke (105.162.12.247)> RETR ~$rm
34A.docx
(029108) 8/15/2017 13:21:11 PM - bmutali@iebc.or.ke (105.162.12.247)> 150 Opening data
channel for file download from server of "/F34A-125-TURKANA CENTRAL/~$rm 34A.docx"
(029108) 8/15/2017 13:21:11 PM - bmutali@iebc.or.ke (105.162.12.247)> 226 Successfully
transferred "/F34A-125-TURKANA CENTRAL/~$rm 34A.docx"
(000173) 8/1/2017 21:03:22 PM - skurui@iebc.or.ke (154.122.122.67)> DELE ITIL-
Practioner.pdf
(000280) 8/2/2017 10:40:32 AM - wchebukati@iebc.or.ke (10.1.18.216)> RETR IEBC CRMS
GUIDE.pdf
(000280) 8/2/2017 10:40:32 AM - wchebukati@iebc.or.ke (10.1.18.216)> 150 Opening data
channel for file download from server of "/AINAMOI/IEBC CRMS GUIDE.pdf"
(000280) 8/2/2017 10:40:32 AM - wchebukati@iebc.or.ke (10.1.18.216)> 226 Successfully
transferred "/AINAMOI/IEBC CRMS GUIDE.pdf"
(000083) 8/2/2017 13:28:44 PM - egitau@iebc.or.ke (197.180.129.47)> STOR F34-101-
MARAGWA.pdf
(000083) 8/2/2017 13:28:44 PM - egitau@iebc.or.ke (197.180.129.47)> 150 Opening data
channel for file upload to server of "/F34-101-MARAGWA.pdf"
(000083) 8/2/2017 13:28:45 PM - egitau@iebc.or.ke (197.180.129.47)> 226 Successfully
transferred "/F34-101-MARAGWA.pdf"
(000112) 8/2/2017 13:47:52 PM - ponyango@iebc.or.ke (196.101.30.170)> STOR Program at
the Bomas Tallying Center.pdf
(000112) 8/2/2017 13:47:52 PM - ponyango@iebc.or.ke (196.101.30.170)> 150 Opening data
channel for file upload to server of "/Program at the Bomas Tallying Center.pdf"
(000112) 8/2/2017 13:47:58 PM - ponyango@iebc.or.ke (196.101.30.170)> 226 Successfully
transferred "/Program at the Bomas Tallying Center.pdf"
(000234) 8/2/2017 15:25:16 PM - hnjuguna@iebc.or.ke (105.50.8.3)> STOR form 34B
Dummy.pdf
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-
Changamwe.xlsx
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> 150 Opening data
channel for file upload to server of "/F34B-001-Changamwe.xlsx"
(000204) 8/2/2017 15:07:36 PM - asenge@iebc.or.ke (197.180.213.212)> 226 Successfully
transferred "/F34B-001-Changamwe.xlsx"
(000208) 8/2/2017 15:09:27 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-
Changamwe.xlsx
(000214) 8/2/2017 15:11:53 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-
Changamwe.xlsx
(000213) 8/2/2017 15:12:23 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-
Changamwe.xlsx
(000213) 8/2/2017 15:12:34 PM - asenge@iebc.or.ke (197.180.213.212)> DELE F34B-001-
Changamwe.xlsx
(000351) 8/2/2017 17:04:13 PM - nmaftah@iebc.or.ke (105.52.103.97)> STOR Jomvu-002.xlsx

Admin access to the server by a CEC from Bomet under the user name vkimelil@iebc.or.ke
The user vkimelil@iebc.or.ke, who is a CEC, made a large number of modifications from 8/1/2017 20:34:28
PM to 8/11/2017 4:41:00 AM. The user also connected from several different IP addresses, at one point even
from the reserved address 10.0.1.16 (not reachable from the internet).
According to the logs, the user vkimelil@iebc.or.ke also installs applications on the server. Installation
of software applications should be done only by the admin or superuser.

(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> SIZE /Desktop/CANON/SW_DVD5_Win_Pro_7w_SP1_64BIT_English_-2_MLF_X17-59279.ISO
(001459) 8/9/2017 18:10:25 PM - vkimelil@iebc.or.ke (196.104.216.23)> STOR
/Desktop/CANON/SW_DVD5_Win_Pro_7w_SP1_64BIT_English_-2_MLF_X17-59279.ISO
(001566) 8/9/2017 18:39:41 PM - vkimelil@iebc.or.ke (196.100.169.223)> SIZE
/Desktop/WINDOWS/SOURCES/MIGISOL.DLL
(001566) 8/9/2017 18:39:41 PM - vkimelil@iebc.or.ke (196.100.169.223)> STOR
/Desktop/WINDOWS/SOURCES/MIGISOL.DLL
(001635) 8/9/2017 18:56:29 PM - vkimelil@iebc.or.ke (196.100.169.223)> SIZE
/Desktop/WINDOWS/SUPPORT/MIGWIZ/MIGISOL.DLL
(001635) 8/9/2017 18:56:29 PM - vkimelil@iebc.or.ke (196.100.169.223)> STOR
/Desktop/WINDOWS/SUPPORT/MIGWIZ/MIGISOL.DLL
(001456) 8/9/2017 18:10:00 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 Can't create
directory. Permission denied
(001456) 8/9/2017 18:10:00 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD
/Desktop/CANON
(001456) 8/9/2017 18:10:00 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop/CANON": directory not found.
(001456) 8/9/2017 18:10:00 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /Desktop
(001456) 8/9/2017 18:10:00 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop": directory not found.
(001459) 8/9/2017 18:10:24 PM - (not logged in) (196.104.216.23)> USER
VKimelil@IEBC.OR.KE
(001459) 8/9/2017 18:10:24 PM - (not logged in) (196.104.216.23)> 331 Password required for
vkimelil@iebc.or.ke
(001460) 8/9/2017 18:10:24 PM - (not logged in) (196.104.216.23)> USER
VKimelil@IEBC.OR.KE
(001460) 8/9/2017 18:10:24 PM - (not logged in) (196.104.216.23)> 331 Password required for
vkimelil@iebc.or.ke
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 230 Logged on
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 230 Logged on
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> PBSZ 0
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 200 PBSZ=0
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> PBSZ 0
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 200 PBSZ=0
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> PROT P
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 200 Protection level
set to P
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> PROT P
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 200 Protection level
set to P
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /Desktop
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop": directory not found.
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD
/Desktop/CANON
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop/CANON": directory not found.
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 250 CWD successful.
"/" is current directory.
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /Desktop
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop": directory not found.
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 250 CWD successful.
"/" is current directory.
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> MKD Desktop
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 Can't create
directory. Permission denied
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> MKD Desktop
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 Can't create
directory. Permission denied
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD
/Desktop/CANON
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop/CANON": directory not found.
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD
/Desktop/CANON
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop/CANON": directory not found.
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> SIZE
/Desktop/CANON/SW_DVD5_Win_Pro_7w_SP1_64BIT_English_-2_MLF_X17-59279.ISO
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 File not found
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /Desktop
(001460) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> 550 CWD failed.
"/Desktop": directory not found.
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> TYPE I
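The findings above (the RNFR count and its time window, uploads in editable formats, one user on several source IPs, and logins from addresses outside the IEBC inventory) can all be derived mechanically from the FileZilla Server log. The following parser and checks are an added example, not part of the report; the sample lines are copied from the excerpts quoted here, the allowed-extension set and the CIDR inventory passed to `foreign_sessions` are assumptions the analyst would replace with the real values.

```python
import posixpath
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# FileZilla Server line: "(session) m/d/Y H:M:S AM|PM - user (ip)> command [args]".
# The server logs a 24-hour clock yet still appends AM/PM, so the suffix is ignored.
LINE_RE = re.compile(r"^\((?P<session>\d+)\) (?P<ts>\S+ \S+) [AP]M - (?P<user>.+?) "
                     r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)> (?P<cmd>\S+)(?: (?P<arg>.*))?$")

# Constructed sample: lines taken from the excerpts quoted in this report.
SAMPLE_LOG = """\
(001459) 8/9/2017 18:10:24 PM - (not logged in) (196.104.216.23)> USER VKimelil@IEBC.OR.KE
(001459) 8/9/2017 18:10:24 PM - vkimelil@iebc.or.ke (196.104.216.23)> CWD /
(001566) 8/9/2017 18:39:41 PM - vkimelil@iebc.or.ke (196.100.169.223)> STOR /Desktop/WINDOWS/SOURCES/MIGISOL.DLL
(008284) 8/10/2017 21:30:05 PM - fmugo@iebc.or.ke (196.100.175.139)> RNFR F34-014-063-0311-008-01.pdf
(014932) 8/11/2017 6:00:07 AM - smeiguran@iebc.or.ke (196.103.25.211)> RNFR FORM 34B 043-252-SUBA SOUTH.pdf
(000204) 8/2/2017 15:07:35 PM - asenge@iebc.or.ke (197.180.213.212)> STOR F34B-001-Changamwe.xlsx
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def rename_summary(events):
    """Count RNFR (rename) commands and return (count, first, last) timestamps."""
    ts = sorted(e["ts"] for e in events if e["cmd"] == "RNFR")
    return (len(ts), ts[0], ts[-1]) if ts else (0, None, None)

def unexpected_uploads(events, allowed=(".jpg",)):
    """STOR commands whose file extension is not one expected for scanned forms (assumed set)."""
    return [(e["user"], e["arg"]) for e in events
            if e["cmd"] == "STOR" and e["arg"]
            and posixpath.splitext(e["arg"])[1].lower() not in allowed]

def ips_per_user(events):
    """Map each authenticated user to the sorted list of source IPs it used."""
    seen = {}
    for e in events:
        if e["user"] != "(not logged in)":
            seen.setdefault(e["user"], set()).add(e["ip"])
    return {u: sorted(ips) for u, ips in seen.items()}

def foreign_sessions(events, inventory):
    """Users seen from IPs outside the organisation's address inventory (CIDR strings)."""
    nets = [ip_network(n) for n in inventory]
    hits = {u: [ip for ip in ips if not any(ip_address(ip) in n for n in nets)]
            for u, ips in ips_per_user(events).items()}
    return {u: ips for u, ips in hits.items() if ips}
```

Run over the full server log, `rename_summary` reproduces the "188 times between ... and ..." figure, and `foreign_sessions` with the real IEBC inventory lists the sessions flagged in the first finding.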
