Scenario
SFTP and web logs show several internal users making updates, repeated failed logins from one address, HTTP 404s from another, and one successful external SFTP login using user sjames that modified index.html.
Your task: Review the evidence and select the best analyst response for each field.
| Evidence | Details |
|---|---|
| Internal activity | 192.168.10.32 modified about_us.html; 192.168.10.37 modified index |
| External success | 41.21.18.102 logged in as sjames and modified index.html |
| Noise | 32.111.16.37 mostly failed logins; 52.110.26.27 only HTTP 404s |
Analyst Decisions
Instructor Answer
- 41.21.18.102 is external and successfully logged in with sjames.
- Changing index.html is a strong website compromise indicator.
- Resetting the account password and blocking external SFTP access directly address the likely attack path.
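The triage reasoning behind the instructor answer (external source, successful login, change to the landing page) expressed as detection logic, as an added example that is not part of the original exercise. It runs over constructed SFTP log lines in an assumed key=value layout; `SENSITIVE_FILES` and `FAILED_LOGIN_THRESHOLD` are assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample SFTP log lines (not from the original page) in an assumed
# key=value layout; real sshd/sftp-server log formats differ.
SAMPLE_LOGS = """\
2024-05-01T09:03:40 src=192.168.10.32 user=mlee event=modify path=/var/www/html/about_us.html
2024-05-01T09:10:05 src=192.168.10.37 user=tchan event=login result=success
2024-05-01T09:11:22 src=192.168.10.37 user=tchan event=modify path=/var/www/html/index.html
2024-05-01T10:15:01 src=32.111.16.37 user=admin event=login result=failure
2024-05-01T10:15:03 src=32.111.16.37 user=root event=login result=failure
2024-05-01T10:15:06 src=32.111.16.37 user=sjames event=login result=failure
2024-05-01T11:40:12 src=41.21.18.102 user=sjames event=login result=success
2024-05-01T11:41:30 src=41.21.18.102 user=sjames event=modify path=/var/www/html/index.html
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
                     r"(?: result=(?P<result>\S+))?(?: path=(?P<path>\S+))?$")
SENSITIVE_FILES = {"index.html"}  # assumption: a changed landing page is a defacement indicator
FAILED_LOGIN_THRESHOLD = 3        # assumption: this many failures from one source gets flagged

def parse(log_text):
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line.strip()))]

def is_external(ip):
    # RFC 1918, loopback and link-local addresses are not global; anything global counts as external
    return ipaddress.ip_address(ip).is_global

def triage(entries):
    """Group events per source address and assign a severity plus the reason for it."""
    per_src = defaultdict(lambda: {"failed": 0, "users": set(), "modified": set()})
    for e in entries:
        s = per_src[e["src"]]
        if e["event"] == "login" and e["result"] == "success":
            s["users"].add(e["user"])
        elif e["event"] == "login":
            s["failed"] += 1
        elif e["event"] == "modify" and e["path"]:
            s["modified"].add(e["path"].rsplit("/", 1)[-1])   # keep only the file name
    findings = {}
    for src, s in per_src.items():
        ext = is_external(src)
        sev, why = "info", "internal or routine activity"
        if ext and s["users"] and s["modified"] & SENSITIVE_FILES:
            sev, why = "high", "external source authenticated and changed a sensitive web file"
        elif s["failed"] >= FAILED_LOGIN_THRESHOLD and not s["users"]:
            sev, why = "medium", "repeated failed logins with no success (likely brute-force noise)"
        findings[src] = {"severity": sev, "reason": why, "external": ext,
                         "users": sorted(s["users"]), "modified": sorted(s["modified"])}
    return findings
```

Only the external source that both authenticated and touched index.html is rated high; the failed-login source is flagged separately so it is not mistaken for the actual compromise.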