To be used in the Cyber Attack Dice Scenario
Instructions:
- Give scouts 2 minutes to look at just a Sample Log File. Instruct them to look for unusual activity in the log—anything that stands out.
- After 2 minutes, give them the IT Team memo. Scouts should instinctively start looking for the IP addresses. Let them figure this out.
- After 5 minutes, if they still have not found the suspicious IP addresses, give them the Police memo.
- After 7 minutes, give them the hint to remember the attack happened between 3:00 and 7:00 p.m.
- At 10 minutes, help them more directly so they can move on to the next part of solving the crime.
- When they figure out the suspicious IP addresses, give them the list of what the Log File is doing. Give them 5 minutes to figure out three questions:
  - Which department was hacked.
  - Who the hacker was.
  - What changes they made to the system.
Sample Email Communications
Date: 03/15/2025
From: City IT Team
To: Office of the Mayor
Subject: Approved IP Addresses
Dear Mayor,
We have identified the following approved IP addresses that will have access to the updated server, CityNetServer01. These departments will use this server for daily operations and records management starting early next week.
City Government Approved IP Addresses
- JusticeDeptServer: 192.168.10.11
- EmergencyTeamAccess: 192.168.10.12
- WaterWorksNetwork: 192.168.10.13
- ParksRecreationHub: 192.168.10.14
- EducationCentral: 192.168.10.15
- TransitConnect: 192.168.10.16
Please share this information as needed.
Regards,
City IT Team
Date: 03/20/2025
From: Police Department
To: Office of the Mayor
Subject: Suspicious Users and IP Addresses
Dear Mayor,
During our investigation into recent cyber activities targeting city systems, we have identified four suspicious users along with their associated IP addresses. These users are believed to be connected to unauthorized access attempts on city infrastructure. Please see the details below for your reference:
Suspicious Usernames and IP Addresses
- DailyPlanner: 192.168.201.45
- FriendlyDaisy: 192.168.202.78
- CryptoBuddy: 192.168.203.92
- SweetTooth32: 192.168.204.56
We recommend sharing this information with relevant departments to ensure security protocols are reinforced and all systems are actively monitored for any activity from these users or their IP addresses.
Regards,
City Police Department
Sample Log File
Copy and paste this log file sample into a Word document and change all of the font color to black. The green and red font here highlights for the leader what the scouts should be looking for: the IP addresses. Green marks approved IP addresses and red marks the IP addresses identified by the police as suspicious.
Day – Time – Log – Term – User – Action
07/01/2018 05:49:48 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 05:57:17 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 06:04:57 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 06:13:51 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 06:23:47 CityNetServer01 controld[66]: run command SCAN
07/01/2018 06:32:45 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 06:37:31 CityNetServer01 vsftpd[21]: remote connection 192.168.10.15 denied
07/01/2018 06:41:15 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 06:50:41 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 07:00:20 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 07:20:09 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 07:28:05 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 07:28:31 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 07:29:54 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 07:34:40 CityNetServer01 vsftpd[21]: remote connection 192.168.10.13 denied
07/01/2018 07:38:49 CityNetServer01 sshd[22]: remote connection 192.168.10.14 denied
07/01/2018 07:46:50 CityNetServer01 controld[66]: run command SCAN
07/01/2018 07:52:15 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 07:59:39 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 07:59:43 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 08:04:19 CityNetServer01 controld[66]: run command SCAN
07/01/2018 08:07:57 CityNetServer01 vsftpd[21]: remote connection 192.168.10.12 denied
07/01/2018 08:08:41 CityNetServer01 sshd[22]: remote connection 192.168.10.13 denied
07/01/2018 08:12:06 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 08:14:53 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 08:20:48 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 08:25:25 CityNetServer01 vsftpd[21]: remote connection 192.168.10.12 denied
07/01/2018 08:30:18 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 08:36:00 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 08:46:22 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 08:48:33 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 08:54:12 CityNetServer01 sshd[22]: remote connection 192.168.10.14 denied
07/01/2018 09:00:29 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 09:04:13 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 09:08:51 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 09:16:13 CityNetServer01 sshd[22]: remote connection 192.168.10.11 denied
07/01/2018 09:16:39 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 09:24:44 CityNetServer01 controld[66]: run command SCAN
07/01/2018 09:25:46 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 09:36:13 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 09:43:57 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 09:52:32 CityNetServer01 vsftpd[21]: remote connection 192.168.10.12 denied
07/01/2018 09:56:14 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 10:04:30 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 10:06:42 CityNetServer01 vsftpd[21]: remote connection 192.168.10.12 denied
07/01/2018 10:10:38 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 10:18:01 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 10:19:20 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 10:23:41 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 10:31:29 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 10:41:05 CityNetServer01 controld[66]: run command SCAN
07/01/2018 10:43:17 CityNetServer01 vsftpd[21]: remote connection 192.168.10.15 denied
07/01/2018 10:51:11 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 10:57:24 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 11:08:05 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 11:18:42 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 11:32:51 CityNetServer01 controld[66]: run command SCAN
07/01/2018 11:42:37 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 11:46:44 CityNetServer01 sshd[22]: remote connection 192.168.10.13 denied
07/01/2018 11:55:21 CityNetServer01 sshd[22]: remote connection 192.168.10.14 denied
07/01/2018 11:55:25 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 12:03:30 CityNetServer01 vsftpd[21]: remote connection 192.168.10.14 denied
07/01/2018 12:07:55 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 12:12:35 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 12:16:21 CityNetServer01 controld[66]: run command SCAN
07/01/2018 12:19:13 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 12:21:55 CityNetServer01 controld[66]: run command SCAN
07/01/2018 12:25:28 CityNetServer01 sshd[22]: remote connection 192.168.10.11 denied
07/01/2018 12:25:30 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 12:27:04 CityNetServer01 controld[66]: run command SCAN
07/01/2018 12:30:14 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 12:32:47 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 12:43:18 CityNetServer01 sshd[22]: remote connection 192.168.10.14 denied
07/01/2018 12:49:38 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 12:59:17 CityNetServer01 controld[66]: run command SCAN
07/01/2018 13:03:14 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 13:09:39 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 13:12:39 CityNetServer01 controld[66]: run command SCAN
07/01/2018 13:20:27 CityNetServer01 sshd[22]: remote connection 192.168.10.12 denied
07/01/2018 13:28:16 CityNetServer01 sshd[22]: remote connection 192.168.10.13 denied
07/01/2018 13:31:24 CityNetServer01 controld[66]: run command SCAN
07/01/2018 13:41:17 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 13:50:49 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 13:56:11 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 14:02:03 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 14:12:40 CityNetServer01 controld[66]: run command SCAN
07/01/2018 14:17:00 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 14:27:15 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 14:33:49 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 14:41:05 CityNetServer01 vsftpd[21]: remote connection 192.168.10.15 denied
07/01/2018 14:49:52 CityNetServer01 sshd[22]: remote connection 192.168.10.11 denied
07/01/2018 14:55:48 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 15:01:57 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 15:02:22 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 15:03:52 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 15:19:56 CityNetServer01 sshd[22]: remote connection 192.168.10.13 denied
07/01/2018 15:22:06 CityNetServer01 controld[66]: run command SCAN
07/01/2018 15:26:50 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 15:28:15 CityNetServer01 sshd[22]: remote connection 192.168.10.12 denied
07/01/2018 15:35:49 CityNetServer01 vsftpd[21]: remote connection 192.168.10.15 denied
07/01/2018 15:44:31 CityNetServer01 controld[66]: run command SCAN
07/01/2018 15:47:00 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 15:55:53 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 16:06:20 CityNetServer01 vsftpd[21]: remote connection 192.168.10.13 denied
07/01/2018 16:10:23 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 16:17:19 CityNetServer01 sshd[22]: remote connection 192.168.102.78 success
07/01/2018 16:20:59 CityNetServer01 sshd[22]: remote connection 192.168.10.14 privileges revoked
07/01/2018 16:21:14 CityNetServer01 sshd[22]: remote connection 192.168.102.78 privileges reassigned
07/01/2018 16:22:22 CityNetServer01 sshd[22]: remote connection 192.168.102.78 terminated
07/01/2018 16:27:05 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 16:35:44 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 16:38:41 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 16:43:30 CityNetServer01 sshd[22]: remote connection 192.168.10.11 denied
07/01/2018 16:50:21 CityNetServer01 controld[66]: run command SCAN
07/01/2018 16:56:03 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 16:58:03 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 17:00:32 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 17:06:11 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 17:06:27 CityNetServer01 controld[66]: run command SCAN
07/01/2018 17:08:49 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 17:09:23 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 17:14:54 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 17:15:21 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 17:23:14 CityNetServer01 sshd[22]: remote connection 192.168.10.14 denied
07/01/2018 17:28:01 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 17:30:06 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 17:37:50 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 17:43:55 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 17:48:25 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 17:57:04 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 18:03:16 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 18:06:03 CityNetServer01 sshd[22]: remote connection 192.168.102.78 success
07/01/2018 18:10:06 CityNetServer01 smtpd[25]: redirect request to 192.168.103.92…success
07/01/2018 18:18:52 CityNetServer01 sshd[22]: remote connection 192.168.102.78 terminated
07/01/2018 18:24:36 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 18:33:46 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 18:40:17 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 18:43:07 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 18:53:37 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 18:56:11 CityNetServer01 vsftpd[21]: remote connection 192.168.10.13 denied
07/01/2018 18:58:26 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 19:01:06 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 19:02:05 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 19:11:24 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 19:11:49 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 19:18:53 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 19:26:10 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 19:31:59 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 19:41:34 CityNetServer01 vsftpd[21]: remote connection 192.168.10.13 denied
07/01/2018 19:44:13 CityNetServer01 kernel[0]: running system check…complete, no errors
07/01/2018 19:46:55 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 19:55:09 CityNetServer01 controld[66]: run command SCAN
07/01/2018 19:57:44 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 20:01:44 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 20:03:43 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 20:05:54 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 20:12:39 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 21:55:03 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 21:57:06 CityNetServer01 crond[1]: component update started…sorting components…complete
07/01/2018 21:59:54 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
07/01/2018 22:01:36 CityNetServer01 controld[66]: run command SCAN
07/01/2018 22:08:49 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 22:11:35 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 22:13:17 CityNetServer01 vsftpd[21]: remote connection 192.168.10.11 denied
07/01/2018 22:16:10 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 22:16:56 CityNetServer01 vsftpd[21]: remote connection 192.168.10.14 denied
07/01/2018 22:20:21 CityNetServer01 sshd[22]: remote connection 192.168.10.13 denied
07/01/2018 22:23:53 CityNetServer01 controld[66]: run command SCAN
07/01/2018 22:33:59 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
07/01/2018 22:41:28 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 22:45:40 CityNetServer01 sshd[22]: remote connection 192.168.10.12 denied
07/01/2018 22:49:36 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 22:58:02 CityNetServer01 smtpd[25]: contacting remote hq…success
07/01/2018 23:06:29 CityNetServer01 ntpd[3059]: synchronizing…aborted; problem connecting
07/01/2018 23:15:04 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 23:19:07 CityNetServer01 controld[66]: run command SCAN
07/01/2018 23:29:19 CityNetServer01 vsftpd[21]: remote connection 192.168.10.14 denied
07/01/2018 23:29:45 CityNetServer01 sshd[22]: remote connection 192.168.10.12 denied
07/01/2018 23:33:38 CityNetServer01 mysqld[3306]: internal connection denied
07/01/2018 23:38:06 CityNetServer01 sshd[22]: remote connection 192.168.10.12 denied
07/01/2018 23:47:49 CityNetServer01 apached[80]: local connection accepted on eth1
07/01/2018 23:56:17 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 23:59:39 CityNetServer01 sgrid[765]: synchronizing on eth0,1,2
What is the Log File Doing?
Each of those terms in the log file refers to a specific service, process, or component on the server, and the number in brackets is the Process ID (PID), which identifies the specific instance of that service running at that time. Each term and PID gives insight into what processes are running on the server and their activity.
Here’s what some of the items mean:
- apached[80]: This represents the Apache HTTP Server Daemon, which is a widely used web server software responsible for handling HTTP (web) requests. The PID [80] is the unique identifier for the instance of Apache running on the server.
- controld[66]: This likely refers to a control process or service that monitors or initiates system commands. The PID [66] identifies the specific instance of this control daemon.
- crond[1]: This represents the cron daemon, which is a job scheduler used to execute scheduled tasks (like backups or updates). The PID [1] is assigned to this specific instance of the cron process.
- kernel[0]: This refers to the kernel, which is the core part of the operating system that manages hardware and system resources. The PID [0] often indicates a process running at the kernel level, like system checks or hardware communications.
- mysqld[3306]: This represents the MySQL Database Daemon, which handles database operations on the server. The PID [3306] typically corresponds to the MySQL service, and the port 3306 is its default port for communication.
- ntpd[3059]: This is the Network Time Protocol Daemon, responsible for synchronizing the server’s clock with a reliable time source. The PID [3059] indicates the active instance managing this task.
- sgrid[765]: Likely refers to a synchronization grid service, which synchronizes data or processes across the server’s network interfaces. The PID [765] identifies the specific running instance.
- smtpd[25]: This refers to the Simple Mail Transfer Protocol Daemon, which is responsible for sending and receiving email on the server. The PID [25] tracks the specific instance of the email-handling process.
- sshd[22]: This is the Secure Shell Daemon, responsible for managing secure and encrypted remote connections to the server. The PID [22] indicates the active instance facilitating these connections.
- vsftpd[21]: This is the Very Secure File Transfer Protocol Daemon, responsible for managing secure FTP (File Transfer Protocol) connections to the server. The PID [21] identifies the specific instance of the service handling these operations.
Leader Answer Key
Between the information on the times, the IP addresses, and the notes of activity, the following are the correct answers to the questions the scouts are trying to figure out:
- Which department was hacked.
- Who the hacker was.
- What changes they made to the system.
Which department was hacked.
The ParksRecreationHub (IP: 192.168.10.14) is identified as the potential issue.
The log indicates that privileges for 192.168.10.14 (ParksRecreationHub) were revoked at 16:20:59 and immediately reassigned to 192.168.102.78 (the hacker’s IP) at 16:21:14.
For a more in-depth look, let’s examine the patterns in previous logs:
- Suspicious Activity at Parks and Recreation Hub IP (192.168.10.14):
  - In the previous logs, the ParksRecreationHub IP repeatedly shows denied connections or unusual activity, including revoked privileges or failed attempts.
  - For example, in the log file from 07/01/2018 18:06:03, the hacker accessed the system through the suspicious IP 192.168.102.78 using SSH. Shortly after that, at 18:10:06, the hacker redirected traffic to another external IP (192.168.103.92). Though this is a new suspicious IP address, similar redirection behavior had been tied to department activities within Parks and Recreation previously.
- Parks and Recreation Activity Targeted via FTP and SSH:
  - Multiple vsftpd[21] entries indicate denied FTP access attempts using the ParksRecreationHub IP. Hackers often exploit FTP vulnerabilities to gain unauthorized access to files, hinting at why Parks and Recreation may have been targeted.
  - Examples of SSH activity from or involving this department align with suspicious log entries.
- Timing and Patterns:
  - The successful suspicious access from 192.168.102.78 begins on 07/01/2018 18:06:03, shortly before the redirected traffic event. The hacker's log-off occurs at 18:18:52, a very short window of access that suggests intentional targeting and quick changes, a hallmark of vulnerable systems.
While other departments have some activity logged (like WaterWorksNetwork and others), the Parks and Recreation Hub consistently appears in denied or suspicious connection entries. This pattern leads to the conclusion that it may be the system experiencing the vulnerabilities exploited by the hacker.
Who the hacker was.
The hacker appears to be using the IP address 192.168.102.78, which has been flagged as suspicious. This IP address is linked to the hacker ID FriendlyDaisy.
What changes they made to the system.
- At 16:20:59, the hacker revoked access privileges for 192.168.10.14 (ParksRecreationHub).
- At 16:21:14, they reassigned those privileges to themselves using the suspicious IP 192.168.102.78, effectively taking control of the Parks and Recreation systems.
- By 16:22:22, they terminated their session, likely after exploiting or gathering information from the department.
- At 18:06:03, the hacker successfully accessed the system using SSH (Secure Shell).
- At 18:10:06, they redirected web traffic from the city’s system to a suspicious external IP address 192.168.103.92, potentially to steal or manipulate information.
- At 18:18:52, the hacker terminated their session, concluding their access after making the redirection.
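The answer key's reasoning as a runnable check, added here as an example and not part of the original activity: it keeps only lines inside the 3:00 to 7:00 p.m. window, flags any address missing from the IT memo's approved list, and collects what the server logged while each such address was logged in. The function names and the session-pairing rule (an sshd "success" line followed by a "terminated" line from the same address) are assumptions made for this example.

```python
import re
from datetime import datetime, time

# Approved addresses from the City IT Team memo.
APPROVED = {
    "192.168.10.11": "JusticeDeptServer",
    "192.168.10.12": "EmergencyTeamAccess",
    "192.168.10.13": "WaterWorksNetwork",
    "192.168.10.14": "ParksRecreationHub",
    "192.168.10.15": "EducationCentral",
    "192.168.10.16": "TransitConnect",
}

# Excerpt of the Sample Log File above (lines copied from the page).
SAMPLE_LOG = """\
07/01/2018 14:49:52 CityNetServer01 sshd[22]: remote connection 192.168.10.11 denied
07/01/2018 16:17:19 CityNetServer01 sshd[22]: remote connection 192.168.102.78 success
07/01/2018 16:20:59 CityNetServer01 sshd[22]: remote connection 192.168.10.14 privileges revoked
07/01/2018 16:21:14 CityNetServer01 sshd[22]: remote connection 192.168.102.78 privileges reassigned
07/01/2018 16:22:22 CityNetServer01 sshd[22]: remote connection 192.168.102.78 terminated
07/01/2018 16:27:05 CityNetServer01 sshd[22]: remote connection 192.168.10.16 denied
07/01/2018 18:06:03 CityNetServer01 sshd[22]: remote connection 192.168.102.78 success
07/01/2018 18:10:06 CityNetServer01 smtpd[25]: redirect request to 192.168.103.92…success
07/01/2018 18:18:52 CityNetServer01 sshd[22]: remote connection 192.168.102.78 terminated
07/01/2018 19:11:24 CityNetServer01 sshd[22]: remote connection 192.168.10.15 denied
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ (\w+)\[\d+\]: (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(log, start=time(15, 0), end=time(19, 0)):
    """Return (timestamp, service, message, ips) for lines inside the hinted window."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip the header row and malformed lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        if start <= ts.time() <= end:
            events.append((ts, m.group(2), m.group(3), IPV4.findall(m.group(3))))
    return events

def unapproved_ips(events):
    return {ip for _, _, _, ips in events for ip in ips if ip not in APPROVED}

def sessions(events):
    """Pair each sshd 'success' from a non-approved IP with its 'terminated' line
    and collect every line the server logged while that session was open."""
    found, open_sessions = [], {}
    for ts, service, msg, ips in events:
        for s in open_sessions.values():
            s["activity"].append(f"{ts:%H:%M:%S} {service}: {msg}")
        for ip in (i for i in ips if i not in APPROVED):
            if service == "sshd" and msg.endswith("success") and ip not in open_sessions:
                open_sessions[ip] = {"ip": ip, "start": ts, "end": None, "activity": []}
            elif msg.endswith("terminated") and ip in open_sessions:
                found.append({**open_sessions.pop(ip), "end": ts})
    return found + list(open_sessions.values())  # keep sessions that never closed

def departments_touched(found):
    """Approved hosts named in the log while a non-approved session was open."""
    names = set()
    for s in found:
        for line in s["activity"]:
            names.update(APPROVED[ip] for ip in IPV4.findall(line) if ip in APPROVED)
    return names
```

The check works from the approved list rather than the Police memo because the addresses in the log (192.168.102.78 and 192.168.103.92) differ in the third octet from the memo's entries (192.168.202.78 and 192.168.203.92), so an exact match against the memo finds nothing.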