Using tcpdump -i eth0 port 21 on a compromised jump host yields:
/export/home/ftp/ ├── incoming/ (customer uploads – malware risk) ├── outbound/ (CDRs, alarms – unencrypted PII) ├── config/ (router configs – credentials inside) └── logs/ (plaintext syslog) 3.1 Credential Interception Despite internal VLAN segmentation, ARP spoofing or switch port mirroring inside an Orange data center (e.g., Valence DC) allows attackers to capture FTP credentials in cleartext. orange communication ftp