Saturday, April 9, 2011

Admin Mischief?

Four of the new accounts set up by Danileo and JudyOkla were given admin powers;  EvaMarie (8036), kaydaniels (8101), roseym (8102) and kaydaniels (8106).  It is not possible to know exactly what every action was from this record.  It seems to me that if the actions were legitimate, they would not have been done with false identities.   All four performed actions that would not be possible if they had only the permissions of a registered user.

These tables are in chronological order.  I have included the actions used to give the other new accounts admin powers, as shown in the previous blog,  I have also included some actions that JudyOkla did from her own account.

The first action by kaydaniels (user id = 8101) in the admin log was at 7:44 pm on July 18th. These actions were done using JudyOkla’s IP address.  Kaydaniels was active in the stats, moderate and announcement scripts.

admin
logid
userid
dateline
script
action
Extra
info
ipaddress
48017
8101
(kaydaniels)
1279500279
07 / 18 / 10 @
7:44:39pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)
48018
8101
(kaydaniels)
1279500291
moderate.php
posts

9x.xxx.xxx.x7
(JudyOkla)
48022
8101
(kaydaniels)
1279500600
07 / 18 / 10 @ 7:50:00pm EST
announcement
.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48023
8101
(kaydaniels)
1279500605
moderate.php
posts

9x.xxx.xxx.x7
(JudyOkla)
48025
8101
(kaydaniels)
1279500617
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)
48029
8101
(kaydaniels)
1279500786
07 / 18 / 10 @ 7:53:06pm EST
moderate.php
posts

9x.xxx.xxx.x7
(JudyOkla)
48030
8101
(kaydaniels)
1279500792
moderate.php
attachments

9x.xxx.xxx.x7
(JudyOkla)
48031
8101
(kaydaniels)
1279500795
moderate.php
events

9x.xxx.xxx.x7
(JudyOkla)
48032
8101
(kaydaniels)
1279500798
moderate.php
messages

9x.xxx.xxx.x7
(JudyOkla)
48037
8101
(kaydaniels)
1279500878
07 / 18 / 10 @ 7:54:38pm EST
announcement
.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48038
8101
(kaydaniels)
1279500884
announcement
.php
add

9x.xxx.xxx.x7
(JudyOkla)
48040
8101
(kaydaniels)
1279500924
07 / 18 / 10 @ 7:55:24pm EST
announcement
.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48046
8101
(kaydaniels)
1279501115
07 / 18 / 10 @ 7:58:35pm EST
moderate.php
posts

9x.xxx.xxx.x7
(JudyOkla)
48047
8101
(kaydaniels)
1279501121
07 / 18 / 10 @ 7:58:41pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)

At 8:22, JudyOkla returned to her own account.  She modified the account of larryf.  As you recall, his join date was altered to hide the fact that he had just joined the forum. LarryF first posted at 9:29 pm.   JudyOkla edited her own account, including her admin permissions.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48075
250
(JudyOkla)
1279502538
07 / 18 / 10 @ 8:22:18pm EST
user.php
modify
user id = 8105
 (larryF)
9x.xxx.xxx.x7
(JudyOkla)
48076
250
(JudyOkla)
1279502623
access
mask.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48080
250
(JudyOkla)
1279502709
user.php
edit
user id = 250
 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)
48081
250
(JudyOkla)
1279502730
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48082
250
(JudyOkla)
1279502730
07 / 18 / 10 @ 8:25:30pm EST
user.php
edit
user id = 250 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)
48083
250
(JudyOkla)
1279502742
help.php
answer

9x.xxx.xxx.x7
(JudyOkla)
48084
250
(JudyOkla)
1279502747
help.php
answer

9x.xxx.xxx.x7
(JudyOkla)
48085
250
(JudyOkla)
1279502762
07 / 18 / 10 @ 8:26:02pm EST
admin
permissions
.php
edit
user id = 250 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)
48086
250
(JudyOkla)
1279502807
07 / 18 / 10 @ 8:26:47pm EST
admin
permissions
.php
edit
user id = 250 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)

Danileo used EvaMarie’s account to get rid of the first kaydaniels account that they had both worked on and that JudyOkla had used less than an hour before.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48090
8036
(EvaMarie)
1279502992
07 / 18 / 10 @ 8:29:52pm EST
user.php
modify

6x.xxx.xx.xx7
(Danileo)
48091
8036
(EvaMarie)
1279503005
user.php
find

6x.xxx.xx.xx7
(Danileo)
48092
8036
(EvaMarie)
1279503005
user.php
edit
user id = 8101
(kaydaniels)
6x.xxx.xx.xx7
(Danileo)
48093
8036
(EvaMarie)
1279503027
user.php
remove
user id = 8101
(kaydaniels)
6x.xxx.xx.xx7
(Danileo)
48094
8036
(EvaMarie)
1279503037
07 / 18 / 10 @ 8:30:37pm EST
user.php
kill
user id = 8101
(kaydaniels)
6x.xxx.xx.xx7
(Danileo)
48095
8036
(EvaMarie)
1279503039
user.php
modify

6x.xxx.xx.xx7
(Danileo)

JudyOkla edited the admin permissions for DocRobbie (who had not been on the forum  for over two months).  She also edited the admin permissions of lchris.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48106
250
(JudyOkla)
1279503453
07 / 18 / 10 @ 8:37:33pm EST
admin
permissions
.php


9x.xxx.xxx.x7
(JudyOkla)
48107
250
(JudyOkla)
1279503519
07 / 18 / 10 @ 8:38:39pm EST
admin
permissions
.php
edit
user id = 14
(DocRobbie)
9x.xxx.xxx.x7
(JudyOkla)
48108
250
(JudyOkla)
1279503549
07 / 18 / 10 @ 8:39:09pm EST
admin
permissions
.php
edit
user id = 99 (lchris)
9x.xxx.xxx.x7
(JudyOkla)

At 8:41 pm JudyOkla switched from her own account to that of roseym (8102).  What was she doing that she could not do under her own name?

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48109
8102
(roseym)
127950369207 / 18 / 10 @ 8:41:32pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)
48110
8102
(roseym)
1279503699
cronlog.php
choose

9x.xxx.xxx.x7
(JudyOkla)
48111
8102
(roseym)
1279503702
plugin.php
files

9x.xxx.xxx.x7
(JudyOkla)
48112
8102
(roseym)
127950372407 / 18 / 10 @ 8:42:04pm EST
moderate.php
posts

9x.xxx.xxx.x7
(JudyOkla)
48113
8102
(roseym)
1279503745
repair.php
list

9x.xxx.xxx.x7
(JudyOkla)
48114
8102
(roseym)
1279503752
misc.php
chooser

9x.xxx.xxx.x7
(JudyOkla)
48115
8102
(roseym)
1279503756
queries.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48116
8102
(roseym)
1279503759
repair.php
list

9x.xxx.xxx.x7
(JudyOkla)
48117
8102
(roseym)
1279503770
07 / 18 / 10 @ 8:42:50pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)
48118
8102
(roseym)
1279504395
07 / 18 / 10 @ 8:53:15pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)
48119
8102
(roseym)
1279504397
07 / 18 / 10 @ 8:53:17pm EST
stats.php
index

9x.xxx.xxx.x7
(JudyOkla)

At 8:54 pm, JudyOkla again switched identities, now using her own.  She edited the account of Nugget, a second account used by Hulapig.  At 9:11, she edited her own admin permissions again.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48120
250
(JudyOkla)
1279504449
07 / 18 / 10 @ 8:54:09pm EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48121
250
(JudyOkla)
1279504454
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48122
250
(JudyOkla)
1279504455
07 / 18 / 10 @ 8:54:15pm EST
user.php
edit
user id = 7876 (Nugget)
9x.xxx.xxx.x7
(JudyOkla)
48123
250
(JudyOkla)
1279505443
user.php
update
user id = 7876 (Nugget)
9x.xxx.xxx.x7
(JudyOkla)
48124
250
(JudyOkla)
1279505444
user.php
modify
user id = 7876 (Nugget)
9x.xxx.xxx.x7
(JudyOkla)
48125
250
(JudyOkla)
1279505453
07 / 18 / 10 @ 9:10:53pm EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48126
250
(JudyOkla)
1279505462
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48127
250
(JudyOkla)
1279505462
07 / 18 / 10 @ 9:11:02pm EST
user.php
edit
user id = 250 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)
48128
250
(JudyOkla)
1279505473
07 / 18 / 10 @ 9:11:13pm EST
admin
permissions
.php
edit
user id = 250 (JudyOkla)
9x.xxx.xxx.x7
(JudyOkla)

Danileo, using the account of EvaMarie, modified and edited the account of the second kaydaniels.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48129
8036
(EvaMarie)
1279505533
07 / 18 / 10 @ 9:12:13pm EST
user.php
add

6x.xxx.xx.xx7
(Danileo)
48149
8036
(EvaMarie)
1279506046
user.php
update

6x.xxx.xx.xx7
(Danileo)
48150
8036
(EvaMarie)
1279506048
user.php
modify
user id = 8106
(kaydaniels)
6x.xxx.xx.xx7
(Danileo)
48152
8036
(EvaMarie)
1279506125
07 / 18 / 10 @ 9:22:05pm EST
user.php
edit
user id = 8106
(kaydaniels)
6x.xxx.xx.xx7
(Danileo)

JudyOkla used access masks to change forum permissions and access.   Access masks override any forum-level usergroup permissions.  They can be set to allow or prohibit access.  JudyOkla edited the access masks for many of the staff room threads.  She also edited access to Members Meets and Greets and to a thread about Japan.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48175
250
(JudyOkla)
1279506762
07 / 18 / 10 @ 9:32:42pm EST
access
mask.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48176
250
(JudyOkla)
1279506800
07 / 18 / 10 @ 9:33:20pm EST
access
mask.php
edit
forum id = 84
(Moderators' Memos)
9x.xxx.xxx.x7
(JudyOkla)
48177
250
(JudyOkla)
1279506841
access
mask.php
edit
forum id = 144 /accessmask = 1(Staff Meetings)
9x.xxx.xxx.x7
(JudyOkla)
48178
250
(JudyOkla)
1279506904
07 / 18 / 10 @ 9:35:04pm EST
access
mask.php
edit
forum id = 18 /accessmask = 1(TECHNICAL SUPPORT AND FORUM MODERATING PROCEDURES)
9x.xxx.xxx.x7
(JudyOkla)
48179
250
(JudyOkla)
1279506919
access
mask.php
edit
forum id = 79 /
accessmask = 1(THE STAFF ROOM)
9x.xxx.xxx.x7
(JudyOkla)
48180
250
(JudyOkla)
1279506931
07 / 18 / 10 @ 9:35:31pm EST
access
mask.php
edit
forum id = 79 /
accessmask = 1(THE STAFF ROOM)
9x.xxx.xxx.x7
(JudyOkla)
48181
250
(JudyOkla)
1279506966
access
mask.php
edit
forum id = 18 /
accessmask = 1(TECHNICAL SUPPORT AND FORUM MODERATING PROCEDURES)
9x.xxx.xxx.x7
(JudyOkla)
48182
250
(JudyOkla)
1279506977
07 / 18 / 10 @ 9:36:17pm EST
access
mask.php
edit
forum id = 142 /
accessmask = 1(Members Meets and Greets)
9x.xxx.xxx.x7
(JudyOkla)
48183
250
(JudyOkla)
1279506984
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48189
250
(JudyOkla)
1279507037
user.php
edit
user id = 250
9x.xxx.xxx.x7
(JudyOkla)
48190
250
(JudyOkla)
1279507044
07 / 18 / 10 @ 9:37:24pm EST
user.php
edit
access
user id = 250
9x.xxx.xxx.x7
(JudyOkla)
48191
250
(JudyOkla)
1279507058
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48197
250
(JudyOkla)
1279507081
access
mask.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48198
250
(JudyOkla)
1279507088
07 / 18 / 10 @ 9:38:08pm EST
access
mask.php
edit
forum id = 129
 accessmask = 1(Japan NHK Kohaku Uta Gassen 31 Dec 2009)
9x.xxx.xxx.x7
(JudyOkla)
48199
250
(JudyOkla)
1279507123
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48200
250
(JudyOkla)
1279507129
access
mask.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48201
250
(JudyOkla)
1279507146
07 / 18 / 10 @ 9:39:06pm EST
access
mask.php
edit
forum id = 78
 accessmask = 1(Moderators' Register – Closed and Deleted Threads)
9x.xxx.xxx.x7
(JudyOkla)
48202
250
(JudyOkla)
1279507158
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48210
250
(JudyOkla)
1279507187
07 / 18 / 10 @ 9:39:47pm EST
user.php
edit
user id = 250
9x.xxx.xxx.x7
(JudyOkla)

JudyOkla resigned at 11:12 pm.  Danileo resigned at 11:20 pm.  EvaMarie was back on the forum at 11:30 pm, this time with a proxy IP from Woodstock, IL.  She edited the account for Looie (8108).   Looie appeared as an admin in the admin control panel, but there is no record of any actions performed.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48297
8036
(EvaMarie)
1279513809
07 / 18 / 10 @ 11:30:09pm EST
user.php
add

67.159.44.51
(proxy)
48298
8036
(EvaMarie)
1279514026
07 / 18 / 10 @ 11:33:46pm EST
user.php
update

67.159.44.51
(proxy)
48299
8036
(EvaMarie)
1279514029
07 / 18 / 10 @ 11:33:49pm EST
user.php
modify
user id = 8108
(Looie)
67.159.44.51
(proxy)
48300
8036
(EvaMarie)
1279514065
user.php
edit
user id = 8108
(Looie)
67.159.44.51
(proxy)
48301
8036
(EvaMarie)
1279514088
user.php
editaccess
user id
(Looie)= 8108
67.159.44.51
(proxy)
48302
8036
(EvaMarie)
1279514103
07 / 18 / 10 @ 11:35:03pm EST
user.php
Update
access
user id
(Looie)= 8108
67.159.44.51
(proxy)
48303
8036
(EvaMarie)
1279514107
07 / 18 / 10 @ 11:35:07pm EST
user.php
edit
user id
(Looie)= 8108
67.159.44.51
(proxy)

Evamarie logged off the forum and returned less than an hour later with an IP address in the UK..  She altered the record of the original (but banned) account of  Clix Pix at 12:15 am on July 19th.  I do not know what she altered. Clix Pix has reported that she was unable to re-register using her old account, so created a new one.  This is not the only time that JudyOkla has altered the history of a member.

EvaMarie modified the banning script, then returned to editing access for Looie.  EvaMarie also edited access for Administrative Announcements and Honorary Membership threads.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48310
8036
1279516488
07 / 19 / 10 @ 12:14:48am EST
user.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48311
8036
(EvaMarie)
1279516502
user.php
find

9x.xxx.xxx.xx2
(probable
UK proxy)
48312
8036
(EvaMarie)
1279516503
07 / 19 / 10 @ 12:15:03am EST
user.php
edit
user id = 3614
(Clix Pix)
9x.xxx.xxx.xx2
(probable
UK proxy)
48313
8036
(EvaMarie)
1279516518
07 / 19 / 10 @ 12:15:18am EST
user.php
change
history
user id = 3614
(Clix Pix)
9x.xxx.xxx.xx2
(probable
UK proxy)
48314
8036
(EvaMarie)
1279516621
07 / 19 / 10 @ 12:17:01am EST
banning.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48315
8036
(EvaMarie)
1279516639
banning.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48316
8036
(EvaMarie)
1279516645
banning.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48317
8036
(EvaMarie)
1279516650
07 / 19 / 10 @ 12:17:30am EST
banning.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48318
8036
(EvaMarie)
1279516674
user.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48319
8036
(EvaMarie)
1279516683
user.php
find

9x.xxx.xxx.xx2
(probable
UK proxy)
48320
8036
(EvaMarie)
1279516684
user.php
edit
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48321
8036
(EvaMarie)
1279516703
07 / 19 / 10 @ 12:18:23am EST
user.php
edit
access
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48322
8036
(EvaMarie)
1279516737
user.php
update
access
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48323
8036
(EvaMarie)
1279516739
user.php
edit
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48324
8036
(EvaMarie)
1279516819
07 / 19 / 10 @ 12:20:19am EST
access
mask.php
modify

9x.xxx.xxx.xx2
(probable
UK proxy)
48325
8036
(EvaMarie)
1279516841
07 / 19 / 10 @ 12:20:41am EST
access
mask.php
edit
forum id = 81
(Administrative Announcements)
9x.xxx.xxx.xx2
(probable
UK proxy)
48326
8036
(EvaMarie)
1279516925
07 / 19 / 10 @ 12:22:05am EST
access
mask.php
edit
forum id = 127 / accessmask = 1(Honorary Membership)
9x.xxx.xxx.xx2
(probable
UK proxy)
48327
8036
(EvaMarie)
1279517231
user.php
update
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48328
8036
(EvaMarie)
1279517233
user.php
modify
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
48329
8036
(EvaMarie)
1279517408
07 / 19 / 10 @ 12:30:08am EST
user.php
edit
user id = 8108
(Looie)
9x.xxx.xxx.xx2
(probable
UK proxy)
(This table first posted with the upper section missing.  It has been corrected.)

At 12:56 am on July 19, JudyOkla returned as kaydaniels (8106).  She, too, edited Looie’s account.  Then she edited the access to the Red Room.  At 1:24 am, JudyOkla altered the history of another member, Luz.   And finally, she modified the account for jayme.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48330
8106
(kaydaniels)
1279519018
07 / 19 / 10 @ 12:56:58am EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48331
8106
(kaydaniels)
1279519038
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48332
8106
(kaydaniels)
1279519038
user.php
edit
user id = 8108
(Looie)
9x.xxx.xxx.x7
(JudyOkla)
48333
8106
(kaydaniels)
1279519168
07 / 19 / 10 @ 12:59:28am EST
user.php
edit
access
user id = 8108
(Looie)
9x.xxx.xxx.x7
(JudyOkla)
48334
8106
(kaydaniels)
1279519426
user.php
edit
access
user id = 8108
(Looie)
9x.xxx.xxx.x7
(JudyOkla)
48335
8106
(kaydaniels)
1279519441
user.php
update
access
user id = 8108
(Looie)
9x.xxx.xxx.x7
(JudyOkla)
48336
8106
(kaydaniels)
1279519442
user.php
edit
user id = 8108
(Looie)
9x.xxx.xxx.x7
(JudyOkla)
48337
8106
(kaydaniels)
1279519615
07 / 19 / 10 @ 1:06:55am EST
access
mask.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48338
8106
(kaydaniels)
1279519619
07 / 18 / 10 @ 11:33:46pm EST
access
mask.php
edit
forum id = 112 / accessmask = 1(THE RED ROOM)
9x.xxx.xxx.x7
(JudyOkla)
48339
8106
(kaydaniels)
1279519709
07 / 19 / 10 @ 1:08:29am EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48340
8106
(kaydaniels)
1279519728
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48341
8106
(kaydaniels)
1279520056
07 / 19 / 10 @ 1:14:16am EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48342
8106
(kaydaniels)
1279520088
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48343
8106
(kaydaniels)
1279520096
user.php
edit
user id = 8099
(Luz)
9x.xxx.xxx.x7
(JudyOkla)
48344
8106
(kaydaniels)
1279520699
07 / 19 / 10 @ 1:24:59am EST
user.php
change
history
user id = 8099
(Luz)
9x.xxx.xxx.x7
(JudyOkla)
48345
8106
(kaydaniels)
1279522040
07 / 19 / 10 @ 1:47:20am EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48346
8106
(kaydaniels)
1279522052
user.php
add

9x.xxx.xxx.x7
(JudyOkla)
48347
8106
(kaydaniels)
1279522690
07 / 19 / 10 @ 1:58:10am EST
user.php
update

9x.xxx.xxx.x7
(JudyOkla)
48348
8106
(kaydaniels)
1279522692
user.php
modify
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48349
8106
(kaydaniels)
1279522724
user.php
modify
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48350
8106
(kaydaniels)
1279522728
user.php
edit
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48351
8106
(kaydaniels)
1279522780
07 / 19 / 10 @ 1:59:40am EST
user.php
update
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48352
8106
(kaydaniels)
1279522781
user.php
modify
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48353
8106
(kaydaniels)
1279522794
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48373
8106
(kaydaniels)
1279559581
07 / 19 / 10 @ 12:13:01pm EST
user.php
modify

9x.xxx.xxx.x7
(JudyOkla)
48374
8106
(kaydaniels)
1279559587
user.php
find

9x.xxx.xxx.x7
(JudyOkla)
48375
8106
(kaydaniels)
1279559587
user.php
edit
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48376
8106
(kaydaniels)
1279559601
07 / 19 / 10 @ 12:13:21pm EST
user.php
update
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)
48377
8106
(kaydaniels)
1279559603
07 / 19 / 10 @ 12:13:23pm EST
user.php
modify
user id = 8109
(jayme)
9x.xxx.xxx.x7
(JudyOkla)

After using two different proxies, Danileo logged into the account of EvaMarie from her own IP again.  This time it was to view a member, Monkeytech.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48434
8036
(EvaMarie)
1279573080
07 / 19 / 10 @ 3:58:00pm EST
user.php
find

6x.xxx.xx.xx7
(Danileo)
48435
8036
(EvaMarie)
1279573091
user.php
Find
names

6x.xxx.xx.xx7
(Danileo)
48436
8036
(EvaMarie)
1279573093
07 / 19 / 10 @ 3:58:13pm EST
user.php
View
user
user id = 2657 (monkey
tech)
6x.xxx.xx.xx7
(Danileo)

At 11:52 am on July 20th, kaydaniels logged in from the same UK IP address that EvaMarie had used earlier.  The fact that both of these accounts used the same UK address strengthens the suspicion that it was a proxy IP address.  This time kaydaniels visited the moderate script and viewed join requests.

admin
logid
userid
dateline
script
action
extrainfo
ipaddress
48767
8106
(kaydaniels)
1279644757
07 / 20 / 10 @ 11:52:37am EST
moderate.php
events

9x.xxx.xxx.xx2
(probable
UK proxy)
48768
8106
(kaydaniels)
1279644767
moderate.php
events

9x.xxx.xxx.xx2
(probable
UK proxy)
48769
8106
(kaydaniels)
1279644771
moderate.php
events

9x.xxx.xxx.xx2
(probable
UK proxy)
48770
8106
(kaydaniels)
127964477507 / 20 / 10 @ 11:52:55am EST
user.php
viewjoin
requests

9x.xxx.xxx.xx2
(probable
UK proxy)
48771
8106
(kaydaniels)
1279644775
user.php
viewjoin
requests

9x.xxx.xxx.xx2
(probable
UK proxy)
48772
8106
(kaydaniels)
1279644783
user.php
viewjoin
requests

9x.xxx.xxx.xx2
(probable
UK proxy)
48773
8106
(kaydaniels)
1279644783
07 / 20 / 10 @ 11:53:03am EST
moderate.php
events

9x.xxx.xxx.xx2
(probable
UK proxy)

Although I cannot identify every action taken by the new admins, it is clear that they had admin powers and were active in the admin control panel.  I believe some of these actions are responsible for the irregularities on July 18-20th.

One such example is the change of Red Room access. Members reported that they had lost their Red Room privileges.  JudyOkla edited access to the Red Room at 11:33 pm on July 18.

During an MSN chat on August 12, with Pickled Tink, lchris and Truus, both Danileo and JudyOkla admitted to creating new admin accounts. Here are some excerpts.
Judy says:   I felt at this time we were  under a hostile take over and I was an Admin of this site - i created 2 accts myself trying to stay ahead of you and keep you from taking it over
Judy says:   i created kaydaniels and she created another - cant' even remember the name - because they weren't used - i didn't know how to give full permissions 
Judy says:   no, i had to create the accts before you cut me off and i knew you would
How credible are these words?  Considering that there was never any plan for a hostile takeover (contrary to what orgonon and some staff were making up and spreading), I must view them skeptically.  The accounts were used. Any statement claiming otherwise is untrue.  And the claim by JudyOkla that she had to create the accounts before lchris cut off her access is specious.  Lchris cut off the staff access because of the actions of the faux admins.  If they had not done those things, the staff access would not have been restricted.

What did Danileo have to say in that chat?
Dani   says:   i am given to understand that MJ and Chris have issued accusations of various sorts-from hacking the back end to being guilty of fear mongering. Admin mischief is the term being used....
Dani   says:   I want to make it very clear--not only did I not do any of these things, but I consider myself a professional, and would not sully my integrity with these kinds of activities.
 Dani   says:   i created eva marie for the same reasons. I did not change anything as eva marie.
Dani   says:   unbanning really did it for me--i saw clix pix name on the forum--and got very upset that she was here again
Her own activities, from her IP address, show that Danileo’s denials do not hold up.  She did change things as Evamarie.

Her excuse of being upset that Clix Pix was back on the forum is not believable either.  The false admin accounts were created and used well before Clix Pix returned at 9:31 pm on July 18th. Kaydaniels (8101) was active at 7:44 pm.  EvaMarie was active starting at 8:29 pm.  Roseym was active at 8:41 pm.  Only the second kaydaniels account (8106) became active after the appearance of Clix.

Tech staff members JudyOkla and Danileo created new admin accounts.  They used these accounts to make changes that led to confusion and chaos on the forum. They returned using the faux admin accounts after they had supposedly resigned.  Even though they tried to justify their actions, their excuses do not ring true.


Note about times:  The database uses Unix timestamps. They do not take Daylight Savings Time into account.  So if you compare the time in the database to your time, it may be an hour off.  However, all the times of events will be accurate relative to each other.

Posted by at
Labels: , , , , , , ,