Continuing further:
On Saturday the 14th, the hosting site was contacted and the situation was explained to the security department. An investigation was opened and within several hours, I was sent the results.
Host Gator wrote: Looking through the logs, I see that the IP 72.224.96.8 mostly viewed various topics on the site but never registered for an account. On August 30th we see that this user logged into the dcooper account and from there, they accessed the admin area and modified permissions on the accounts. This suggests that the password for the dcooper user was compromised.
We have reset the following logins:
Username: Hut Master
Password: xxxxxx
Username: Rose
Password: xxxxx
Username: Kim
Password: xxxxx
Username: Lager
Password: xxxxx
Please update the following vulnerable software installations to prevent future security compromises:
Here is a sample of some of the logs from the host site:
Logs:
72.224.96.8 - - [31/Aug/2012:18:20:46 -0500] "GET /forum/adm/index.php?i=users&mode=overview&u=55&sid=032ddfb88d23c9a12e1123c1a269c67a HTTP/1.1" 200 12141 "http://www.ttownsendbrown.com/forum/memberlist.php?mode=viewprofile&u=55" "Opera/9.30 (Nintendo Wii; U; ; 3642; en)"
72.224.96.8 - - [31/Aug/2012:18:20:46 -0500] "GET /forum/styles/milky_way_red/theme/images/tbl_f_l.png HTTP/1.1" 404 3354 "http://www.ttownsendbrown.com/forum/adm/index.php?i=users&mode=overview&u=55&sid=032ddfb88d23c9a12e1123c1a269c67a" "Opera/9.30 (Nintendo Wii; U; ; 3642; en)"
72.224.96.8 - - [31/Aug/2012:18:20:46 -0500] "GET /forum/styles/milky_way_red/theme/images/tbl_f_c.png HTTP/1.1" 404 3354 "http://www.ttownsendbrown.com/forum/adm/index.php?i=users&mode=overview&u=55&sid=032ddfb88d23c9a12e1123c1a269c67a" "Opera/9.30 (Nintendo Wii; U; ; 3642; en)"
72.224.96.8 - - [31/Aug/2012:18:20:46 -0500] "GET /forum/styles/milky_way_red/theme/images/tbl_f_r.png HTTP/1.1" 404 3354 "http://www.ttownsendbrown.com/forum/adm/index.php?i=users&mode=overview&u=55&sid=032ddfb88d23c9a12e1123c1a269c67a" "Opera/9.30 (Nintendo Wii; U; ; 3642; en)"
72.224.96.8 - - [31/Aug/2012:18:21:16 -0500] "POST /forum/adm/index.php?sid=032ddfb88d23c9a12e1123c1a269c67a HTTP/1.1" 200 8019 "http://www.ttownsendbrown.com/forum/adm/index.php?
The IP that dcooper originally joined the forum from is 72.224.96.8 and the join date was Fri Jul 06, 2012 4:31 pm. The IP is identical to the intruder's IP.
It should be noted that dcooper has claimed that he always uses his Wii for he can't afford a computer and a Wii is the system that the intrusion originated from.
Later on the same day, the software was updated to correct certain security defects but the "code" that was allowing Linda Brown's account to have full authority remained. To find and remove this code is not cost productive so it will remain but Linda Brown will not have access to the Hut.
As to dcooper admitting that he was in there, here are the communications that occurred between him and one of the admins who monitor this site.
Here he was asked about transferring permissions;
dcooper wrote:Re: Care to explain?
Sent: Sun Sep 02, 2012 6:27 pm
by dcooper
I was trying to figure out some things on this forum that I am not shore of, Clicked that to see what it was it said needs to be restored...... I am sorry if I cause any trouble, I did not know what it was so I clicked it, I did not know that I was unable to do some things, Agian I'm sorry, If i caused any trouble.
But I still do not know what Permission transferred from Mikado14 I clicked it and said needs to be restored is?
Please do not banned me, I'm sorry -dcooper
It should be noted that even for a Moderator or Admin, the transfer of permissions to check out a member's settings can only be done from the admin panel. So, if this young man clicked on anything, it is apparent that he was in the admin panel.
And another correspondence:
dcooper wrote:Re: And yet another
Sent: Sun Sep 02, 2012 6:36 pm
by dcooper
Yes indeed I was viewing a profile, I sometimes do that on linda's forum and the living moon to see when they were last login or/and to see what the post,(quicker results if you wan't to find a post by them) I looked at linda's to see the same thing, I also notice I can not see all the members (to see who's here) Agian I was not aware that I am unable to do that and I'm sorry. I did not ment for trouble. -dcooper
No member should have the permission to view another's profile which proves the logs found by Host Gator that permissions were transferred.
And here is Lager's response:
Lager wrote:
Re: And yet another
Sent: Sun Sep 02, 2012 10:44 pm
by Lager
dcooper wrote:
Yes indeed I was viewing a profile, I sometimes do that on linda's forum and the living moon to see when they were last login or/and to see what the post,(quicker results if you wan't to find a post by them) I looked at linda's to see the same thing, I also notice I can not see all the members (to see who's here) Agian I was not aware that I am unable to do that and I'm sorry. I did not ment for trouble. -dcooper
dcooper wrote:I was trying to figure out some things on this forum that I am not shore of, Clicked that to see what it was it said needs to be restored...... I am sorry if I cause any trouble, I did not know what it was so I clicked it, I did not know that I was unable to do some things, Agian I'm sorry, If i caused any trouble.
But I still do not know what Permission transferred from Mikado14 I clicked it and said needs to be restored is?
Please do not banned me, I'm sorry -dcooper
First of all, you never had permissions to access the Administration Control Panel and you just can't inadvertently just "click" on something. The log clearly shows that you were in the admin section. Secondly, there is another log that shows the same thing through the cpanel of the server. So please don't insult me with your poor grammar and misspellings when I have noticed that you are capable of so much better.
Secondly, it is impossible for any member to have the ability, unless you are a Moderator or an Administrator to have the ability to transfer permissions from any user. Again, the log indicates something other than an accident both on the php and the cpanel of the server.
On the off chance that this is a glitch, I will accept your explanation but understand that it has been reported to the host, a log has been made, your IP has been reverse traced. From what I understand, you are a minor and you wouldn't want this to go further so, if it was an accident then I suppose there will be no more logs. If this happens again, that would be the second infraction and it will go further.
Host Name: cpe-72-224-96-8.maine.res.rr.com
Browser/OS: Opera/Nintendo
IP Address: 72.224.96.8 — dcooper
Mobile Device: Nintendo Wii
Location: Bangor, Maine, United States
Resolution: 800x472
Your IP has been reverse traced to the local switching station.
We will let this ride for now but I will have to report this to the owner of the site.
However, there remains this:
index.php
2 Sep 05:10:35 PM
The Quonset Hut • Who is online
viewonline.php
2 Sep 05:10:38 PM
The Quonset Hut • Who is online
index.php
2 Sep 05:10:46 PM
The Quonset Hut • Who is online
ucp.php?mode=login
2 Sep 05:10:47 PM
The Quonset Hut • Index page
The times are Pacific, you responded at approximately 6:30 EST on your PM's. Notice a problem? The above times are 8 PM EST which are a little later than when you sent the PM's. You are still accessing the "who is online" function and your permissions are not set to allow that. How is it that you are able to?
Your permissions have been reset. This is your last and only warning.
Lager
The evidence strongly suggests that for all the past months, Linda has expressed that she would never come on the Hut and post...ever again. Two weeks after the above, Linda wants her password reset so that she can post. This woman changes her mind more times than the sun changes position in the sky during the day. But all of a sudden she wants on. What would she have done if I just resent the password? I believe that she knew exactly what she was doing and when the dust settled, she would have claimed it was Morgan or twigsnapper or even Chuck Norris. But then she would be an accessory if she took advantage of it and I know she would have for she feels bullet proof. Oh, and here is a bit of a warning to you, you are being watched for they have come to me and asked questions. I have repeatedly told you to shut the hell up but you won't, history shows that.
Now it should be noted that what dcooper has done is a felony. He is a kid. A misguided one and I hope that this little incident will teach him a lesson and I will let it go. A part of me feels violated in that he hacked into this site. At whose beckoning was this done? Did he do this alone? Did he hope to gain favor with someone? There was talk in Linda's circle that I might do something such as this. Never. It is wrong. I have always spoken the truth when it came to Linda and her phantom alphabet agencies...oh hell, say it like it is...when it came to Dave Smith and Harold Garrity and Chuck Norris. She took real people and gave them lives they never knew existed for them and she expected everyone to believe her, even when the truth came out.
But look at what has happened. I was bombarded with email from Linda for the past several days but after I posted the above...nothing. Truth stings, doesn't it?
You will get your wish Linda, your account is being deactivated just as some of the others requested but you must understand this, your name and all the posts will remain just as theirs have.
Your IP will also be banned but not until you have had time to read this. Have you wondered why I haven't been posting? Because you aren't worth it anymore. You are surrounded by those that neither have much nor are worth much. They need stories and fables to hang their hat on and they will certainly get it from you. I feel compassion for you. You are trying so hard to gain recognition by hanging onto your Father's coattails and you will do and say anything to that end. Even use a 17 year old boy from Maine. I will not ruin his life. You already have for he was reported by IP and name (shouldn't have used your real name, Dylan) in a database of hackers. Don't get caught again Dylan but I really don't know what they would do but don't do so here, I won't be magnanimous.
Mikado
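The log review the host describes above (finding which IPs successfully reached the phpBB admin panel, and with which session) can be repeated on any Apache combined-format access log. The following is an added example, not part of the original post or the host's tooling; the sample lines are constructed, and the `known_admin_ips` allowlist is a hypothetical parameter. Lines truncated in the referer, like the last log line quoted above, still parse.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Leading fields of an Apache combined-format line; referer/user-agent are not required.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ADMIN_PREFIX = "/forum/adm/"  # phpBB admin panel path as it appears in the quoted logs

# Constructed sample lines (documentation IPs, made-up session ids and user agents).
SAMPLE = [
    '203.0.113.7 - - [31/Aug/2012:18:19:02 -0500] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 9120 "-" "UA-1"',
    '203.0.113.7 - - [31/Aug/2012:18:20:46 -0500] "GET /forum/adm/index.php?i=users&mode=overview&u=55&sid=aaaa1111 HTTP/1.1" 200 12141 "-" "UA-1"',
    '203.0.113.7 - - [31/Aug/2012:18:21:16 -0500] "POST /forum/adm/index.php?sid=aaaa1111 HTTP/1.1" 200 8019 "http://forum.example/forum/adm/index.php?',
    '198.51.100.20 - - [31/Aug/2012:18:25:00 -0500] "GET /forum/adm/index.php HTTP/1.1" 403 512 "-" "UA-2"',
    '192.0.2.10 - - [31/Aug/2012:19:00:00 -0500] "GET /forum/adm/index.php?sid=bbbb2222 HTTP/1.1" 200 12000 "-" "UA-3"',
    'garbage line that is not a log entry',
]

def parse(line):
    """Return a dict of fields for one log line, or None if it is not a log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"], rec["sid"] = url.path, parse_qs(url.query).get("sid", [None])[0]
    return rec

def admin_activity(lines, known_admin_ips=frozenset()):
    """Summarise successful (HTTP 200) admin-panel requests per IP not on the allowlist."""
    hits = defaultdict(lambda: {"GET": 0, "POST": 0, "sids": set(), "first": None, "last": None})
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        if (not rec["path"].startswith(ADMIN_PREFIX) or rec["status"] != "200"
                or rec["ip"] in known_admin_ips):
            continue
        h = hits[rec["ip"]]
        h[rec["method"]] = h.get(rec["method"], 0) + 1
        h["sids"].add(rec["sid"])
        h["first"] = min(h["first"] or rec["ts"], rec["ts"])
        h["last"] = max(h["last"] or rec["ts"], rec["ts"])
    return dict(hits), skipped
```

Calling `admin_activity(SAMPLE, known_admin_ips={"192.0.2.10"})` returns the per-IP summary and the count of skipped lines; POST requests are the ones to review first, since they are the requests that change settings.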