Sent from my iPhone
Begin forwarded message:
From: Cary Wiedemann
Date: October 29, 2015 at 12:59:15 AM EDT
To: Megan Elizabeth, acrhea@yahoo.com
Subject: Re: Death threats sent on the site to me
Megan,
This is an interesting one and may ultimately be traceable. The IP which generated this post is 45.55.161.28, which belongs to the cloud hosting company Digital Ocean, Inc. This does not appear to be a Tor anonymization network exit relay and may be a paid private server.
This IP has been used to attack you for several months. Please see my logs of this IP's activity below:
-- BEGIN LOG FILE --
==========================
Log level: Info
Date: 10/27/2015
Time: 10:25PM
Source: pm
Category: Application
Message: Private message posted by "MeganLinn".
User info: User ID = 13439, username = MeganLinn, User IP address = 45.55.161.28
Additional details:
Message:
Private message posted by "MeganLinn".
Number of recipients: 1
==========================
Log level: Info
Date: 10/27/2015
Time: 10:22PM
Source: pm
Category: Application
Message: Private message posted by "MeganLinn".
User info: User ID = 13439, username = MeganLinn, User IP address = 45.55.161.28
Additional details:
Message:
Private message posted by "MeganLinn".
Number of recipients: 1
==========================
Log level: Info
Date: 10/27/2015
Time: 10:20PM
Source: forum login
Category: Security
Message: User MeganLinn logged in.
User info: User ID = 13439, username = MeganLinn, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 10/27/2015
Time: 10:19PM
Source: register
Category: Security
Message: User registered for an account: MeganLinn .
User info: Anonymous user, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 09/29/2015
Time: 08:07AM
Source: post
Category: Application
Message: Message "Is this a horse or a fox tail?" posted by "Michael Amstutz".
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
Related message: Forum = Fairfax County General, Message ID = 1983201, URL = http://www.fairfaxunderground.com/forum/read/2/1983201/1983201.html#msg-1983201
==========================
Log level: Info
Date: 09/29/2015
Time: 08:06AM
Source: forum login
Category: Security
Message: User Michael Amstutz logged in.
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 09/29/2015
Time: 08:05AM
Source: forum login
Category: Security
Message: New password request for user "megantoohey86@gmail.com"
User info: Anonymous user, User IP address = 45.55.161.28
Additional details:
Message:
New password request for user "megantoohey86@gmail.com"
A new password was requested for the user with email address "megantoohey86@gmail.com". A new password "XXXXXXX" was generated and mailed to the user.
==========================
Log level: Info
Date: 09/29/2015
Time: 08:05AM
Source: forum login
Category: Security
Message: New password request for user "megantoohey86@gmail.com"
User info: Anonymous user, User IP address = 45.55.161.28
Additional details:
Message:
New password request for user "megantoohey86@gmail.com"
A new password was requested for the user with email address "megantoohey86@gmail.com". A new password "XXXXXXX" was generated and mailed to the user.
==========================
Log level: Info
Date: 09/29/2015
Time: 08:05AM
Source: forum login
Category: Security
Message: User Michael Amstutz logged out.
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 09/29/2015
Time: 08:05AM
Source: pm
Category: Application
Message: Private message posted by "Michael Amstutz".
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
Additional details:
Message:
Private message posted by "Michael Amstutz".
Number of recipients: 1
==========================
Log level: Info
Date: 09/29/2015
Time: 08:04AM
Source: pm
Category: Application
Message: Private message posted by "Michael Amstutz".
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
Additional details:
Message:
Private message posted by "Michael Amstutz".
Number of recipients: 1
==========================
Log level: Info
Date: 09/29/2015
Time: 07:56AM
Source: forum login
Category: Security
Message: User Michael Amstutz logged in.
User info: User ID = 13330, username = Michael Amstutz, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 09/29/2015
Time: 07:56AM
Source: register
Category: Security
Message: User registered for an account: Michael Amstutz .
User info: Anonymous user, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 08/01/2015
Time: 12:57AM
Source: pm
Category: Application
Message: Private message posted by "Megyn_Lynn".
User info: User ID = 13006, username = Megyn_Lynn, User IP address = 45.55.161.28
Additional details:
Message:
Private message posted by "Megyn_Lynn".
Number of recipients: 1
==========================
Log level: Info
Date: 08/01/2015
Time: 12:55AM
Source: post
Category: Application
Message: Message "Birthday bash at my place@5934 North Kings Hwy Alexandria 22303" posted by "Megyn_Lynn".
User info: User ID = 13006, username = Megyn_Lynn, User IP address = 45.55.161.28
Related message: Forum = Fairfax County General, Message ID = 1936513, URL = http://www.fairfaxunderground.com/forum/read/2/1936513/1936513.html#msg-1936513
==========================
Log level: Debug
Date: 08/01/2015
Time: 12:52AM
Source: search
Category: Application
Message: PHP notice: Undefined index: POST
User info: User ID = 13006, username = Megyn_Lynn, User IP address = 45.55.161.28
Additional details:
Message:
PHP notice: Undefined index: POST
PHP notice generated at /web/fairfaxunderground/temp/tpl-classic-search-5aad0116359ceb0b0049ac9a4e1549ed.php-stage2:77
Back trace:
Function include called at
/web/fairfaxunderground/temp/tpl-classic-search-5aad0116359ceb0b0049ac9a4e1549ed.php:7
----
Function include called at
{path to Phorum}/common.php:1599
----
Function phorum_output called at
{path to Phorum}/search.php:423
----
Request info:
HTTP_HOST = www.fairfaxunderground.com
REQUEST_URI = /forum/search.php?0,search=,author=ying+ko,page=1,match_type=ALL,match_dates=0,match_forum=ALL,match_threads=0
QUERY_STRING = 0,search=,author=ying+ko,page=1,match_type=ALL,match_dates=0,match_forum=ALL,match_threads=0
==========================
Log level: Info
Date: 08/01/2015
Time: 12:50AM
Source: post
Category: Application
Message: Message "I authorize and consent to these pictures being viewed, saved, and shared on other websites" posted by "Megyn_Lynn".
User info: User ID = 13006, username = Megyn_Lynn, User IP address = 45.55.161.28
Related message: Forum = Off-Topic, Message ID = 1936510, URL = http://www.fairfaxunderground.com/forum/read/40/1936510/1936510.html#msg-1936510
==========================
Log level: Info
Date: 08/01/2015
Time: 12:48AM
Source: forum login
Category: Security
Message: User Megyn_Lynn logged in.
User info: User ID = 13006, username = Megyn_Lynn, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 08/01/2015
Time: 12:48AM
Source: register
Category: Security
Message: User registered for an account: Megyn_Lynn .
User info: Anonymous user, User IP address = 45.55.161.28
==========================
Log level: Info
Date: 07/05/2015
Time: 01:37AM
Source: spamhurdles
Category: Module
Message: Spam Hurdles blocked "posting" post
User info: Anonymous user, User IP address = 45.55.161.28
Additional details:
Message:
Spam Hurdles blocked "posting" post
Javascript signing is enabled, but the client either did not sign the provided data or did sign it wrongly.
Expected signature: aa2c318fbb60d9d0784a7c9da8118147
Received signature: n/a
-- END LOG FILE --
Unfortunately none of these impersonation accounts correspond to any other IP addresses.
The user-agent string is also unfortunately generic: "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
I'm going to leave this account open in the hopes the perpetrator slips up and signs in from a non-proxy IP. I'll similarly leave the IP unbanned to continue correlating the abuse from this particular user, lest they switch to a new IP.
I'm performing some additional analytics, but don't expect any smoking guns.
- Cary Wiedemann
--Curator, FairfaxUnderground.com
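The correlation Cary does by hand above (several accounts registered from one IP, a password-reset request aimed at the victim's address from that same IP, and a check of whether any of those accounts ever appeared from another IP) is worth scripting once the log is more than a screenful. The script below is an added example, not code from the thread or from Phorum itself. It parses records in the field layout of the log excerpt above and reports per-IP findings. Only the layout is taken from the excerpt: every record, IP address (RFC 5737 documentation ranges) and username in SAMPLE_LOG is constructed, and the 15-minute burst window and the two-account threshold are arbitrary choices, not anything the thread states.

```python
# Added example (not from the e-mail thread or from Phorum): correlate Phorum-style
# event-log records by client IP. The field layout mirrors the log excerpt in the
# thread; the records, IPs (RFC 5737 ranges) and usernames below are constructed.
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
==========================
Log level: Info
Date: 10/28/2015
Time: 09:00AM
Source: forum login
Category: Security
Message: User Impostor_A logged in.
User info: User ID = 101, username = Impostor_A, User IP address = 198.51.100.7
==========================
Log level: Info
Date: 10/27/2015
Time: 10:20PM
Source: forum login
Category: Security
Message: User Impostor_A logged in.
User info: User ID = 101, username = Impostor_A, User IP address = 192.0.2.10
==========================
Log level: Info
Date: 10/27/2015
Time: 10:19PM
Source: register
Category: Security
Message: User registered for an account: Impostor_A .
User info: Anonymous user, User IP address = 192.0.2.10
==========================
Log level: Info
Date: 09/29/2015
Time: 08:05AM
Source: forum login
Category: Security
Message: New password request for user "victim@example.com"
User info: Anonymous user, User IP address = 192.0.2.10
==========================
Log level: Info
Date: 09/29/2015
Time: 07:56AM
Source: register
Category: Security
Message: User registered for an account: Impostor_B .
User info: Anonymous user, User IP address = 192.0.2.10
"""

_SEP = re.compile(r"^=+$", re.M)
_IP = re.compile(r"User IP address = (\S+)")
_USER = re.compile(r"username = ([^,]+)")
_REGISTERED = re.compile(r"User registered for an account: (.*?)\s*\.?\s*$")
_PW_REQUEST = re.compile(r'New password request for user "([^"]+)"')


def parse_records(text):
    """Split the log on separator lines and keep the fields the correlation needs."""
    out = []
    for chunk in _SEP.split(text):
        f = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep and key not in f:  # first occurrence wins ("Message" repeats)
                f[key] = value.strip()
        if "Source" not in f:
            continue  # empty chunk before the first separator
        info, msg = f.get("User info", ""), f.get("Message", "")
        ip, user, reg = _IP.search(info), _USER.search(info), _REGISTERED.match(msg)
        out.append({
            "ts": datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M%p"),
            "source": f["Source"], "message": msg,
            "ip": ip.group(1) if ip else None,
            # registration is logged as "Anonymous user": take the name from the message
            "user": reg.group(1) if reg else (user.group(1) if user else None),
        })
    return sorted(out, key=lambda r: r["ts"])


def summarize_ip(records, ip, burst=timedelta(minutes=15)):
    """Accounts created, reset requests made, register-then-act bursts, other IPs."""
    mine = [r for r in records if r["ip"] == ip]
    regs = [r for r in mine if r["source"] == "register"]
    names = {g["user"] for g in regs}
    # A registration followed within `burst` (arbitrary window) by activity under that
    # name is the signature of a throwaway account created for one posting session.
    bursts = [(g["user"], n) for g in regs
              if (n := sum(1 for r in mine if r["user"] == g["user"] and r is not g
                           and g["ts"] <= r["ts"] <= g["ts"] + burst))]
    return {"ip": ip, "accounts": [g["user"] for g in regs],
            "reset_targets": sorted({m.group(1) for r in mine
                                     if (m := _PW_REQUEST.search(r["message"]))}),
            "bursts": bursts,
            # the pivot: did any account created here ever show up from elsewhere?
            "other_ips": sorted({r["ip"] for r in records
                                 if r["user"] in names and r["ip"] != ip}),
            "first_seen": mine[0]["ts"], "last_seen": mine[-1]["ts"]}


def suspicious_ips(records, min_accounts=2):
    """IPs that registered several accounts or requested password resets for others."""
    ips = {r["ip"] for r in records if r["ip"]}
    return {ip: s for ip in ips for s in [summarize_ip(records, ip)]
            if len(s["accounts"]) >= min_accounts or s["reset_targets"]}


if __name__ == "__main__":
    for ip, s in suspicious_ips(parse_records(SAMPLE_LOG)).items():
        print(ip, s["first_seen"], "->", s["last_seen"])
        print("  accounts registered:", s["accounts"])
        print("  password resets requested for:", s["reset_targets"])
        print("  register-then-act bursts:", s["bursts"])
        print("  other IPs used by those accounts:", s["other_ips"])
```

On the constructed sample the report flags 192.0.2.10 only: two accounts registered, one reset request against victim@example.com, one register-then-log-in burst, and one pivot hit (Impostor_A later logging in from 198.51.100.7). That last list is the one Cary found empty in the real log, and it is the reason he leaves the accounts and the IP open: a single login from a non-proxy address would populate it.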
On Wed, Oct 28, 2015 at 4:40 PM, Megan Elizabeth wrote:
Sent from my iPhone
Begin forwarded message:
From: Megan Elizabeth
Date: October 28, 2015 at 4:38:56 PM EDT
To: "acrhea@yahoo.com" Adam Rhea "attorney"
Subject: Death threats sent on the site to me
These were sent to me today about the case with Pamela, and this is a legitimate death threat too. I am scared.
Sent from my iPhone