Baron
ET Founder
Registered: Apr 1999
Posts: 2437 |
12-13-11 08:53 PM
So on Sunday here's what he did, but you have to follow this carefully:
1. He did search of all thread titles with the word "sex".
2. He found a thread with one post from 2008 that was indeed a spam thread that never got deleted. It contained only one post that had some broken images and a gazillion URLs to all sorts of spammy sites but aside from that, there was nothing special about it.
3. He then posted a reply in which he quoted the original post and then added the comment "Get out spammer!!!  "
And after doing that, whenever users went to that thread (which is on the homepage at this point since he added a reply), they were redirected to the kiddie porn bullshit whether they liked it or not.
Ok, but hold up. You might be thinking, "How could it redirect to another site if all he posted was a few word reply?" Well, before I deleted the thread, I save the source code of the page. Then I sat down and looked over every line and eventually discovered what he did: Yes, he quoted the first post, BUT he also added several lines of text to the bottom of that quote. And these lines where not regular text, but HTML code that contained a Javascript function that would send users to the kiddie porn. And this code would not be visible to regular users just viewing that page.
But at that point, I didn't just immediately jump to conclusions and assume that he did it. I thought to myself, "I need to check to see if a moderator edited his post afterwards to include those lines." I was very doubtful of this because I caught this thread within seconds after it was posted but I knew the right thing to do was to check anyway. So I went and pulled the database logs for that day, which basically show every single transaction that occurred, right down to showing each time a thread was viewed. Sure enough, the logs showed that he did the search I described above and then he posted the reply. There were some views on the thread shortly thereafter but then the thread got deleted. There was never a point where that post was edited so I KNEW he did it.
But I also knew he did it for common sense reasons, such as: Why would somebody search for a sex thread from 2008 and then post a few word reply? Who does that? Well, the answer is nobody, unless of course you are trying to fabricate a reply for the purpose of including some malicious code to redirect users and make it look like it was the first poster that did it. But he couldn't accomplish the goal of truly making it look like it was all the thread starter's fault since he didn't have the ability to edit the original post as well.
I hope you can see where I'm coming from when I say he was pretty clever. He tried to conceal it in the best way he could, and just looking at the thread itself from the perspective of a regular user, you would look at the first post and then what he quoted and they looked identical on the surface. And you would certainly assume that any redirection or other suspicious activity was from the first post, not the reply. But the source code told the real story.
Prior to him using his EMRGLOBAL username for this, he was creating new users and posting under those usernames via publicly and PM. But as you might know, we recently locked down the ability of new users to post immediately on the public boards and also to use the PM system. So instead of taking the traditional route of creating a new account for the spamming, he decided to use his main username this time. He knew he couldn't PM the spam, as that would definitely look like he was responsible. Instead, he decided the best route was to post publicly and just make the spam look like it was coming from someone else. It was a clever idea, but it was also a very lazy and stupid mistake to make.
|
