Can Any DUers with Strong IT Experience Help Us With This Thread?

This topic is archived.

Wiley50 Donating Member (1000+ posts) Tue Aug-21-07 01:11 PM
Original message
Can Any DUers with Strong IT Experience Help Us With This Thread?
Edited on Tue Aug-21-07 01:33 PM by Wiley50
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=389x1622835

It's about the anon poster that has been posting at TPM, C&L, and others

Last night he posted at Think Progress and gave some specific directions

They are in Reply # 120 in the above thread:

snip

"Wondering what this is all about and where this is going? Think back: It’s illegal to use computers for non-official business; and to discuss classified information about covert activities. Let’s take a look at the recent wiki updates by IP Number connected with the White House. Type the following phrase into your search engine of choice: ( 63.161.169.66 Special Activities Division )
See the result: That means for that a given search linked with EOP, that someone subject to the Leahy Subpoena was inside the White House-EOP; and at that hour looking things up

snip

BlackHatJack did this and reports in reply # 121:

"I followed instructions and put ref in search engine and got a whale of a lot of info, now...

when I try to insert the many site references in the search engine that just leads to even large data files.

Someone with an understanding of how data files are created and organized is going to have to decipher this massive amount of information for the rest of us."

And, Again, in Reply# 129:

"I would cut and paste some of it but it is huge, and divided into groups...

Edited on Tue Aug-21-07 12:34 PM by Blackhatjack
One section contains what I thought were websites searched, so I cut and pasted one of the entries into Google search engine and the results were another data file larger than the first in similar format.

I know the information is there to back up what Anonymous is trying to share with us.

I just don't know how to interpret it, navigate it, and make sense of it."


Is there anyone who can help us figure out if there's any there there?

Midlodemocrat Donating Member (1000+ posts) Tue Aug-21-07 01:12 PM
Response to Original message
1. I would ask DS1.
He's very knowledgeable about computers.
 
havocmom Donating Member (1000+ posts) Tue Aug-21-07 01:13 PM
Response to Original message
2. And post a help request in the computer group
but link it to this thread cuz LOTS of us might benefit from any help the techies can give.
 
Radio_Lady Donating Member (1000+ posts) Tue Aug-21-07 01:14 PM
Response to Original message
3. Wiley, the DU link you posted is not working for me.
Edited on Tue Aug-21-07 01:15 PM by Radio_Lady
Anyone else having this problem?
 
notadmblnd Donating Member (1000+ posts) Tue Aug-21-07 01:16 PM
Response to Original message
4. I can't help, it's way over my head
but why don't you try cross posting this in the tech forum area of DU. Maybe someone will take an interest there?
 
meegbear Donating Member (1000+ posts) Tue Aug-21-07 01:17 PM
Response to Original message
5. FIX THE LINK!
 
Wiley50 Donating Member (1000+ posts) Tue Aug-21-07 01:34 PM
Response to Reply #5
14. LINK IS FIXED! I Think? n/t
 
Wiley50 Donating Member (1000+ posts) Tue Aug-21-07 01:35 PM
Response to Reply #14
16. YEP! IT WORKS NOW SORRY n/t
 
Sanctified Donating Member (1000+ posts) Tue Aug-21-07 01:18 PM
Response to Original message
6. I get a 404 not Found.
Think you need to fix your link so I can read what you are saying.
 
seemunkee Donating Member (1000+ posts) Tue Aug-21-07 01:23 PM
Response to Original message
7. Not sure what I'm looking for
Putting: 63.161.169.66 Special Activities Division
into Google only gets me two links, both are log files for some Illinois govt computer. I'm not familiar with the format but it would appear that the IP 63.161.169.66 visited the server.
 
The Straight Story Donating Member (1000+ posts) Tue Aug-21-07 01:27 PM
Response to Reply #7
9. Pretty much what I get
Only oddity I noticed is that it did not have a visit date like most others.
 
The Straight Story Donating Member (1000+ posts) Tue Aug-21-07 01:25 PM
Response to Original message
8. Not sure if this helps or not....
Edited on Tue Aug-21-07 01:26 PM by The Straight Story
FAQ-ABO300 : ABOUT AWSTATS HISTORY
AWStats was initially designed for my own use to track visitors on my personal web sites (www.chiensderace.com, www.chatsderace.com, www.lesbonnesannonces.com, www.pourmaplanete.com, and www.destailleur.fr)
Then I decided to put it on sourceforge in year 2000. Then a lot of new versions were developed to add enhancements until today. See changelog for full history of changes.

http://awstats.sourceforge.net/docs/awstats_faq.html#LOGFORMAT

# Host - Pages - Hits - Bandwidth - Last visit date - -
# and are saved only if session is not finished

24.15.189.9 2 32 106582 20060906173305
63.161.169.66 0 2 3805
24.12.115.177 1 14 87585 20060922235324
 
Gman Donating Member (1000+ posts) Tue Aug-21-07 01:29 PM
Response to Original message
10. That looks like a web server log
Edited on Tue Aug-21-07 01:30 PM by Gman
my query only brought up 2 links. The first is a file that begins with

AWSTATS DATA FILE 6.5 (build 1.857)
# If you remove this file, all statistics for date 200609 will be lost/reset.

# Position (offset in bytes) in this file of beginning of each section for
# direct I/O access. If you made changes somewhere in this file, you should
# also remove completely the MAP section (AWStats will rewrite it at next
# update).
BEGIN_MAP 30
POS_GENERAL 1963
POS_TIME 2670
POS_VISITOR 244753
POS_DAY 1177581
POS_DOMAIN 3789
POS_LOGIN 4028
POS_ROBOT 4183


The first section describes some general stats, maybe also field names in a database.

It also includes things the assorted browsers support, something about different crawler bots (programs that scour the internet cataloging pages), file types accessed, different operating systems of the accessing computers, different browsers used, the screen resolutions of the computers, search engines that referred the user to a page on this server, and a lot of other stuff related to what appear to be searches (including the search phrases) people did on looking up information on Illinois tax law, and, of course, the IP addresses of people who accessed this server.

The entire file appears to be generated by AWStats, a weblog analyzer.
 
The Straight Story Donating Member (1000+ posts) Tue Aug-21-07 01:30 PM
Response to Original message
11. That IP was also here:
Edited on Tue Aug-21-07 01:31 PM by The Straight Story
http://www.inacipe.gob.mx/

Which is a bit more interesting....

And here:
http://www.ua.edu/

University of Alabama
 
MazeRat7 Donating Member (1000+ posts) Tue Aug-21-07 01:31 PM
Response to Original message
12. Well based on the post above I can tell you this...
Edited on Tue Aug-21-07 01:36 PM by MazeRat7
(cant follow the link either)

AWStats is an open source log file analyzer that produces a variety of "reports" for a web server. One such file was returned when I googled the ip address and phrase shown above.

Generally speaking, those reports show the source ip, what page was accessed, what page they accessed it from, when, and a variety of other information.

I would suggest installing a copy http://awstats.sourceforge.net/ and then feeding it the log file referenced by the search http://awstats.illinois.gov/cgi-bin/data/business/awstats092006.business.illinois.gov.txt and looking at the various graphical reports.

Good luck..

MZr7

on edit: If you're looking to trace the origin of a specific IP address that accesses a specific page.... well good luck. Most of us mask our true IP in a variety of ways to keep ppl from doing exactly that.
 
seemunkee Donating Member (1000+ posts) Tue Aug-21-07 01:33 PM
Response to Reply #12
13. I don't think it's worthwhile
The logs we are looking at are not EOP servers. They belong to Illinois state and only show 1 visit by the IP in question.
 
MazeRat7 Donating Member (1000+ posts) Tue Aug-21-07 01:39 PM
Response to Reply #13
18. Agree... no idea what they are looking for or expect to find....
:shrug:

MZr7
 
seemunkee Donating Member (1000+ posts) Tue Aug-21-07 01:34 PM
Response to Original message
15. HERE is the CORRECT LINK
 
flvegan Donating Member (1000+ posts) Tue Aug-21-07 01:39 PM
Response to Original message
17. Looks like a server logfile for the business.illinois.gov server.
I'm totally missing what "anon" is pointing to.
 
Blackhatjack Donating Member (1000+ posts) Tue Aug-21-07 01:48 PM
Response to Original message
19. If the results that came up following Anonymous' instructions don't pan out then...
this could be important in gauging the credibility of Anonymous.
 
L. Coyote Donating Member (1000+ posts) Tue Aug-21-07 02:05 PM
Response to Original message
20. Sub-thread Other posts about this issue
White House Staffers Editing Wikipedia Entries?
Posted by sabra in General Discussion
Fri Aug 17th 2007, 02:18 PM
http://journals.democraticunderground.com/sabra/5998

Discuss:

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=389x1608609
 
slowry Donating Member (1000+ posts) Tue Aug-21-07 02:15 PM
Response to Original message
21. Can anyone with good divining experience explain wth any of this is about :P n/t?
 
ITExperienceGuy Donating Member (2 posts) Tue Aug-21-07 07:01 PM
Response to Original message
22. Nothing interesting here
Edited on Tue Aug-21-07 07:28 PM by ITExperienceGuy
Hello, I've been working in web development for a few years now. The "log file" you are looking at, is not a log file at all. It's a processed datafile for a somewhat popular package (no idea why), called awstats. The entire point of AWStats is that you input a log file in one end, awstats removes all the interesting information, and out the other end comes a series of not particularly attractive pie charts and bar graphs.

The interesting information it removes, is specifically, what pages a particular person visited. If you want to know that, you need the original log file.

The format of the awstats datafile shouldn't be a mystery to anyone that has ever used microsoft excel (or any spreadsheet for that matter). It's, as I said, for generating bar graphs.

the little information that file does convey, is that the ip
63.161.169.66

visited zero pages, on no date, and somehow managed to download 3.8 kB of data anyway. 3.8kB is far smaller than most webpages. If I were to guess at what this means, it means that ip is probably a proxy that merely sent an http HEAD request to the server, to check when a page was last modified, found that it wasn't modified, and sent the proxy cached copy to some internal ip. But KEEP IN MIND THIS IS JUST SPECULATION.

If you want to establish credibility, first check that the ip subnet actually belongs to the white house. but you don't need to bother, since this stats package datafile essentially says nothing particularly interesting, aside from a slight network hiccup somewhere.

Not to mention the fact that it's not particularly suspicious that a whitehouse computer hiccuped at an illinois.gov website.
 
librechik Donating Member (1000+ posts) Tue Aug-21-07 10:57 PM
Response to Reply #22
24. my son has written me saying nearly the same thing
although it might be for the original link:

"the "data file dump" that was pointed to in a google search, when "deciphered" means exactly what anon poster says it means, and no more.

quote:
"See the result: That means for that a given search linked with EOP, that someone subject to the Leahy Subpoena was inside the White House-EOP; and at that hour looking things up."

The entry for the mentioned ip is mysteriously missing a date of last visit, but most of the other surrounding dates are sometime in 2005.

The thing you need to be looking at to verify is to see if the subnet of the ip actually belongs to the white house.

The trick here is that AWstats actually removes a large volume of information, because its primary purpose is for generating pretty pie charts and bar graphs that people can look at and pretend they're running a useful web business."


 
ITExperienceGuy Donating Member (2 posts) Wed Aug-22-07 12:19 AM
Response to Reply #24
25. shocking revelation.
I am your son!
Doncha recognize me, maw?
 
librechik Donating Member (1000+ posts) Wed Aug-22-07 08:46 AM
Response to Reply #25
26. lol--welcome IT Experience Guy!
sorry I didn't recognize you--I have a lot of kids I don't know about!
 
file83 Donating Member (1000+ posts) Tue Aug-21-07 10:21 PM
Response to Original message
23. There were actually 2 IPs in that log from the same source:
63.161.169.64
and
63.161.169.66

Guess who:


Location: Unknown

Looking up !NET-63-161-169-0-1 at whois.arin.net.


Using 0 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).


OrgName: FEMA
OrgID: FEMA-4
Address: 19844 Blueridge Mt. Rd
City: Bluemont
StateProv: VA
PostalCode: 20135
Country: US

NetRange: 63.161.169.0 - 63.161.169.255
CIDR: 63.161.169.0/24
NetName: SPRINTLINK
NetHandle: NET-63-161-169-0-1
Parent: NET-63-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-02-28
Updated: 2003-02-28

RTechHandle: MBA15-ARIN
RTechName: Baig, Mirza
RTechPhone: +1-202-395-0990
RTechEmail: *****@oa.eop.gov

# ARIN WHOIS database, last updated 2007-08-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Is the RTechEmail at the eop.gov of any significance?

I read that post the other day from "anon" but forgot what the hints were. I'll go back and check now.

Oh...one more thing. There are more of those logs here: http://awstats.illinois.gov/cgi-bin/data/business/

Have fun parsing!
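
Added example (not code from any poster in this thread or from the AWStats project): Python that parses the visitor records quoted in reply 8 and selects the hosts inside the /24 shown in the WHOIS output in reply 23. It shows what reply 22 describes: a record holds only page, hit and byte counts plus an optional last-visit timestamp, with no list of pages requested. The `BEGIN_VISITOR`/`END_VISITOR` section markers and the function names are assumptions.

```python
import ipaddress
from datetime import datetime

# Three records as quoted in reply 8; the BEGIN_/END_ marker lines are
# assumed section delimiters added so the sample reads like a data file.
SAMPLE = """\
BEGIN_VISITOR 3
24.15.189.9 2 32 106582 20060906173305
63.161.169.66 0 2 3805
24.12.115.177 1 14 87585 20060922235324
END_VISITOR
"""

def parse_visitors(text):
    """Yield one dict per IP-address record in the VISITOR section."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("BEGIN_VISITOR"):
            in_section = True
            continue
        if line.startswith("END_VISITOR"):
            break
        if not in_section or not line or line.startswith("#"):
            continue
        f = line.split()
        try:
            host = ipaddress.ip_address(f[0])
            pages, hits, nbytes = (int(x) for x in f[1:4])
        except ValueError:
            continue  # hostname instead of an address, or a malformed record
        last = None  # the last-visit field is optional in these records
        if len(f) > 4 and len(f[4]) == 14 and f[4].isdigit():
            last = datetime.strptime(f[4], "%Y%m%d%H%M%S")
        yield {"host": host, "pages": pages, "hits": hits,
               "bytes": nbytes, "last_visit": last}

def hosts_in_block(text, cidr):
    """Return the visitor records whose address falls inside cidr."""
    net = ipaddress.ip_network(cidr)
    return [r for r in parse_visitors(text) if r["host"] in net]

if __name__ == "__main__":
    for r in hosts_in_block(SAMPLE, "63.161.169.0/24"):
        print(r["host"], "pages:", r["pages"], "hits:", r["hits"],
              "bytes:", r["bytes"],
              "last visit:", r["last_visit"] or "not recorded")
```
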