Possible clone account: Is it possible to track changes made in a profile?

HecticZA · January 24, 2015, 04:31:21 AM

Good day everyone.

Hope this is the correct section for the post.

My heading does not explain the full story and here follows a long story.

One of my members was unhappy and decided to leave. He did not have permission to delete his account and he requested it to be done, which I did.
He then bad mouth my forum and members on another forum, but a month later requested to be accepted again.
The request was denied.
At that stage he could post as a guest and after his request was denied , he kept on posting. I then placed a partial ban on his IP, email and username.

Shortly after that I changed over to Cloudflare dns servers and all the IPs on the forum changed to a certain address range. Not sure if this played a role ito previously banned members on non-Cloudflare Ip's.

That is basically the background.

Current:

A new account was opened by a user, which I approved.
I now suspect that it was a clone account, as I checked "Profile edits" and found three records.

One made by the member to his username, one made by me when I assigned him to a Team. A full record of before and after changes exits for these two edits.

A 3rd edit was made under the FaceBook section. This indicates that the edit was made by a "Deleted member" and not by the current username.
It unfortunately does not show what the before and after changes were. It only shows a date and time and who made the changes.
I do not have any Admin personal that could made those changes in the member's Profile and whose account was deleted. In fact no Admin members have left.

Is there any way I can check in SMF or in my Control panel (Hosting provider) who the deleted member is, the IP used, based on date & time maybe or the detail that was edit? I think the FaceBook link might have either linked to his FB profile.

I'm on SMF 2.09.

Thank you for reading and any feedback to resolve this.

Bruce the Shark · January 24, 2015, 05:33:12 AM

So your saying you want to track this person down. Am i correct.
I am not sure if its possible to pin point there exact address due to security reason but i am sure here is an feature in smf that hold the ip information or history.
However said please read this topic that i found.
it might explain more about other forms of ip address changing including proxy or mobile device or dynamic ip for entry into a forum
Also there is nothing stopping them from setting up a new email account.
http://www.simplemachines.org/community/index.php?topic=476529.0
also another way is to have a statscounter in your code to monitor ip address activity
but i am sure there is many other ways to do this.
Sorry if i am not to experienced here, if you wait a momnet, a more senior member should be able to assist you out

Dav999 · January 24, 2015, 05:47:33 AM

If you have Cloudflare you can get original visitor IPs back by adding this at the top of your main index.php file (below the "<?php" line):

Code Select

if (isset($_SERVER['HTTP_CF_CONNECTING_IP']))
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

Then when that user logs in again you can see the original IP.

Bob Perry of Web Presence Consulting · January 24, 2015, 05:59:08 AM

Quote from: Dav999 on January 24, 2015, 05:47:33 AM
If you have Cloudflare you can get original visitor IPs back by adding this at the top of your main index.php file (below the "<?php" line):

Code Select Expand
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

Then when that user logs in again you can see the original IP.

Cool, gonna try that out with the 2.1 beta release too, might help me with an issue that is similar in that respect... thank you sir!

Kindred · January 24, 2015, 10:04:03 AM

Of course, that edit only applies going forward and will not change the previously stored records at all...

In other words, no, there is no real way to tell now...

Btw: cloud flare is basically useless for forums...

HecticZA · January 24, 2015, 10:26:49 AM

Quote from: Bruce the Shark on January 24, 2015, 05:33:12 AM
So your saying you want to track this person down. Am i correct.

I want to identify the "Deleted member"
If I look at the time he changed the Facebook info, it coincides with the time that the account was registered.
I have had very few actual members that wanted their account info deleted.
The banned member requested that his account and posts be deleted and I did. He only was banned a couple of months later.
That is why I think this is a clone account.

I'm going to add a pic of the current account. The top entry was changed by the current registered user(possible clone). The second change was made by me. The bottom change was made by the deleted member and it seems that he opened the account as well. Not sure how that happened.

Quote from: Dav999 on January 24, 2015, 05:47:33 AM
If you have Cloudflare you can get original visitor IPs back by adding this at the top of your main index.php file (below the "<?php" line):

Code Select Expand
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

Then when that user logs in again you can see the original IP.

Thank you.
This has been sorted. Not sure how, maybe by my hosting provider as I did query the IP range that I was seeing on the forum.

Bruce the Shark · January 24, 2015, 01:21:07 PM

This wont be an easy task. Once deleted pretty much all is gone.

Unless you got a backup of some sort. You might be able to retrieve it this way.

News:

Possible clone account: Is it possible to track changes made in a profile?

HecticZA

Bruce the Shark

Dav999

Bob Perry of Web Presence Consulting

Kindred

HecticZA

Bruce the Shark