<![CDATA[Gawker: valleywag, drew curtis]]> http://gawker.com/tag/valleywag/drewcurtis

<![CDATA[How I gamed Digg — and laughed all the way to the bank]]> If you make your living publishing content on the Internet, you live and die by the pageview. One way to drive huge amounts of traffic to your site is through "social news" sites like Digg. If I write something interesting, the theory goes, someone may submit my article to Digg. If it gets enough votes, it hits the front page and I suddenly have enough money to buy a new hibachi. The reality: I often submit stories I've written myself, or get friends to do it, and I then harangue coworkers to vote for my story on Digg. Digg has been making it harder to score this way by detecting how "diverse" your voters are. If it's the same old gang Digging your story every time, you get downgraded. But there is one virtually foolproof way to beat the system: throw tons of traffic at your Digg link.

A few weeks ago, we wrote a story about humorous headline aggregator Fark.com. That story was then submitted to Digg. Partially as a joke and partially to see what would happen, Fark.com founder Drew Curtis linked to the Digg post, rather than to the original story.

By sending thousands of his readers to the Digg page, Curtis singlehandedly pushed the story to Digg's homepage. Success! Instant traffic and a new grill for me. So, is there any way Digg can account for this? Not easily. It's difficult to tell "authentic" Diggs from "gamed" Diggs when you have thousands of readers showing up at a page out of the blue. The site could check referring links and discount the votes if a ton of clicks come from one place — but it's not exactly spam. It's almost the same as using Digg's own "shout" mechanism to ask your friends to Digg your link.

I can't wait to hear from all kinds of so-called "social media" consultants about why this strategy won't work for their clients. Here's a question: If they're so smart, why aren't they tight with Drew?

<![CDATA[Fark.com's Drew Curtis on Kentucky's anonymous-comments ban]]> Not many people realize that Drew Curtis of Fark.com lives in low-cost-of-living Kentucky. Fark is headquartered there, and the servers are physically located in Lexington. As such, his might be the website most affected by the "proposal" to ban anonymous Internet comments. Curtis is ticked. Reached for comment at his home on Huevos Rancheros Blvd. in Lexington, Curtis weighed in on state representative Tim Couch, the guy behind the bill. "He is a retard," says Curtis. "He is also a douchebag. And he sucked in the NFL." Nothing anonymous there.

<![CDATA[Fark.com gets Dugg, threatening collapse of space-time continuum]]> Some enterprising young lad submitted Fark.com to Digg — eight days ago. Fark predates Digg by several years. It has elements of social news like Digg, but it's more in the spirit of the Daily Show than Digg's Slashdot-inspired tech obsessions. Submitter "topsyturvy" described it on Digg as "Fark: the not news news — News that doesn't matter. Not even sure if half of it is true, but it's funny." As of this morning, it had only garnered four Diggs. But that's not the saddest thing of all.

We suspect what's bumming Fark founder Drew Curtis out isn't that Fark hasn't made the Digg front page, but that Kevin Rose's site is valued at north of $200,000,000, while Curtis's labor of love merely — gasp — turns a profit. Not meta enough for you? Try this: Digg this story about Fark being Dugg.

<![CDATA[Happy birthday, Drew Curtis!]]> Facebook is great. Not only can you reconnect with old friends and make new ones but you can publicly embarrass them too! Facebook helpfully informed me that today was Fark.com founder Drew Curtis's birthday. Turning 35, he can now be elected president. Glad to know my write-in vote didn't go to waste. Reached for comment at his home in Kentucky, Curtis said, "I'm legit now. Anything I say is believable, and now when I say shit, people will nod knowingly in agreement as opposed to discounting shit because of my age."

<![CDATA[Fark/Valleywag Photoshop contest: the Microsoft-Yahoo takeover]]> We've partnered up with Drew Curtis at Fark to run a photoshop contest:

What are we likely to see as the result of the Microsoft-Yahoo takeover?

Do your best and post it on Fark or email it to us if you want to remain anonymous. We'll post the winners next week. (Photo by AP/Mark Lennihan)

<![CDATA[New Digg algorithm angers the social masses]]> Yesterday, Digg went down for an hour in the middle of the day. Initially we thought it was an unplanned outage, but it turns out that a number of changes were made to the algorithm that controls which stories are "promoted" to the front page. The changes have started a mini-revolt among the top submitters reminiscent of the community uprising over Digg's deletion of HD-DVD unlock codes last year. We talked to several top diggers to find out what changed, why they're upset, and we have our own theory for why the changes were made.

The main change affects "top diggers," the few submitters who contribute a huge percentage of the stories that make the Digg front page. These users, who have all submitted thousands of stories each, submit more than 10 percent of stories that make the front page of Digg. Muhammad Saleem — known as msaleem on Digg — has submitted 1,201 articles that eventually made the front page. He tells Valleywag that prior to the algorithm change, it would take him between 110 and 130 Diggs for a submitted story to make the front page. Now, it can take more than 200.

A top digger submits a story, it gets 100 diggs and then sits there in upcoming queue for 8 to 10 hours getting 180-190 votes and not being promoted to the front page. Other stories with 40 votes (from newbie users) get promoted from under you. Everyone loses. Good content submitted by top users is doomed to fail.
Another top digger, MrBabyMan, is frustrated as well.
It seems a fairly transparent strategy to clean house of the submitters who have been dominating the front page for a while now. Essentially [they] adjusted the diversity factor to skew against popular submitters. Digg-critical stories are frequently buried before they ever reach the front page.
The lack of transparency at Digg has been criticized before. Diggs (votes for a story) are public, but buries (votes against a story) are not. Rumors abound of "bury brigades" which mass bury articles they disagree with — stories about a particular political candidate or written by a particular website, for example. The constantly changing Digg algorithm has never been made public, though guesses have been made as to what it contains.

Our theory? Digg is attempting to throttle the number of stories that make the front page. As more and more stories get promoted to the front page of Digg — FP'd, in Digg-lingo — stories spend less time in the spotlight. By increasing the number of votes it takes for a story to make the front page, turnover should decrease.

I also spoke to Drew Curtis, proprietor of Fark.com, a semi-competitor of Digg's, about the changes.

Fark is a benevolent dictatorship or as I like to call it, a house party. You can come in and have a good time with the rest of us but if you shit on the floors and tell me my sense of decor sucks and the beer is awful, you're gone.

Digg is like Student Government on any given campus. It's a full-blown governmental institution completely ignored by the administrators, created for the appearance of having a say in what's going on. No wonder there is chaos. Or maybe it's more like Soviet Russia, where you're told you've got freedom and a voice and can make a difference, but you really can't do shit.

Digg's trying to do one of two things, either improve the quality of submissions or drive the pageviews up. I would suspect the latter, once VC gets involved it's all about the money.

Digg founder Kevin Rose posted on the Digg Blog about the recent changes:
as we point out in our FAQ, occasionally you will see stories in the upcoming section with 100+ Diggs - this is evidence of our promotion algorithm hard at work. One of the keys to getting a story promoted is diversity in Digging activity. When the algorithm gets the diversity it needs, it will promote a story from the Upcoming section to the home page.
But Kevin, why won't you make these algorithm changes transparent? Why won't you make public who buries the stories? Why do you refuse to acknowledge the existence of moderators manipulating stories behind the scenes? Isn't "social media" about openness and transparency? Fark has never pretended to be open. There is editorial control behind every story that makes it to the front page.

If there continues to be manipulation and big brother-esque control behind the iron curtain of Digg, the users may soon give up and look for social news elsewhere, taking their pageviews with them. It's an open question, however, whether the masses of Digg users share the parochial concerns of top submitters.

I attempted to reach Digg CEO Jay Adelson and founder Kevin Rose via email. Rose was in a meeting at the time, and has not gotten back to me yet.

<![CDATA[Fark applies for "Not Safe For Work" trademark]]> Fark.com LLC, Drew Curtis' company which operates the zany headlines site, has applied for a trademark on "not safe for work" with the U.S. Patent and Trademark Office. Given how long "NSFW" has been around, we suspect it might be difficult getting the mark granted, never mind how Fark founder Drew Curtis proposes to enforce it. We suspect it might be part of a prank, but who knows? Only Drew. Maybe if we send him a beer, he'll spill the beans.

<![CDATA[The name is "Fark," have you farking heard of it?]]> Gadget reviewer David Pogue of the New York Times has run so short of ideas that he's recycling a decade-old idea: Criticizing the absurdity of today's Web 2.0 domain names. But in rehashing what everyone else already knew, Pogue reveals just how far behind he is. "These are all actual Web sites that have hit the Web in the last year or so: Doostang. Wufoo. Bliin. Thoof. Bebo. Meebo. Meemo. Kudit. Raketu. Etelos. Iyogi. Oyogi. Qoop. Fark. Kijiji. Zixxo. Zoogmo." Fark? Last year or so? Drew Curtis's Fark.com as a collection of interesting headlines has been around since at least 1999.

Pogue, holed up in Connecticut, proves as out of touch as those wraparound-sunglassed hipsters who never seem to leave SoMa. The cheeky news site — based in Lexington, Kentucky, not San Francisco — has had its own Jeopardy category and is featured annually in Reader's Digest. The popular site's name was originally meaningless nonsense, sure, but it has come to mean the "crap," as Curtis puts it in his new book, that fills so much of the mass media.

By including Fark in a list that could otherwise go on without end, Pogue reveals how little he knows about Internet culture. Or maybe he's just hoping to attract some traffic from enraged Farkers. Too bad Fark users' informal rules forbid links to the New York Times.

Update: After multiple readers commented on the inclusion of Fark in the list, Pogue has conceded his error.

<![CDATA[Why Drew Curtis is such a lucky Farker]]> Here's the thing about Drew Curtis, the hilarious, gregarious founder of Fark.com: He's supremely down to earth — but his life is out of this world. Very special correspondent Paul Boutin and I had dinner with him Tuesday night at a Peruvian restaurant. Boutin launched into one of his mile-a-minute anecdotes about something P.J. O'Rourke wrote. Curtis listened politely, then said, "Yeah, I went out for drinks with O'Rourke the other week." He actually slowed Boutin down for a second. Fark has gotten so big that Maxim now handles its ad sales. Yet Curtis still goes town to town meeting Fark fans and contributors. After dinner, I hung out at Cafe Murano with Curtis and a bunch of other Farkers, including one with the login "catbutt."



Here's more on the secret of Fark's success.

Like Slashdot, Fark is based far from Silicon Valley or another tech mecca. Its Kentucky base keeps Curtis in touch with his mainstream-America roots. A Fark Jeopardy category? "Fail," whine Uncov's dozen readers. Excerpts in Reader's Digest? "My grandmother reads that," sneers the Pownce set. Fox News producers troll his site for story ideas — blue-staters tell themselves no one's watching. Well, no one who matters. Ok, make that no one cool in downtown San Francisco — that only leaves the rest of America.

Fark's accessibility may be the key to longevity. Show Digg to any friend outside Northern California or high tech, and you'll have to explain the headlines. Fark's pithy summaries go into Reader's Digest and onto Jeopardy without an edit. Curtis's new book, It's Not News, It's Fark.com, has sold 35,000 copies. Gawker's much hipper hardcover? 242 copies. Score one for flyover country.

<![CDATA[Farking events]]> Tonight, meet and greet and meet and greet. Startup networking, the future of music, and some guy from Kentucky will all be out in today's Valleywag Calendar.

  • Startup mixer Stirr is back for a "Founder's Hacks" event. Ev Williams from Blogger and Twitter, Jangl and Ooma founder Michael Cerda, and Friendster and Socializr founder Jonathan Abrams will be on hand to share tricks they've learned in their entrepreneurial endeavors. 6 p.m. at Mighty in Potrero Hill. [Eventbrite]
  • There's a "Media Web Meetup" on the topic of music copyright and creative commons and what the future of digital music is going to look like. Fun topic! But it starts at 1 p.m. in SoMa, so it's not for people with real jobs or something. If you work at Yahoo Brickhouse, however, feel free to go. [Upcoming]
  • Fark founder Drew Curtis, the washed-up male figure skater pictured above, will be at Cafe Murano on Steiner Street for a Fark meetup tonight at 9 p.m. Expect beer. [Google Groups]
<![CDATA[Fark headlines hit "Jeopardy"]]>
Digg? Way too geeky. Reddit? Haventheardofit. No, the first social-news site that middle America has now heard of is Fark.com. Drew Curtis's rowdy, raunchy discussion board made it onto Jeopardy. In the clip above, host Alex Trebek asks contestants for questions based on answers drawn directly from real headlines featured on Fark. Granted, these were a bit more sanitized than the typical Fark fare — but still, it's invaluable exposure for the oft-neglected site.

<![CDATA[How much is Digg worth?]]> [Chart: Compete.com chart on Digg's traffic growth] "I would like to deny that Fark will be sold for $750 million. I cannot confirm talks at this time. I also cannot confirm that Jason Calacanis has sex with sheep." That's what Drew Curtis, the acid-tongued, whip-smart founder of Fark, a social-news site which competes with Digg, emailed me after reading our rumor of the impending sale of his rival for $300 million. Curtis is obviously dismissive of the mooted Digg valuation. And I've heard lots of scoffing on that number — both ways. It tends to fall in an obvious pattern: East Coasters think $300 million is way too high, and West Coasters think it's way too low. Compete's Jay Meattle crunches the numbers and finds arguments for both sides.

Digg's user base is two-thirds the size of Facebook's, which just garnered an investment from Microsoft valuing the company at $15 billion. On the other hand, Digg's users are much less active on the site. Advertisers are ultimately buying users' attention, and whether measured by pageviews or time spent on the site, Digg falls short. Still, with an audience that has grown sevenfold in a year, and investors desperately looking for a home for their cash, Digg surely will be sold based on a buyer's future hopes, not present reality.

<![CDATA[It seems that the mainstream media is too...]]> It seems that the mainstream media is too busy writing about shark attacks and traffic patterns to review the media-zinger from Fark.com founder Drew Curtis, It's Not News, It's Fark. Luckily, Slate steps up and tells it like it is. Four months late. [Slate]

<![CDATA[Fark vs. Fox: here come the lawyers]]> [Photo: Darrell Phillips] Valleywag first reported the allegations last month, and now lawyers for news aggregation site Fark.com have made it official. This week, a lawsuit was filed in a Lexington, Kentucky courthouse alleging that a Kentucky-based Fox News reporter attempted to hack into Fark's servers. The one surprise — the defendants are named as "John Does 1-10," instead of an individual person. But that doesn't mean that the main suspect, Fox News reporter Darrell Phillips (pictured above right, after the jump), is off the hook. "We needed to be able to file subpoenas to get the final information from his net service providers," Fark.com founder Drew Curtis (pictured above left) IM'ed earlier today. Have more information on this developing story? Let us know.

<![CDATA[Fark.com founder tells how to distinguish news from crap]]>
If you've ever wondered what life is like as a new media mogul, watch this interview with Fark.com founder Drew Curtis. In addition to running the essential news aggregator and catching a Fox TV reporter in an apparent attempt to hack his site, Curtis is also the author of It's Not News it's Fark, the closest thing we have to a textbook on how the media works in the Internet age. The interview embedded above is a few weeks old, but it's informative, funny, and a good way to spy on the backyard of someone whose site is a daily read for newsmakers and journalists. He even keeps his pants on!

<![CDATA[Fark legal net tightens on Fox-linked hacker]]> [Photo: Darrell Phillips] Richard Thompson, a blogger who tracks the Memphis, Tenn. news scene at Mediaverse Memphis, has done a follow-up interview with Drew Curtis, the founder of Fark.com. Last week, Curtis, left, fingered Darrell Phillips, to his right, a new media manager at News Corp.-owned TV station WHBQ Fox13, as an all-but-certain suspect behind attempts to hack into the site. He based his accusation on an all-but-conclusive trail of electronic evidence. Thompson, at first skeptical of the accusation, seems to be giving it more credence, as Curtis confirmed that Fark has plans underway to seek legal action. After the jump, the latest revelations.

Thompson: What's the possibility that Fark could be wrong? And if that happens, what can be done to redress Phillips' damaged reputation? Curtis: Our chances of being wrong are close to nil. Even with the information we currently have we're standing at 99.9%. Our data indicates that only one individual was using the dphillips Fark account for the entire time it's been in existence. That individual worked at Fox, used a Verizon Wireless card, and a Comcast cable modem account in the Memphis area.

It's either Phillips or he's been completely owned by someone else, who coincidentally has access to all of his websites, email accounts, PayPal information, work and home computers. That's a huge stretch.

It's important to note that Fox is not currently a target of Curtis's legal action. "We don't believe at this time that Fox13 had anything to do with this," Curtis tells Thompson. Curtis's lawyers are preparing requests for subpoenas, expected to be filed next week, to get information from Internet service providers in hopes that that data will link, conclusively, the hacker's access attempts to accounts owned by Phillips.

Given that, it's odd that the Fox station has made no comment in this matter. Odd, especially, because according to Thompson, the station had promised a statement earlier this week, but none has materialized. At this point, some might say that Fox's silence is beginning to speak volumes.

<![CDATA[How a Fox-linked hacker failed to fool Fark]]> [Photo: Darrell Phillips] Last week, Drew Curtis, left, the founder of Fark.com, the outrageous social-news website, accused Darrell Phillips, to his right, an employee at a News Corp.-owned Fox TV station in Memphis, Tenn., of attempting to hack into Fark.

Curtis told Valleywag that electronic evidence pointed nearly conclusively to Phillips and that he was pursuing legal action to obtain records and eliminate any doubt. Since then, Phillips and Fox have not commented publicly on the incident. Many observers have expressed disbelief, or suspected satire, given Fark users' reputation for sarcasm and tomfoolery. But Curtis, in sharing the incident, was deadly serious. Curtis today told me he plans to "file a civil claim in federal court to get subpoenas sent." Equally serious is the evidence he's assembled. After the jump, I'm sharing the timeline Curtis's team put together, as well as some other observations tipsters have shared.


In Mediaverse Memphis, a local news blog, a commenter left the following comment to a follow-up story on Valleywag's exclusive:

Has Darrell ever asked you to open a suspicious email attachment?

I hope you thought twice about it.

I think a lot of people who Darrell has screwed in the past are going to enjoy this.

As with any Internet comment, it's impossible to know the validity of the observation, but it's interesting to note that someone bothered to take the time to allege that Phillips has a history of sending "suspicious email attachments" — a common way of delivering "trojans," or software that contains malicious code. And a former employee at WHBQ, the station where Phillips works, believes Phillips was behind the hack, writing:
The investigative news team at WHBQ was usually very well intentioned and thorough. I am sure the actions are those of Phillips and whatever idiots he thought could help him pull off a hacking scheme. This is in the Memphis market. Not exactly reaching out to the best and brightest with the most upstanding journalistic integrity. Phillips was hoping to make a name and move to a larger market.
That, of course, is just speculation. Here are the hard facts, in the form of a detailed log below, prepared by Fark employees, of the attempted break-ins.

One caveat: It's possible, of course, that Phillips's machine was compromised by an outside hacker. But is Fox's corporate network that insecure? And would a hacker, having access to a machine inside the Fox network, and control of Phillips's PayPal account, merely use them to implicate Phillips, rather than conducting larger mischief? I'll let you be the judge, after you review the evidence. (Note: I've redacted staff email addresses and logins, as well as full IP addresses, to avoid giving amateur hackers obvious targets.)

Subject: early August 2007 hack/trojan summary

——- Short version of what's happened:

On August 8, several Fark staff received suspicious email encouraging us to visit a particular website. Through August 12, more similar emails continued to arrive for other Fark volunteer staff, most pretending to be *from* other staff. Three websites were given in these emails, and the sites all contained links to two different trojan horse programs (effectively viruses that don't replicate themselves). If the trojan .EXE files were downloaded and run, the computer would be infected.

The emails all came from a computer in Australia (or in three cases, from Gmail.com). An infected computer would try to communicate with a computer in Tennessee. Antivirus programs did not always find the infection, but researching the behavior suggested they were modified versions of existing trojans, whose purpose was to steal passwords and send them to the Tennessee computer.

Searching Fark's logs for both computers' IP addresses returned no matches on the Australia computer, but revealed many matches for the Tennessee computer. The latter showed multiple attempts to break into Fark accounts belonging to both staff and end-users, and in the latter case was successful once.

They also used other existing accounts, at least two of which might belong to the actual owner of the Tennessee computer. Following logs to find activity on those accounts from other IP addresses, we found identical break-in attempts from elsewhere. Based on their attack patterns, we strongly suspect a Fark staff's Gmail.com account was also broken into.

Based on the other non-malicious behavior of those accounts, including the legit purchase of a Totalfark subscription, we believe our guy is in Memphis, Tennessee, and is probably a Fox13 television journalist named Darrell Phillips; however it's all circumstantial evidence without subpoenaing records from the ISP's owning all the IP addresses, and trojan-hosting websites, in question.


——- Longer version of what happened:

Between August 8 and 12, Fark staff received some suspicious emails trying to get us to visit these three websites:

http://clipsmoke.com/diggtracker.html
http://h1.ripway.com/jumpstart/videomailer-3225.html
http://tinyurl.com/37prcs

so really there are two webhosting companies involved.

Each site contained a link to download an .EXE file, though it pretended to be something else. Three different .EXE files, all of which turned out to be trojan horse programs (though only two distinct programs; #3 was the same as #2). If run, the computer would be infected.

The emails were sent from a computer hosted in or near Melbourne, Australia (or in three cases, from gmail.com), but most of the emails were forged so they'd appear to be from other Fark staff or friends or relatives of Fark staff.

Infected computers would attempt to send data to computers named "fromage.no-ip.info" and "salad5.no-ip.info". In the August 8 to 12 timeframe, those names were aliases for "c-XX-XX-XX-105.hsd1.tn.comcast.net" which is likely a Comcast cable modem customer in Tennessee.

Numerous attempts to hack Fark accounts were found in the same time frame from that same Comcast address. No malicious activity was found from the Australia address, other than the forged emails. This is why the Comcast subpoena is at the top of the list.

I'm not sure any of our staff actually got their computers infected. At the present time, neither no-ip.info host works any more — meaning the trojan doesn't really work any more either.

Anyway... The first site (clipsmoke) had a link to a "diggtracker.exe" tool, which was the trojan. There was also a signup form to create an account that would allegedly give you stats on digg.com and notify of new stories or something, according to the emails we got about it. One staffer filled this form out, and a few hours later got a "thanks for signing up" email — from the same Australian IP address. I think the purpose of the form was really to steal emails and passwords rather than provide any real service.

The ripway site emails said that the site had a funny video on it. If you went there, there was a fake Flash movie (meaning the movie file was too small to contain actual video), and a link below it saying "click to download movie plugin". This link went to http://h1.ripway.com/jumpstart/jumpplayer.exe which was the first trojan.

The tinyurl site just redirects immediately to http://h1.ripway.com/jumpstart/boypics(compressed).exe — a direct link to the second trojan back on the ripway site.

All of these sites no longer work. I saved a copy of the ripway site before it was removed. Meg got a partial copy of the clipsmoke site.

While all this was going on, the computer at the Tennessee Comcast address was trying to hack into Fark accounts. Other accounts were in use by that same address, possibly the real account of the computer's owner, and we followed the logs of other computers used by that account to find other computers, and the logs from those computer IP's showed strikingly similar breakin attempt patterns. They also used the probably-legit account to submit a lot of links to news websites in Memphis.

I am still collecting three or four sets of different logs together into one cohesive set. Until then, here is a summary and event timeline of all of them:

Notes:
"clipsmoke/diggtracker" means an email trying to get us to click http://clipsmoke.com/diggtracker.html
"ripway" means an email trying to get us to click http://h1.ripway.com/jumpstart/videomailer-3225.html
"tinyurl" means an email with http://tinyurl.com/37prcs
    This site simply redirects to http://h1.ripway.com/jumpstart/boypics(compressed).exe

Source IP notes:

XX.XX.XX.247 is the Australian source of the phishing emails
XX.XX.XX.105 is Comcast Tennessee, destination of the trojan output and source of most of the Fark password hack attempts.
XX.XX.XX.225 is an IP that seems to encompass multiple Fox TV sites nationally — probably a corporate-wide proxy server. Many many users coming from there submitting links to sites like myfoxdc, myfoxatlanta, etc.
XX.XX.XX.172 is Verizon Wireless
XX.XX.XX.2xx is an anonymizing service at upsideout.com

I suspect the Comcast address is his home, Fox TV is his work, and upsideout was him trying to hide his real source IP.

DATE/TIME      SOURCE IP       EVENT
-----------    ------------    ------------------------------
Aug 8 22:32 XX.XX.XX.247 Email from "Cindy Dolan" gmail account to [REDACTED]@fark.com advertising the ripway site. [REDACTED]@fark.com also got one of these, and probably [REDACTED]@fark.com too. Source IP is in Australia. Cindy Dolan likely doesn't exist.

Aug 9 14:26 (gmail.com) Email from "Laurie Dobbins" gmail account to [REDACTED]@fark.com advertising the clipsmoke.com/diggtracker.html site. This one comes direct from gmail.com, not Australia. Laurie Dobbins is probably also a fake name. They claim to be a journalist, which is interesting given what comes next...

Aug 9 19:04 66.193.225.40 The computer logged into Fark account "jsp2000" logs into "dphillips" account. This IP belongs to foxtv.com; it appears to be a corporate proxy used by Fox TV stations across the country, so many accounts are seen coming from this IP address, mostly submitting links to whoever their local Fox TV affiliate site is.

Aug 10 11:25 XX.XX.XX.225 Fark account "dphillips" submits a link to a Memphis media site.

Aug 10 12:11 (gmail.com) Another email from "Laurie Dobbins" gmail account, this one to [REDACTED]@fark.com, again advertising the clipsmoke.com/diggtracker.html site.

Aug 10 13:?? (approx) One of us fills out the signup form on the diggtracker site.

Aug 10 14:31 (approx) Meg asks on our Fark moderator email mailing list if anyone knows anything about diggtracker

Aug 10 ??:?? The one that filled the signup form out thinks their gmail account was broken into between 13:00 and 18:24; we're still investigating this possibility

Aug 10 17:31 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "You signed up for diggtracker". Note source IP is the same Australia one.

Aug 10 18:24 XX.XX.XX.247 Forged email from [REDACTED]@hotmail.com to [REDACTED]@[REDACTED] advertising the ripway site. Source is Australia again. The two addresses are Drew's sister and wife; they might have obtained them from the compromised gmail account (we're still investigating that possibility). Fark's spam filter blocks this message.

Aug 11 00:00 XX.XX.XX.105 Someone started poking around Fark's webmail setup. They tried to log into some email accounts, but failed because our webmail doesn't actually work at all due to a configuration mistake on my part. Source IP is Comcast in Tennessee, using IE6 on Windows XP.

Aug 11 00:35 XX.XX.XX.105 Five failed attempts to log into Fark as users '[REDACTED]' and '[REDACTED]'. (The latter doesn't exist)

Aug 11 00:37 XX.XX.XX.105 View the Fark user profiles for '[REDACTED]' (not there) and [REDACTED] profile. They have suddenly switched to using Firefox, but still Windows XP.

Aug 11 00:54 XX.XX.XX.105 Logs into Fark as "[REDACTED]", getting the password right immediately. This name/password may have come from the maybe-compromised gmail also. Tries to log into TotalFark right after that as [REDACTED], but fails because [REDACTED] isn't a TotalFark subscriber.

Aug 11 00:54 XX.XX.XX.105 Viewed [REDACTED]'s user profile.

Aug 11 01:59 XX.XX.XX.105 Tried to use the Fark Moderator version of the user profile viewer to look at user "[REDACTED]" (Fark's contract web designer); attempts to use [REDACTED]'s moderator account to get in, but can't get the password right.

Aug 11 06:19 ? Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising ripway site. Source unknown, but probably Australia. These are both Fark moderators. Interestingly, they misspell "[REDACTED]", which tips off the recipient that something's not right.

Aug 11 08:49 XX.XX.XX.105 Tries again to use the Fark Moderator version of the profile viewer to look at [REDACTED]'s profile, which again asks for a moderator account first: he again tries "[REDACTED]" 5 times, "[REDACTED]@fark.com" 4 times, "[REDACTED]" 2 times (note [REDACTED] is not actually a moderator), "[REDACTED]" 5 times, "[REDACTED]" again 3 times. This all lasts til 09:31. All unsuccessful. First 5 tries were IE6, then switches to Firefox.

Aug 11 09:20 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com re ripway site; note continued misspelling of "[REDACTED]". [REDACTED] is an older address of another Fark moderator.

Aug 11 11:42 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising the site http://tinyurl.com/37prcs — which is really just a redirect to ripway. Yet another misspelling; it should have been [REDACTED].

Aug 11 16:49 XX.XX.XX.105 Attempt to view Fark user profile "[REDACTED]". It doesn't exist, but [REDACTED]'s dad has a similarly named account that he doesn't find...

Aug 11 22:41 XX.XX.XX.105 Attempt to view Fark user profile "DanAndJenn". That account is a spammer that we banned, possibly from Dallas. Friend? Accomplice? We don't know so I won't speculate further. Curiously, while the IP address is the same, he's now using IE7 from a Windows Vista computer. I suspect the Vista machine is his home desktop computer, and the XP machine is a laptop; you'll see why shortly...

Aug 11 22:43 XX.XX.XX.105 Tried once to log into the Fark profile viewer as Meg with a blank password

Aug 12 0?:?? The owner of the possibly-compromised gmail account changes the password after getting suspicious about all this.

Aug 12 12:16 XX.XX.XX.105 Logs out of the [REDACTED] account and into the dphillips account, and submits a link to a Memphis news site

Aug 12 16:48 XX.XX.XX.105 Logs out and then logs into account "lafollette.will". This one has the same password as "dphillips".

Aug 12 17:18 XX.XX.XX.105 Tried logging into Totalfark as [REDACTED] and [REDACTED] again, and fails. Logs out of lafollette.will, then logs into Fark as [REDACTED] successfully.

Aug 12 17:24 XX.XX.XX.247 Forged email from [REDACTED]@bitO.com to [REDACTED]@fark.com with tinyurl URL. Yet another misspelling: [REDACTED]@[REDACTED]0.com (that's [REDACTED]-zero) is me, but they used [REDACTED]O (that's [REDACTED]-capital-letter-O). They did get around their inability to spell [REDACTED]@gmail.com by using [REDACTED]@fark.com this time — they're the same person, a Fark moderator.

Aug 13 14:35 XX.XX.XX.172 Next day. Jumps to Verizon Wireless and views the "dphillips" Fark profile. This is IE6 on Windows XP again; use of Verizon Wireless strongly suggests (but doesn't prove) that they're using a laptop.

Aug 13 14:36 XX.XX.XX.172 Switches to Firefox, and goes to profile viewer; the session cookie indicates that [REDACTED] had previously been logged into that computer. This and the viewing of "dphillips" implies that this Verizon Wireless IP is the same computer that was at Comcast IP XX.XX.XX.105 yesterday.

Aug 13 14:38 (Paypal) Less than 2 mins later, logs in as dphillips and buys a $5 Totalfark subscription for himself. In the transaction, Paypal gives us his name as Darrell Phillips and an email of [REDACTED]@dnphillips.com. (He also had darrell.phillips@[REDACTED] on his Fark account.)

Aug 13 14:44 XX.XX.XX.172 Still using Firefox, goes to Fark's headline search tool.

Aug 13 15:12 XX.XX.XX.225 30 minutes after that, they're on a foxtv.com address, logged in as dphillips.

Aug 13 15:39 XX.XX.XX.225 Does headline search again (for "animation")

Aug 13 16:10 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "your Diggtracker account is inactive, please log in to reactivate it" email from Australia.

Aug 13 16:50 XX.XX.XX.225 dphillips submits a link to Fark

Aug 13 17:08 XX.XX.XX.225 dphillips submits a link to Fark

Aug 13 17:40 XX.XX.XX.22x While logged in as dphillips, tries to log into Fark 'motherh' using his own password, then two totally different passwords, and fails. In between attempts, he tries logging out of his own account, presumably thinking it would help (but it doesn't). New source IPs for this session, all starting with XX.XX.XX. and ending in .223 .232 .236 .219 — these IPs all belong to the "upsideout.com" anonymizing service. (Hosted in Houston by ev1.net who hosts a lot of popular anonymizing services.) Presumably trying to cover his tracks now, but not doing a very good job of it...

Aug 13 17:47 XX.XX.XX.225 A "forgot my password" request comes into Farkback from user "motherh".

Aug 13 17:48 XX.XX.XX.225 Views motherh profile — we're back on foxtv.com's network now, using IE6 / XP.

Aug 13 17:48 XX.XX.XX.225 View TotalFark page using "dphillips" Totalfark account.

Aug 13 17:53 XX.XX.XX.235 Tries to submit a link as "motherh" but can't get password right — back on the anonymizing service 6 minutes after the previous hit.

Aug 13 18:13 XX.XX.XX.213 Another "forgot my password" request from 'motherh' except they were logged into Fark as "lafollette.will" when they sent it. Oops.

Aug 13 18:16 XX.XX.XX.218 Logs in as lafollette.will to submit link

Aug 13 19:04 XX.XX.XX.225 Back to foxtv network, a computer that was logged in as "jsp2000" logs in as "dphillips"

Aug 13 21:37 XX.XX.XX.105 Back to Comcast IP 2.5 hours later: Logs out of [REDACTED] and into lafollette.will

Aug 13 21:38 XX.XX.XX.105 Looks at [REDACTED] profile. They're using IE7 on Windows Vista now.

Aug 13 21:39 XX.XX.XX.105 Hits logout button.

Aug 13 22:03 (gmail.com) Forged email from [REDACTED]@fark.com to multiple recipients — the To: line says [REDACTED]@gmail.com but [REDACTED]@gmail.com and maybe others get copies; all giving the tinyurl site URL again. Unlike the last tinyurl email, this comes straight from gmail and not Australia.

Aug 13 22:51 XX.XX.XX.105 Logs out of lafollette.will and into dphillips

Aug 13 23:08 XX.XX.XX.105 Submits link to Fark as dphillips

Aug 14 00:43 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "there's a lot of login failures on your digg/farktracker account, you should sign in to check it". I think this is the first time it mentions "farktracker"; all previous ones had been diggtracker.

Aug 14 01:25 XX.XX.XX.210 Logs in as dphillips (using anonymizer)

Aug 14 03:00 ([Fark employee]) I lock the Fark accounts dphillips, dhphillips, lafollette.will, and change [REDACTED]'s password; I block inbound emails to Fark from Australian IP XX.XX.XX.247

Aug 14 04:00 ([Fark employee]) I discovered clipsmoke/diggtracker site had been shut down by its owner.

Aug 14 04:00 ([Fark employee]) I saved a copy of the ripway site in case it disappears later (which it does).

Aug 14 04:00 ([Fark employee]) Emailed abuse@ripway.com and abuse@no-ip.info asking sites and domains be shut off.

Aug 14 08:36 XX.XX.XX.105 Attempts logins to dphillips, lafollette.will, [REDACTED], dphillips in that order, multiple times until 09:13, all from Comcast IP

Aug 14 08:36 XX.XX.XX.105 Views dphillips profile (using Firefox / XP)

Aug 14 08:37 XX.XX.XX.105 Tries to get into his user profile

Aug 14 09:53 XX.XX.XX.225 Attempts login to dphillips, dnphillips several times

Aug 14 10:01 XX.XX.XX.225 dphillips sends Farkback saying "I forgot my password"

Aug 14 11:00 ([REDACTED]) Discovered ripway-hosted site had been shut down due to TOS violation.

Aug 14 11:33 XX.XX.XX.225 Views dphillips profile from FoxTV network (IE6/XP)

Aug 14 11:33 XX.XX.XX.225 Attempts login to dphillips

Aug 14 12:05 XX.XX.XX.225 dphillips sends Farkback saying "I think I was banned..."

Aug 14 12:23 XX.XX.XX.225 Attempts login to dphillips

Aug 14 17:39 75.203.255.69 Attempts login to motherh

Aug 14 18:23 XX.XX.XX.225 Attempts login to dphillips

Aug 14 21:35 ([REDACTED]) Discovered both no-ip.info names now resolve to 0.0.0.0, rendering the trojan ineffective

Aug 15 15:03 ([REDACTED]) Discovered ports 2000 and 2002 don't respond on XX.XX.XX.105 anymore; these were the ports the trojan attempted to connect to.

At least one other moderator got one of the suspicious emails but deleted it before they could forward it to me.

Around the same time [the dphillips account] started trying to get the 'motherh' account, he started using the anonymizer. Maybe he suspected we were on to him by then and wanted to try to cover his tracks.

Analysis of the trojans:

Two distinct trojan .EXE files were placed on the ripway and clipsmoke sites.

I deliberately infected a sacrificial system of mine that was disconnected from the Internet and had no useful data on it, and monitored what it was attempting to do with the network using a packet sniffer.

First, they both create a set of keys in the Windows Registry, presumably so they know not to run multiple copies of themselves.

They attempt to look up the IP address of a hostname: one uses "fromage.no-ip.info" and the other "salad5.no-ip.info". Between August 8 and 12, both names resolved to the Comcast IP XX.XX.XX.105. Since my scratch machine didn't have Internet access, I had Windows lie to the trojan and tell it the names resolved to something fake so that it could continue to the next step...

From there, they tried to connect to port 2000 (on fromage) and 2002 (on salad5). If I set up a fake server on the same machine, it transmitted what looked like garbage (probably encrypted) to the (fake) server.

Researching the registry keys created indicates that these are variants of a trojan known in antivirus circles as "Bifrose", which is known to log keystrokes in order to steal passwords. I tried two antivirus programs and neither one recognized either trojan, though. I submitted both to the ClamAV antivirus people, and their next night's software update now detects one of them. It might detect both by the time you read this.
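
The timeline above ties the Comcast, Verizon Wireless and anonymizer addresses together through session cookies and reused accounts, while treating the Fox TV address as a proxy shared by many unrelated users. The following Python is an added example, not part of the Fark report or Fark's tooling, that performs the same correlation over constructed log events; the event fields, account names, documentation-range IPs and the shared-IP threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the Fark logs): (time, ip, cookie, account, ok)
# IPs are from documentation ranges; cookie is the browser's session-cookie ID.
EVENTS = [
    ("08-11 00:35", "192.0.2.105", "c1", "mod_a", False),
    ("08-11 00:54", "192.0.2.105", "c1", "staff_b", True),
    ("08-12 12:16", "192.0.2.105", "c1", "user_p", True),
    ("08-12 16:48", "192.0.2.105", "c2", "user_w", True),
    ("08-13 14:38", "198.51.100.172", "c1", "user_p", True),  # same cookie, new network
    ("08-13 15:12", "203.0.113.225", "c3", "user_p", True),   # shared corporate proxy
    ("08-13 15:20", "203.0.113.225", "c4", "tv_atl", True),
    ("08-13 15:25", "203.0.113.225", "c5", "tv_dc", True),
    ("08-13 15:30", "203.0.113.225", "c6", "tv_nyc", True),
    ("08-13 17:40", "203.0.113.223", "c3", "user_m", False),  # anonymizer exit
]
SHARED_IP_MIN_COOKIES = 4  # assumption: this many browsers behind one IP means proxy/NAT


def find(parent, x):
    """Union-find lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x


def union(parent, a, b):
    parent[find(parent, a)] = find(parent, b)


def correlate(events):
    """Cluster accounts, cookies and IPs used by one actor; list their failed targets."""
    cookies_per_ip = defaultdict(set)
    for _, ip, cookie, _, _ in events:
        cookies_per_ip[ip].add(cookie)
    shared = {ip for ip, c in cookies_per_ip.items() if len(c) >= SHARED_IP_MIN_COOKIES}

    parent = {}
    for _, ip, cookie, account, ok in events:
        if ip not in shared:   # a proxy IP must not merge unrelated users
            union(parent, "cookie:" + cookie, "ip:" + ip)
        if ok:                 # only a successful login ties a cookie to an account
            union(parent, "cookie:" + cookie, "acct:" + account)

    clusters = defaultdict(lambda: {"members": set(), "failed_targets": set()})
    for node in list(parent):
        clusters[find(parent, node)]["members"].add(node)
    for _, _, cookie, account, ok in events:
        if not ok:             # failed logins show which accounts the actor went after
            clusters[find(parent, "cookie:" + cookie)]["failed_targets"].add(account)
    return list(clusters.values()), shared


if __name__ == "__main__":
    for c in correlate(EVENTS)[0]:
        print(sorted(c["members"]), "failed:", sorted(c["failed_targets"]))
```

An account in a cluster is one the actor authenticated to, whether they own it or took it over; a non-shared IP that is really a household or small-office NAT can still over-merge, so clusters are leads to confirm, as the report does with the PayPal transaction.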

]]>
<![CDATA[Fark founder accuses Fox newsman of hacking]]> Local TV reporters are infamous for practicing "ambush" journalism — but as they try to take their gotcha practices to the Web, increasingly they're the ones ambushed. The first rule of hacking, after all, is "Don't get caught." And Fox newsman Darrell Phillips may have broken that rule, Drew Curtis has told Valleywag. Curtis, left, is the founder of Fark.com, a thoroughly juvenile, and entertaining, social news site where users pick the headlines. Phillips, to his right, is the new media manager at WHBQ Fox13, a News Corp.-owned TV station in Memphis, Tenn. And Curtis claims to have assembled all-but-conclusive electronic evidence that Phillips has tried to hack into Fark's servers, potentially breaking several laws.

Curtis believes that Phillips, or someone working with Phillips, sent him and several other Fark employees deceptive emails in an attempt to get them to download a trojan, a form of computer virus. The Trojan was designed to capture their passwords and give the author access to Fark's servers. In one case, it succeeded, giving a hacker passwords to a file server and one Fark employee's email account; he tried, but failed, to break into Fark's Web servers and email. Unfortunately for the hacker, Fark was able to trace his attempts to break into their system back to a machine in Memphis connected to a Comcast high-speed Internet connection.

At the same time, Phillips, already a Fark member, logged into several other user accounts on Fark — either ones he'd created or ones to which he'd somehow gotten access. Phillips also purchased, using PayPal, a paid subscription to TotalFark, a premium Fark service. The accounts all used the same IP addresses as the hacker. Busted. Curtis says he's "99 percent sure" it's Phillips — and is now attempting to pursue legal action, seeking detailed data from Comcast, to remove his doubts.

What does this mean? Curtis is unsure of Phillips's potential motives — assuming Phillips is, indeed, the hacker. Phillips may have had accomplices, after all — or his own accounts may have been compromised, which would be embarrassing enough for the reporter, who's apparently somewhat Internet-savvy.

But consider this: Phillips's station has launched a news aggregator, OnMemphis.com. The hacker appears to have been hunting for source code and trying to log into Fark's Web-based moderation tools. A look at either would be helpful to someone designing a social-news website.

Phillips might claim he was researching a story on the security of social news sites. If so, the fact that Fark employees so readily detected the intrusion and shut it down doesn't leave him with much of a tale to tell. But certainly, for a newsman, this would at least be a plausible cover story.

And one last motivation that should be mentioned, in the service of conspiracy theorists everywhere: Could Phillips have been working on behalf of higher-ups at News Corp.? It's a well-established fact that Fox News producers are fans of the thoroughly puerile headlines featured on Fark — so much so that a newspaper reporter caught one red-handed using the site as a source for story ideas. That episode, in turn, got some News Corp. executives interested in Fark, for whom the site might be a logical acquisition. If so, the assault on Fark's servers could, just possibly, be a spectacularly hamhanded form of due diligence. It's unlikely veering on unbelievable, but when we're talking about someone who works for Rupert Murdoch, it would be foolish to rule it out altogether.

]]>
<![CDATA[Paper outs Fox producers as Fark fans]]> Fark, the insanely popular social-news site, with equally insane headlines, is an excellent source of ideas for lazy TV-news producers. So excellent, in fact, that an Indiana newspaper busted Fox News for picking up the story of a lurid homicide from a Fark link to the site. It also, jokingly, speculated that Fark would be Fox owner News Corp.'s next takeover target. On a lark, the site's founder, Drew Curtis, ran a Photoshop contest asking users to imagine what a Rupert Murdoch-owned Fark would look like. But it clearly struck a chord — and no surprise, since Fark's users and Murdoch's newsmen share the same mentality when it comes to headlines. Would the tabloid-like megablog really be such a bad fit within News Corp.'s growing Internet empire? (Illustration by bengieboy)

]]>
<![CDATA[Rejected Business 2.0 cover: It took us a day to get the cocaine just right]]> The Business 2.0 September cover, picturing Fark.com owner Drew Curtis surrounded by falling cash, was cute, but it just lacked oomph. So Gawker Media designer Jennifer Thorpe punched it up a bit, adding TechCrunch blogger Michael Arrington in the process.

We think this more accurately represents Business 2.0's attitude. I mean, holy shit, $60,000 a month! That's as much as a respectable small business! Who can fathom this kind of wealth besides every damn millionaire in the Valley?


]]>