Odd things going on at forum

[Yalle]

I have a couple of questions regarding what might have happened to a user account at a forum that uses xenforo.

Some profile information has been changed on a regular user account and the user himself has not changed it, nor is there anything in the admins activity log that points towards that an admin did it. All profile changes that are logged have also only been done from what appears to be the user's own IP-addresses (different ones), even though he hasn't changed the info himself or had anyone using his PC or any other PC in the household.

What other options are there? Apparently no admin changed it since it isn't in the activity log, and there are no traces of any "foreign" IP-address regarding this account either. Most people would obviously say that it's the user himself who did it, but as I've said before, this isn't the case.

Can an admin change the activity logs to make it look like he didn't do it even though he did? Can an outsider log into the user's account and make it look as if he's logging in via the regular user's IP-address? I have no clue how this works, or how it's even possible, I will understand if you can't give any answers.

 

[MrLeft]

In theory someone can change just about anything if they have direct access to the Forum's database. Including both user profile information and admin/activity logs and just about anything else!

That being said .. I wouldn't really know why someone who managed to hack into your database would go through all that just to change a bit of information on someone's profile! Chances are if they hacked your database they would either steal your users information (e-mails for spam) and keep quiet about it so they can steal information in the future .. or completely delete/destroy your database.

Also .. same holds true if an admin's password is compromised .. basically using the admin's account they can tinker with a large amount of data! :-/

 

[ENF]

Sometimes the right answer is the most simple. He probably modified the data himself, whether he remembers it or not.

If you want additional answers, pull your web server logs and filter them by his IP address and see what actions he did in relation to his user profile.

The log will look like this when changing personal account details:

xxx.xxx.xxx.xxx POST /account/personal-details-save - -

The xxx would be the IP address. Your log format may vary, but the string to look for should be about the same. If you know about when the change happened, you can start digging around that time frame.

As the other poster stated above, if were someone acting maliciously -- they could hide their tracks very well if they access to the server and database. But, that's whole lot of crap just to change someone's profile data.

 

[Yalle]

It was a matter of someone being "out to get" this user and wrote things that I won't even mention here. The user did not do it himself. The closest guess I'm going for is that another admin did it but since there are no info about this in the activity logs it's hard to prove anything. It seems as if someone did the deed and then deleted all tracks. Thank you for your replies.