That fuller version

I prepared this for the police.

It’s sort of embarrassing because it shows me being quite an incompetent investigator of a unix system; the up-side of that is that if you can follow this, you’ll get that I’m probably not faking any logs or messing with the evidence.

I especially like this bit from Charlie’s history file:


i am still alan
pine
i am still alan
su admin
quit
bye
logout
exit

It brings back vivid memories of the LNR offices and Alan saying ‘I’m pretending to be you but,’ as he explained the principles of su to Charlie. Also, excellent attempt to get out of the shell in those last four lines.

We’re not on this server any more: all the same, there are a few snips where I’ve taken out passwords, etc.

We’ve got almost all the old logs we mention kicking around somewhere.

Apologies if you want to read this and the mark-up has messed anything up, or the line-breaks are screwy or the width makes it illegible; drop me a line and I can send it as text.

I think point 9) is the most engaging, by the way.

1) A copy of the .bash_history file for root at the host ns.walltowalladmin.co.uk, truncated to the relevant entries (sent to Sean Walsh using ‘history | mail -s log stan.walsh@virgin.net’ – headers are included, this can be checked against the mail log, and the current .bash_history – I’m happy to send on the full mail. Unfortunately, the relevant information has fallen off the top of the current root history file.)


From root@ns.walltowalladmin.co.uk Fri Jun 18 21:56:52 2004
Return-Path: <root@ns.walltowalladmin.co.uk>
Received: from localhost (localhost [127.0.0.1])
by welikebooks.org (8.12.7/8.12.2) with ESMTP id i5IKuokb000625
for <swalsh@localhost>; Fri, 18 Jun 2004 21:56:51 +0100 (BST)
Received: from mail.virgin.net.criticalpath.net [80.5.182.225]
by localhost with POP3 (fetchmail-5.8.17)
for swalsh@localhost (single-drop); Fri, 18 Jun 2004 21:56:51 +0100 (BST)
Received: from n078.sc1.cp.net (209.228.29.64) by n061.sc1.cp.net (7.0.027)
id 40CA4A41001161B6 for stan.walsh@virgin.net; Fri, 18 Jun 2004 20:56:24 +0000
Received: from ns.walltowalladmin.co.uk (212.67.209.107) by n078.sc1.cp.net (7.0.027.3-1)
id 40C8C70E0067B229 for stan.walsh@virgin.net; Fri, 18 Jun 2004 20:56:24 +0000
Received: (from root@localhost)
by ns.walltowalladmin.co.uk (8.10.2/8.10.2) id i5IKvSe03377
for stan.walsh@virgin.net; Fri, 18 Jun 2004 21:57:28 +0100
Date: Fri, 18 Jun 2004 21:57:28 +0100
From: Root <root@ns.walltowalladmin.co.uk>
Message-Id: <200406182057.i5IKvSe03377@ns.walltowalladmin.co.uk>
To: stan.walsh@virgin.net
Subject: the log
Status: RO
Content-Length: 21302
Lines: 1000


8 su charlie
9 su charlie
10 su charlie
11 exit
12 su charlie
13 exit
14 su charlie
15 exit
16 su charlie
17 exit
18 su charlie
19 su charlie
20 exit
21 su root
22 exit
23 cd home/sites/site10/web
24 cd /home/sites/site10/web
25 dir
26 cd tools/database
27 dir
28 mysqladmin -uroot -p******* create ldjfree
29 mysql -uroot -p*********** ldjfree < lnewsreview.sql
30 mysqladmin -uroot -p********* create ldjcms
31 mysqladmin -uroot -p********* drop ldjcms
32 mysqladmin -uroot -p********** create ldjcms
33 cd /home/sites/site3
34 rm -rf web
35 su charlie
36 exit
37 dir
38 cd tools/database
39 dir
40 exit
41 su charlie
42 su charlie
43 pine
44 su charlie
45 ls

2) Charlie's .bash_history file (again, mailed to myself via the command line. Entry numbers are missing because this time I catted the file to mail, rather than su-ing to Charlie and running 'history'). Unfortunately, we re-entered Charlie's account once we suspected a problem (you can see this in the final entries): thus its mod date in an ls -la is for Jun 21.


From root@ns.walltowalladmin.co.uk Wed Jun 23 21:05:48 2004
Return-Path: <root@ns.walltowalladmin.co.uk>
Received: from localhost (localhost [127.0.0.1])
by welikebooks.org (8.12.7/8.12.2) with ESMTP id i5NK5mwe000980
for <swalsh@localhost>; Wed, 23 Jun 2004 21:05:48 +0100 (BST)
Received: from mail.virgin.net.criticalpath.net [80.5.182.225]
by localhost with POP3 (fetchmail-5.8.17)
for swalsh@localhost (single-drop); Wed, 23 Jun 2004 21:05:48 +0100 (BST)
Received: from n078.sc1.cp.net (209.228.29.64) by n061.sc1.cp.net (7.0.027)
id 40CA4A41001D4E03 for stan.walsh@virgin.net; Wed, 23 Jun 2004 20:05:15 +0000
Received: from ns.walltowalladmin.co.uk (212.67.209.107) by n078.sc1.cp.net (7.0.027.3-1)
id 40C8C70E00B1F95C for stan.walsh@virgin.net; Wed, 23 Jun 2004 20:05:14 +0000
Received: (from root@localhost)
by ns.walltowalladmin.co.uk (8.10.2/8.10.2) id i5NK6AK25897
for stan.walsh@virgin.net; Wed, 23 Jun 2004 21:06:10 +0100
Date: Wed, 23 Jun 2004 21:06:10 +0100
From: Root <root@ns.walltowalladmin.co.uk>
Message-Id: <200406232006.i5NK6AK25897@ns.walltowalladmin.co.uk>
To: stan.walsh@virgin.net
Subject: history
Status: RO
Content-Length: 241
Lines: 43

mail
pine
exit
pine
pine
pine
exit
pine
pine
quit
exit
pine
pine
pine
pine
pin
pine
exit
pine
exit
pine
exit
pine
exit
pine
pine
exit
pine
exit
pine
pine
quit
exit
pine
exit
i am still alan
pine
i am still alan
su admin
quit
bye
logout
exit

3) Extracts from /var/log/auth. These extracts cover mostly logins from 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk. There are some other logins/su/su-charlies (or su alan) from a dynamically-assigned address at ‘not-set-yet.ntli.net’, which we have not yet pursued; the final entry shown is from ‘cpc4-nwrk1-6-0-cust77.nott.cable.ntl.com’. We are confident that these addresses will resolve to the same individual (who spends some time in Newark, possibly explaining the nott.cable).


Apr 7 20:19:43 ns PAM_pwdb[29606]: (login) session opened for user admin by (uid=0)
Apr 7 20:19:43 ns -- admin[29606]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 7 20:19:50 ns PAM_pwdb[29635]: (su) session opened for user root by admin(uid=110)
Apr 7 20:20:00 ns PAM_pwdb[29647]: (su) session opened for user charlie by admin(uid=0)
Apr 7 20:22:27 ns PAM_pwdb[29647]: (su) session closed for user charlie
Apr 7 20:22:29 ns PAM_pwdb[29635]: (su) session closed for user root


Apr 13 21:03:44 ns PAM_pwdb[5031]: (login) session opened for user admin by (uid=0)
Apr 13 21:03:44 ns -- admin[5031]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 13 21:03:52 ns PAM_pwdb[5046]: authentication failure; admin(uid=110) -> charlie for su service
Apr 13 21:04:02 ns PAM_pwdb[5067]: (su) session opened for user root by admin(uid=110)
Apr 13 21:04:05 ns PAM_pwdb[5072]: (su) session opened for user charlie by admin(uid=0)
Apr 13 21:04:27 ns PAM_pwdb[5072]: (su) session closed for user charlie
Apr 13 21:04:29 ns PAM_pwdb[5067]: (su) session closed for user root
Apr 13 21:04:31 ns PAM_pwdb[5031]: (login) session closed for user admin


Apr 15 15:17:01 ns PAM_pwdb[17294]: (login) session opened for user admin by (uid=0)
Apr 15 15:17:01 ns -- admin[17294]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 15 15:17:06 ns PAM_pwdb[17317]: (su) session opened for user root by admin(uid=110)
Apr 15 15:17:09 ns PAM_pwdb[17319]: (su) session opened for user charlie by admin(uid=0)
Apr 15 15:34:39 ns PAM_pwdb[18570]: (ftp) session opened for user admin by (uid=0)
Apr 15 15:37:18 ns PAM_pwdb[12049]: (ftp) session closed for user admin
Apr 15 17:37:02 ns PAM_pwdb[17319]: (su) session closed for user charlie
Apr 15 17:37:03 ns PAM_pwdb[17317]: (su) session closed for user root

Apr 15 20:37:22 ns PAM_pwdb[7586]: (login) session opened for user admin by (uid=0)
Apr 15 20:37:22 ns -- admin[7586]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 15 20:37:27 ns PAM_pwdb[7626]: (su) session opened for user root by admin(uid=110)
Apr 15 20:37:29 ns PAM_pwdb[7636]: (su) session opened for user charlie by admin(uid=0)
Apr 15 20:39:22 ns PAM_pwdb[7636]: (su) session closed for user charlie
Apr 15 20:39:36 ns PAM_pwdb[7767]: (su) session opened for user alan by admin(uid=0)
Apr 15 20:42:10 ns PAM_pwdb[7767]: (su) session closed for user alan
Apr 15 20:42:13 ns PAM_pwdb[7626]: (su) session closed for user root
Apr 15 20:42:20 ns PAM_pwdb[7918]: (su) session opened for user root by admin(uid=110)
Apr 15 20:42:35 ns PAM_pwdb[7918]: (su) session closed for user root
Apr 15 20:42:37 ns PAM_pwdb[7586]: (login) session closed for user admin


Apr 16 23:59:30 ns PAM_pwdb[25099]: (login) session opened for user admin by (uid=0)
Apr 16 23:59:30 ns -- admin[25099]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 16 23:59:54 ns PAM_pwdb[25151]: (su) session opened for user root by admin(uid=110)
Apr 17 00:00:17 ns PAM_pwdb[25199]: (su) session opened for user charlie by admin(uid=0)
Apr 17 00:02:17 ns PAM_pwdb[25199]: (su) session closed for user charlie
Apr 17 00:02:17 ns PAM_pwdb[25151]: (su) session closed for user root
Apr 17 00:02:48 ns PAM_pwdb[25409]: (login) session opened for user admin by (uid=0)
Apr 17 00:02:48 ns -- admin[25409]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 17 00:03:08 ns PAM_pwdb[25448]: (su) session opened for user root by admin(uid=110)
Apr 17 00:03:11 ns PAM_pwdb[25451]: (su) session opened for user charlie by admin(uid=0)
Apr 17 00:05:50 ns PAM_pwdb[25451]: (su) session closed for user charlie
Apr 17 00:05:50 ns PAM_pwdb[25448]: (su) session closed for user root
Apr 17 00:06:06 ns PAM_pwdb[25615]: (login) session opened for user admin by (uid=0)
Apr 17 00:06:06 ns -- admin[25615]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 17 00:06:15 ns PAM_pwdb[25636]: (su) session opened for user root by admin(uid=110)
Apr 17 00:06:19 ns PAM_pwdb[25641]: (su) session opened for user charlie by admin(uid=0)
Apr 17 00:07:24 ns PAM_pwdb[25641]: (su) session closed for user charlie
Apr 17 00:07:24 ns PAM_pwdb[25636]: (su) session closed for user root
Apr 17 00:07:41 ns PAM_pwdb[25692]: (ftp) session opened for user admin by (uid=0)
Apr 17 00:08:35 ns PAM_pwdb[25692]: (ftp) session closed for user admin
Apr 17 00:08:55 ns PAM_pwdb[25765]: (login) session opened for user admin by (uid=0)
Apr 17 00:08:55 ns -- admin[25765]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 17 00:09:57 ns PAM_pwdb[25843]: (su) session opened for user root by admin(uid=110)
Apr 17 00:10:03 ns PAM_pwdb[25848]: (su) session opened for user charlie by admin(uid=0)
Apr 17 00:11:15 ns PAM_pwdb[25848]: (su) session closed for user charlie
Apr 17 00:11:18 ns PAM_pwdb[25843]: (su) session closed for user root


Apr 17 19:49:17 ns PAM_pwdb[20185]: (login) session opened for user admin by (uid=0)
Apr 17 19:49:17 ns -- admin[20185]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 17 19:49:25 ns PAM_pwdb[20208]: (su) session opened for user root by admin(uid=110)
Apr 17 19:50:06 ns PAM_pwdb[20275]: (su) session opened for user charlie by admin(uid=0)
Apr 17 19:51:18 ns PAM_pwdb[20275]: (su) session closed for user charlie
Apr 17 19:51:20 ns PAM_pwdb[20208]: (su) session closed for user root


Apr 18 01:19:41 ns PAM_pwdb[6928]: (login) session opened for user admin by (uid=0)
Apr 18 01:19:41 ns -- admin[6928]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 18 01:19:45 ns PAM_pwdb[6945]: (su) session opened for user root by admin(uid=110)
Apr 18 01:19:48 ns PAM_pwdb[6948]: (su) session opened for user charlie by admin(uid=0)
Apr 18 01:20:21 ns PAM_pwdb[6948]: (su) session closed for user charlie
Apr 18 01:20:23 ns PAM_pwdb[6945]: (su) session closed for user root
Apr 18 01:20:30 ns PAM_pwdb[6928]: (login) session closed for user admin


Apr 19 15:49:42 ns PAM_pwdb[9798]: (login) session opened for user admin by (uid=0)
Apr 19 15:49:42 ns -- admin[9798]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 19 15:49:48 ns PAM_pwdb[9826]: (su) session opened for user root by admin(uid=110)
Apr 19 15:49:51 ns PAM_pwdb[9831]: (su) session opened for user charlie by admin(uid=0)
Apr 19 15:50:34 ns PAM_pwdb[9831]: (su) session closed for user charlie
Apr 19 15:50:35 ns PAM_pwdb[9826]: (su) session closed for user root
Apr 19 15:50:36 ns PAM_pwdb[9798]: (login) session closed for user admin


Apr 20 18:54:08 ns PAM_pwdb[5210]: (login) session opened for user admin by (uid=0)
Apr 20 18:54:08 ns -- admin[5210]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 20 18:54:13 ns PAM_pwdb[5239]: (su) session opened for user root by admin(uid=110)
Apr 20 18:54:15 ns PAM_pwdb[5247]: (su) session opened for user charlie by admin(uid=0)
Apr 20 18:58:41 ns PAM_pwdb[5247]: (su) session closed for user charlie
Apr 20 18:58:41 ns PAM_pwdb[5239]: (su) session closed for user root


Apr 21 16:54:20 ns PAM_pwdb[20346]: (login) session opened for user admin by (uid=0)
Apr 21 16:54:20 ns -- admin[20346]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 21 16:54:29 ns PAM_pwdb[20381]: (su) session opened for user root by admin(uid=110)
Apr 21 16:54:31 ns PAM_pwdb[20384]: (su) session opened for user root by admin(uid=0)
Apr 21 16:54:35 ns PAM_pwdb[20387]: (su) session opened for user charlie by admin(uid=0)
Apr 21 16:56:46 ns PAM_pwdb[20387]: (su) session closed for user charlie
Apr 21 16:56:48 ns PAM_pwdb[20384]: (su) session closed for user root
Apr 21 16:56:49 ns PAM_pwdb[20381]: (su) session closed for user root


Apr 23 01:02:47 ns PAM_pwdb[6128]: (login) session opened for user admin by (uid=0)
Apr 23 01:02:47 ns -- admin[6128]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 23 01:03:28 ns PAM_pwdb[6169]: (su) session opened for user root by admin(uid=110)
Apr 23 01:03:43 ns PAM_pwdb[6191]: (su) session opened for user charlie by admin(uid=0)
Apr 23 01:06:07 ns PAM_pwdb[6191]: (su) session closed for user charlie
Apr 23 01:06:10 ns PAM_pwdb[6169]: (su) session closed for user root


Apr 30 22:12:16 ns PAM_pwdb[1463]: (login) session opened for user admin by (uid=0)
Apr 30 22:12:16 ns -- admin[1463]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 30 22:12:33 ns PAM_pwdb[1478]: authentication failure; admin(uid=110) -> root for su service
Apr 30 22:12:39 ns PAM_pwdb[1498]: (su) session opened for user root by admin(uid=110)
Apr 30 22:12:44 ns PAM_pwdb[1503]: (su) session opened for user charlie by admin(uid=0)
Apr 30 22:18:14 ns PAM_pwdb[1503]: (su) session closed for user charlie
Apr 30 22:18:14 ns PAM_pwdb[1498]: (su) session closed for user root


May 1 21:18:51 ns PAM_pwdb[13988]: (login) session opened for user admin by (uid=0)
May 1 21:18:51 ns -- admin[13988]: LOGIN ON pts/1 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
May 1 21:18:58 ns PAM_pwdb[14007]: (su) session opened for user root by admin(uid=110)
May 1 21:19:04 ns PAM_pwdb[14022]: (su) session opened for user charlie by admin(uid=0)
May 1 21:19:38 ns PAM_pwdb[14022]: (su) session closed for user charlie
May 1 21:40:31 ns PAM_pwdb[15437]: (ftp) session opened for user admin by (uid=0)
May 1 21:42:15 ns PAM_pwdb[11376]: (login) session closed for user admin


May 3 00:59:00 ns PAM_pwdb[4083]: (login) session opened for user admin by (uid=0)
May 3 00:59:00 ns -- admin[4083]: LOGIN ON pts/0 BY admin FROM cpc4-nwrk1-6-0-cust77.nott.cable.ntl.com
May 3 01:00:19 ns PAM_pwdb[4186]: (su) session opened for user root by admin(uid=110)
May 3 01:00:33 ns PAM_pwdb[4201]: (su) session opened for user charlie by admin(uid=0)
May 3 01:02:35 ns PAM_pwdb[4201]: (su) session closed for user charlie
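The pattern in these extracts is always the same: a login as admin, an su to root (the caller is admin at uid=110, so root's password was needed), then an su from root into charlie or alan (caller uid=0, so no password for that account was needed). As an added example that is not part of the original write-up, this Python script reconstructs those chains from log lines in exactly the format above and reports every su into a named account that was reached via root; the year is assumed to be 2004 because syslog lines carry none.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

YEAR = 2004  # syslog lines carry no year; assumed from the dates in the write-up

# Constructed sample: lines copied from the /var/log/auth extracts in item 3.
SAMPLE_LOG = """\
Apr 15 20:37:22 ns PAM_pwdb[7586]: (login) session opened for user admin by (uid=0)
Apr 15 20:37:22 ns -- admin[7586]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 15 20:37:27 ns PAM_pwdb[7626]: (su) session opened for user root by admin(uid=110)
Apr 15 20:37:29 ns PAM_pwdb[7636]: (su) session opened for user charlie by admin(uid=0)
Apr 15 20:39:22 ns PAM_pwdb[7636]: (su) session closed for user charlie
Apr 15 20:39:36 ns PAM_pwdb[7767]: (su) session opened for user alan by admin(uid=0)
Apr 15 20:42:10 ns PAM_pwdb[7767]: (su) session closed for user alan
Apr 15 20:42:13 ns PAM_pwdb[7626]: (su) session closed for user root
Apr 15 20:42:37 ns PAM_pwdb[7586]: (login) session closed for user admin
Apr 30 22:12:16 ns PAM_pwdb[1463]: (login) session opened for user admin by (uid=0)
Apr 30 22:12:16 ns -- admin[1463]: LOGIN ON pts/0 BY admin FROM 82-35-30-145.cable.ubr04.hari.blueyonder.co.uk
Apr 30 22:12:33 ns PAM_pwdb[1478]: authentication failure; admin(uid=110) -> root for su service
Apr 30 22:12:39 ns PAM_pwdb[1498]: (su) session opened for user root by admin(uid=110)
Apr 30 22:12:44 ns PAM_pwdb[1503]: (su) session opened for user charlie by admin(uid=0)
Apr 30 22:18:14 ns PAM_pwdb[1503]: (su) session closed for user charlie
Apr 30 22:18:14 ns PAM_pwdb[1498]: (su) session closed for user root
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
PAM_RE = re.compile(TS + r"PAM_pwdb\[(?P<pid>\d+)\]: \((?P<svc>\w+)\) session "
                    r"(?P<state>opened|closed) for user (?P<user>\w+)"
                    r"(?: by (?P<by>\w*)\(uid=(?P<uid>\d+)\))?")
LOGIN_RE = re.compile(TS + r"-- \w+\[(?P<pid>\d+)\]: LOGIN ON (?P<tty>\S+) BY \w+ FROM (?P<host>\S+)")
FAIL_RE = re.compile(TS + r"PAM_pwdb\[(?P<pid>\d+)\]: authentication failure; "
                     r"(?P<by>\w+)\(uid=\d+\) -> (?P<target>\w+) for su service")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


@dataclass
class Su:
    target: str          # account entered
    uid: int             # effective uid of the caller: 0 means no password was needed
    opened: datetime
    closed: Optional[datetime] = None


@dataclass
class LoginSession:
    pid: str
    user: str
    opened: datetime
    host: str = "?"
    tty: str = "?"
    closed: Optional[datetime] = None
    sus: list = field(default_factory=list)       # su calls made inside this login
    failures: list = field(default_factory=list)  # (caller, target) su failures


def parse_auth_log(text: str) -> list:
    """Group PAM_pwdb lines into login sessions with their nested su chains."""
    sessions, open_sus, current = [], {}, None
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m and m["svc"] == "login":
            if m["state"] == "opened":
                current = LoginSession(m["pid"], m["user"], parse_ts(m["ts"]))
                sessions.append(current)
            else:
                for s in sessions:
                    if s.pid == m["pid"] and s.closed is None:
                        s.closed = parse_ts(m["ts"])
        elif m and m["svc"] == "su":
            if m["state"] == "opened":
                su = Su(m["user"], int(m["uid"]), parse_ts(m["ts"]))
                open_sus[m["pid"]] = su
                if current is not None:
                    current.sus.append(su)
            elif m["pid"] in open_sus:
                open_sus.pop(m["pid"]).closed = parse_ts(m["ts"])
        elif (m := LOGIN_RE.match(line)) and current is not None and current.pid == m["pid"]:
            current.host, current.tty = m["host"], m["tty"]   # attach the source host
        elif (m := FAIL_RE.match(line)) and current is not None:
            current.failures.append((m["by"], m["target"]))
    return sessions


def impersonations(sessions: list, protected: set) -> list:
    """(host, target, seconds) for every su into a protected account taken via
    root (uid=0), i.e. without that account's own password."""
    hits = []
    for s in sessions:
        for su in s.sus:
            if su.target in protected and su.uid == 0:
                secs = (su.closed - su.opened).total_seconds() if su.closed else None
                hits.append((s.host, su.target, secs))
    return hits


if __name__ == "__main__":
    for host, target, secs in impersonations(parse_auth_log(SAMPLE_LOG), {"charlie", "alan"}):
        print(f"{host} -> {target} for {secs}s")
```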

4) Headers from a mail received by Alan Hamilton, from Paul Carr. You can see it ultimately originates from “AJWLaptop ([82.35.30.145]) by smtp-out4.blueyonder.co.uk”. This matches the IP logging on in 3), above.


Return-Path: <paul@lnreview.co.uk>
Delivered-To: ahamilto@plato.wadham.ox.ac.uk
Received: (qmail 4711 invoked from network); 6 May 2004 17:59:39 -0000
Received: from gateway.wadham.ox.ac.uk (163.1.161.253)
    by 0 with SMTP; 6 May 2004 17:59:39 -0000
Received: (qmail 14945 invoked by uid 1004); 6 May 2004 17:59:30 -0000
Received: from paul@lnreview.co.uk by gateway by uid 71 with
    qmail-scanner-1.20 (clamscan: 0.67. sweep: 2.18/3.79. Clear:RC:0(129.67.1.167):.
    Processed in 0.078936 secs); 06 May 2004 17:59:30 -0000
Received: from tx1.oucs.ox.ac.uk (129.67.1.167)
    by gateway.wadham.ox.ac.uk with SMTP; 6 May 2004 17:59:30 -0000
Received: from scan1.oucs.ox.ac.uk ([129.67.1.166] helo=localhost)
    by tx1.oucs.ox.ac.uk with esmtp (Exim 4.24)
    id 1BLn9e-0008LX-HD
    for ahamilto@plato.wadham.ox.ac.uk; Thu, 06 May 2004 18:59:30 +0100
Received: from rx1.oucs.ox.ac.uk ([129.67.1.165])
    by localhost (scan1.oucs.ox.ac.uk [129.67.1.166]) (amavisd-new, port 25)
    with ESMTP id 31870-04 for <ahamilto@plato.wadham.ox.ac.uk>;
    Thu, 6 May 2004 18:59:30 +0100 (BST)
Received: from www2.simply.net ([81.3.64.234])
    by rx1.oucs.ox.ac.uk with esmtp (Exim 4.24)
    id 1BLn9e-0008LT-3v
    for ahamilto@plato.wadham.ox.ac.uk; Thu, 06 May 2004 18:59:30 +0100
Received: from ns.walltowalladmin.co.uk (unknown [212.67.209.107])
    by www2.simply.net (Postfix) with ESMTP id 5E8F6B268B
    for <lnreview@thenameofthegame.org>; Fri, 23 Jun 2000 11:13:57 +0100 (BST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7])
    by ns.walltowalladmin.co.uk (8.10.2/8.10.2) with ESMTP id i46HxCh20357
    for <alan@lnreview.co.uk>; Thu, 6 May 2004 18:59:12 +0100
Received: from AJWLaptop ([82.35.30.145]) by smtp-out4.blueyonder.co.uk
    with Microsoft SMTPSVC(5.0.2195.5600); Thu, 6 May 2004 18:59:25 +0100
From: "Paul Carr" <paul@lnreview.co.uk>
To: <alan@lnreview.co.uk>
Subject: RE: Better get into the habit of fwding these things to you
Date: Thu, 6 May 2004 18:59:22 +0100
Message-ID: <ajegjfinhfcjkeknbjcieebhliaa.paul@lnreview.co.uk>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
In-Reply-To: <f5084cb8-9F82-11D8-8775-000A958FAA7E@lnreview.co.uk>
Importance: Normal
X-OriginalArrivalTime: 06 May 2004 17:59:25.0215 (UTC)
    FILETIME=[DE120AF0:01C43393]
X-Oxmail-Spam-Status: score=0.0 tests=
X-Oxmail-Spam-Level:
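To make the comparison in 4) mechanical, here is an added example (not from the original post) that unfolds a header block, walks the Received: chain from the newest relay down to the client that injected the message, and checks that client's IP literal against the dashed reverse-DNS name seen in the auth log. The sample header block is a cleaned-up subset of the one above; relay timestamps are unreliable (the www2.simply.net hop stamps the year 2000), so the check relies on the IP literals, not the dates.

```python
import re

# Constructed sample: a cleaned-up subset of the Received: chain shown in item 4.
# Real headers fold continuation lines with leading whitespace, as here.
SAMPLE_HEADERS = """\
Return-Path: <paul@lnreview.co.uk>
Received: from www2.simply.net ([81.3.64.234])
    by rx1.oucs.ox.ac.uk with esmtp (Exim 4.24)
    for ahamilto@plato.wadham.ox.ac.uk; Thu, 06 May 2004 18:59:30 +0100
Received: from ns.walltowalladmin.co.uk (unknown [212.67.209.107])
    by www2.simply.net (Postfix) with ESMTP id 5E8F6B268B
    for <lnreview@thenameofthegame.org>; Fri, 23 Jun 2000 11:13:57 +0100 (BST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7])
    by ns.walltowalladmin.co.uk (8.10.2/8.10.2) with ESMTP id i46HxCh20357
    for <alan@lnreview.co.uk>; Thu, 6 May 2004 18:59:12 +0100
Received: from AJWLaptop ([82.35.30.145]) by smtp-out4.blueyonder.co.uk
    with Microsoft SMTPSVC(5.0.2195.5600); Thu, 6 May 2004 18:59:25 +0100
From: "Paul Carr" <paul@lnreview.co.uk>
Subject: RE: Better get into the habit of fwding these things to you

(message body)
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DATE_RE = re.compile(r";\s*(?P<date>[^;]+?)\s*$")


def unfold(raw: str) -> list:
    """Return [(name, value)] with RFC 2822 folded continuation lines joined."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return [tuple(h) for h in headers]


def received_hops(headers: list) -> list:
    """One dict per Received: header, in header order (newest relay first)."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = HOP_RE.search(value)
        if not m:
            continue                      # e.g. "(qmail 4711 invoked from network)"
        ip = IP_RE.search(value[:m.start("by")])   # the IP literal belongs to the "from" side
        d = DATE_RE.search(value)
        hops.append({"helo": m["helo"], "by": m["by"],
                     "ip": ip.group(1) if ip else None,
                     "date": d["date"] if d else None})
    return hops


def originating_hop(headers: list) -> dict:
    """Each relay prepends its own Received: line, so the last one in the
    header block is the first hop: the client that injected the message."""
    hops = received_hops(headers)
    return hops[-1] if hops else {}


def dashed_hostname_ip(hostname: str):
    """'82-35-30-145.cable...' style reverse-DNS names encode the dotted IP."""
    m = re.match(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.", hostname)
    return ".".join(m.groups()) if m else None


def same_origin(headers: list, login_host: str) -> bool:
    """Does the mail's injecting client match the host seen in the auth log?"""
    return originating_hop(headers).get("ip") == dashed_hostname_ip(login_host)
```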

5) Modification dates of pine's dotted files. '.addressbook' and '.addressbook.lu' are modified (most likely created) on April 7th, at a time matching the log above. Pine creates a new debug log each time it is used; by default, four exist at any point, and are cycled through. Three of the four match the final 'su charlie' entries in the log above. The fourth was created when we su'd to Charlie's account, in order to demonstrate the principles of 'su' and pine to him (.pinerc was modified in the same session). A screen grab of ls -la illustrates the mod times:

[Screen grab of the ls -la output: picture not reproduced here]

6) .pinedebug4 from April 30. This shows the fake-charlie's activity, at the end: he moves between the folder view and folder indexes, checking inbox, trash, and reading roughly ten items in sent mail (if we've interpreted this correctly). There seems to be information to tie this to specific mails (when it can't parse headers), but we haven't made that effort yet.


Debug output of the Pine program (debug=2 debug_imap=0). Version 4.56 (LNX)
Fri Apr 30 22:12:47 2004


"pine" <no args>

Setting home dir from $HOME: "/home/sites/site12/users/charlie"

-- init_pinerc --

Global config "/usr/local/lib/pine.conf" is default
Personal config "/home/sites/site12/users/charlie/.pinerc" is default
Exceptions config not set on cmdline
checking for default "/home/sites/site12/users/charlie/.pinercex" in pinerc dir
no, there is no exceptions config

Global config: /usr/local/lib/pine.conf
Personal config: /home/sites/site12/users/charlie/.pinerc
Exceptions config:
Fixed config: /usr/local/lib/pine.conf.fixed

reading_pinerc "/usr/local/lib/pine.conf"
Open failed: No such file or directory
reading_pinerc "/home/sites/site12/users/charlie/.pinerc"
Read 15782 characters:
reading_pinerc "/usr/local/lib/pine.conf.fixed"
Open failed: No such file or directory
======= Current_val options set =======
inbox-path : inbox
default-fcc : sent-mail
default-saved-msg-fo : saved-messages
postponed-folder : postponed-msgs
signature-file : .signature
feature-list : allow-changing-from
saved-msg-name-rule : default-folder
fcc-name-rule : default-fcc
sort-key : arrival
addrbook-sort-rule : fullname-with-lists-last
folder-sort-rule : alphabetical
goto-default-rule : inbox-or-folder-in-recent-collection
incoming-startup-rul : first-unseen
pruning-rule : ask-ask
folder-reopen-rule : ask-no-n
threading-display-st : struct
threading-index-styl : exp
threading-indicator- : >
threading-expanded-c : .
threading-lastreply- : |
composer-wrap-column : 74
reply-indent-string : >
reply-leadin : default
empty-header-message : undisclosed-recipients
use-only-domain-name : no
bugs-fullname : Pine Developers
bugs-address : pine-bugs@cac.washington.edu
suggest-fullname : Pine Developers
suggest-address : pine-suggestions@cac.washington.edu
local-fullname : Local Support
local-address : postmaster
kblock-passwd-count : 1
viewer-overlap : 2
scroll-margin : 0
status-message-delay : 0
mail-check-interval : 150
maildrop-check-minim : 60
nntp-range : 0
mail-directory : mail
folder-collections : mail/[]
address-book : .addressbook
standard-printer : lpr
last-time-prune-ques : 104.4
last-version-used : 4.56
user-input-timeout : 0
debug-memory : 500000
remote-abook-history : 3
remote-abook-validit : 5
printer : attached-to-ansi
elm-style-save : no
header-in-reply : no
feature-level : sapling
old-style-reply : no
save-by-sender : no
color-style : no-color
current-indexline-st : flip-colors
titlebar-color-style : default
normal-foreground-co : black
normal-background-co : cyan
keylabel-foreground- : black
keylabel-background- : cyan
selectable-item-fore : black
selectable-item-back : cyan
======= Command_line_val options set =======
======= User_val options set (/home/sites/site12/users/charlie/.pinerc) =======
last-time-prune-ques : 104.4
last-version-used : 4.56
======= PostloadUser_val options set (postload) =======
======= Global_val options set (/usr/local/lib/pine.conf) =======
inbox-path : inbox
default-fcc : sent-mail
default-saved-msg-fo : saved-messages
postponed-folder : postponed-msgs
signature-file : .signature
saved-msg-name-rule : default-folder
fcc-name-rule : default-fcc
sort-key : arrival
addrbook-sort-rule : fullname-with-lists-last
folder-sort-rule : alphabetical
goto-default-rule : inbox-or-folder-in-recent-collection
incoming-startup-rul : first-unseen
pruning-rule : ask-ask
folder-reopen-rule : ask-no-n
threading-display-st : struct
threading-index-styl : exp
threading-indicator- : >
threading-expanded-c : .
threading-lastreply- : |
composer-wrap-column : 74
reply-indent-string : >
reply-leadin : default
empty-header-message : undisclosed-recipients
use-only-domain-name : no
bugs-fullname : Pine Developers
bugs-address : pine-bugs@cac.washington.edu
suggest-fullname : Pine Developers
suggest-address : pine-suggestions@cac.washington.edu
local-fullname : Local Support
local-address : postmaster
kblock-passwd-count : 1
viewer-overlap : 2
scroll-margin : 0
status-message-delay : 0
mail-check-interval : 150
maildrop-check-minim : 60
nntp-range : 0
mail-directory : mail
folder-collections : mail/[]
address-book : .addressbook
standard-printer : lpr
user-input-timeout : 0
debug-memory : 500000
remote-abook-history : 3
remote-abook-validit : 5
printer : attached-to-ansi
elm-style-save : no
header-in-reply : no
feature-level : sapling
old-style-reply : no
save-by-sender : no
color-style : no-color
current-indexline-st : flip-colors
titlebar-color-style : default
normal-foreground-co : black
normal-background-co : cyan
======= Fixed_val options set (NO pine.conf.fixed) =======
========== Feature settings ==========
no-alternate-compose-menu
no-compose-cut-from-cursor
no-compose-maps-delete-key-to-ctrl-d
no-compose-rejects-unqualified-addrs
no-compose-send-offers-first-filter
no-enable-alternate-editor-cmd
no-enable-alternate-editor-implicitly
no-enable-search-and-replace
no-enable-sigdashes
no-quell-dead-letter-on-cancel
no-spell-check-before-sending
no-quell-user-lookup-in-passwd-file
no-enable-reply-indent-string-editing
no-include-attachments-in-reply
no-include-header-in-reply
no-include-text-in-reply
no-reply-always-uses-reply-to
no-signature-at-bottom
no-strip-from-sigdashes-on-reply
no-disable-sender
no-enable-8bit-esmtp-negotiation
no-enable-background-sending
no-enable-delivery-status-notification
no-enable-verbose-smtp-posting
no-fcc-on-bounce
no-fcc-only-without-confirm
no-fcc-without-attachments
no-mark-fcc-seen
no-send-without-confirm
no-use-sender-not-x-sender
no-warn-if-blank-to-and-cc-and-newsgroups
no-warn-if-blank-subject
no-combined-subdirectory-display
no-combined-folder-display
no-enable-dot-folders
no-enable-incoming-folders
no-enable-lame-list-mode
no-expanded-view-of-folders
no-quell-empty-directories
no-separate-folder-and-directory-entries
no-single-column-folder-list
no-vertical-folder-list
no-combined-addrbook-display
no-expanded-view-of-addressbooks
no-expanded-view-of-distribution-lists
no-auto-open-next-unread
no-thread-index-shows-important-color
no-continue-tab-without-confirm
no-delete-skips-deleted
no-enable-cruise-mode
no-enable-cruise-mode-delete
no-mark-for-cc
no-next-thread-without-confirm
no-return-to-inbox-without-confirm
no-tab-visits-next-new-message-only
no-enable-msg-view-attachments
no-enable-msg-view-urls
no-enable-msg-view-web-hostnames
no-enable-msg-view-addresses
no-enable-msg-view-forced-arrows
no-prefer-plain-text
no-pass-control-characters-as-is
no-compose-sets-newsgroup-without-confirm
no-enable-8bit-nntp-posting
no-enable-multiple-newsrcs
no-news-approximates-new-status
no-news-deletes-across-groups
no-news-offers-catchup-on-close
no-news-post-without-validation
no-news-read-in-newsrc-order
no-predict-nntp-server
no-quell-extra-post-prompt
no-enable-print-via-y-command
no-print-offers-custom-cmd-prompt
no-print-includes-from-line
no-print-index-enabled
no-print-formfeed-between-messages
no-enable-aggregate-command-set
no-enable-arrow-navigation
no-enable-arrow-navigation-relaxed
no-enable-bounce-cmd
no-enable-exit-via-lessthan-command
no-enable-flag-cmd
no-enable-flag-screen-implicitly
no-enable-full-header-cmd
no-enable-full-header-and-text
no-enable-goto-in-file-browser
no-enable-jump-shortcut
no-enable-partial-match-lists
no-enable-tab-completion
no-enable-unix-pipe-cmd
no-allow-talk
no-assume-slow-link
no-auto-move-read-msgs
no-auto-unzoom-after-apply
no-auto-zoom-after-select
no-check-newmail-when-quitting
no-confirm-role-even-for-default
no-disable-2022-jp-conversions
no-disable-charset-conversions
no-disable-keymenu
no-disable-take-last-comma-first
no-enable-dot-files
no-enable-fast-recent-test
no-enable-mail-check-cue
no-enable-mouse-in-xterm
no-enable-newmail-in-xterm-icon
no-enable-rules-under-take
no-enable-suspend
no-enable-take-export
no-expose-hidden-config
no-expunge-only-manually
no-expunge-without-confirm
no-expunge-without-confirm-everywhere
no-preserve-start-stop-characters
no-quell-attachment-extra-prompt
no-quell-content-id
no-quell-timezone-comment-when-sending
no-quell-folder-internal-msg
no-quell-lock-failure-warnings
no-quell-status-message-beeping
no-quit-without-confirm
no-save-will-advance
no-save-will-not-delete
no-save-will-quote-leading-froms
no-scramble-message-id
no-select-without-confirm
no-show-cursor
no-show-plain-text-internally
no-show-selected-in-boldface
no-slash-collapses-entire-thread
no-tab-checks-recent
no-try-alternative-authentication-driver-first
no-unselect-will-not-advance
no-use-current-dir
no-use-subshell-for-suspend
no-use-function-keys
allow-changing-from
no-cache-remote-pinerc
no-disable-busy-alarm
no-disable-config-cmd
no-disable-keyboard-lock-cmd
no-disable-password-caching
no-disable-password-cmd
no-disable-pipes-in-sigs
no-disable-pipes-in-templates
no-disable-roles-setup-cmd
no-disable-roles-sig-edit
no-disable-roles-template-edit
no-disable-setlocale-collate
no-disable-shared-namespaces
no-disable-signature-edit-cmd
no-enable-mailcap-param-substitution
no-enable-setlocale-ctype
no-quell-berkeley-format-timezone
no-quell-imap-envelope-update
no-quell-maildomain-warning
no-quell-news-envelope-update
no-quell-partial-fetching
no-quell-personal-name-prompt
no-quell-user-id-prompt
no-save-aggregates-copy-sequence
no-selectable-item-nobold
no-termdef-takes-precedence
Userid: charlie
Fullname: "Charlie Skelton"
User domain name being used ""
Local Domain name being used "walltowalladmin.co.uk"
Host name being used "ns.walltowalladmin.co.uk"
Mail Domain name being used (by c-client too)"ns.walltowalladmin.co.uk"
new win size -----<25 80>------
Terminal type: ansi
About to open folder "INBOX" inbox: "INBOX"
IMAP 22:12:47 4/30 mm_log babble: Assigning new unique identifiers to all messages
Opened folder "/var/spool/mail/charlie" with 3 messages
Sorting by Arrival


---- MAIN_MENU_SCREEN ----
=== folder_screen called ====


---- FOLDER LISTER ----
About to open folder "INBOX" inbox: "INBOX"


---- MAIL INDEX ----


---- INDEX MANAGER ----
MAIL_CMD: going to folder/collection menu
=== folder_screen called ====


---- FOLDER LISTER ----
About to open folder "mail-trash" inbox: "INBOX"
Close - saved inbox state: max 3
Opened folder "mail/mail-trash" with 0 messages
Sorting by Arrival


---- MAIL INDEX ----


---- INDEX MANAGER ----
MAIL_CMD: going to folder/collection menu
=== folder_screen called ====


---- FOLDER LISTER ----
About to open folder "sent-mail" inbox: "INBOX"
expunge and close mail stream "mail/mail-trash"
Opened folder "/home/sites/site12/users/charlie/mail/sent-mail" with 804 messages
Sorting by Arrival


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----
IMAP 22:14:33 4/30 mm_log parse: Missing parameter


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----
IMAP 22:14:47 4/30 mm_log parse: Unexpected characters at end of address: ; tonybuckingham@hotmail.com


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----
IMAP 22:15:28 4/30 mm_log parse: Unexpected characters at end of address: ; sean@lnreview.co.uk


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----


---- MAIL INDEX ----


---- INDEX MANAGER ----
MAIL_CMD: going to folder/collection menu
=== folder_screen called ====


---- FOLDER LISTER ----


---- MAIN_MENU_SCREEN ----


---- QUIT SCREEN ----
Want_to read: y (121)
goodnight_gracey:
- completely_done_with_adrbks -
expunge and close mail stream "/home/sites/site12/users/charlie/mail/sent-mail"
expunge and close mail stream "/var/spool/mail/charlie"
about to end_tty_driver
goodnight_gracey finished
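Reading these .pinedebug files by eye is tedious. As an added example that is not from the original post, this Python summariser pulls out of a file in the layout above the start time, the folders opened with their message counts, the number of MAIL VIEW screens per folder (ten for sent-mail in the log above), the IMAP parse complaints, and the stream closes; the sample is an abridged file in the same layout, with a placeholder address in the parse complaint.

```python
import re

# Constructed sample: an abridged .pinedebug file in the layout quoted in item 6.
# The address in the parse complaint is a placeholder, not one from the real log.
SAMPLE_PINEDEBUG = """\
Debug output of the Pine program (debug=2 debug_imap=0). Version 4.56 (LNX)
Fri Apr 30 22:12:47 2004
Userid: charlie
About to open folder "INBOX" inbox: "INBOX"
Opened folder "/var/spool/mail/charlie" with 3 messages
---- MAIN_MENU_SCREEN ----
---- FOLDER LISTER ----
---- MAIL INDEX ----
About to open folder "mail-trash" inbox: "INBOX"
Opened folder "mail/mail-trash" with 0 messages
---- MAIL INDEX ----
About to open folder "sent-mail" inbox: "INBOX"
expunge and close mail stream "mail/mail-trash"
Opened folder "/home/sites/site12/users/charlie/mail/sent-mail" with 804 messages
---- MAIL INDEX ----
----- MAIL VIEW -----
---- MAIL INDEX ----
----- MAIL VIEW -----
IMAP 22:14:33 4/30 mm_log parse: Missing parameter
---- MAIL INDEX ----
IMAP 22:14:47 4/30 mm_log parse: Unexpected characters at end of address: ; someone@example.com
----- MAIL VIEW -----
---- QUIT SCREEN ----
expunge and close mail stream "/home/sites/site12/users/charlie/mail/sent-mail"
expunge and close mail stream "/var/spool/mail/charlie"
goodnight_gracey finished
"""

OPENED_RE = re.compile(r'^Opened folder "(?P<path>[^"]+)" with (?P<n>\d+) messages')
CLOSE_RE = re.compile(r'^expunge and close mail stream "(?P<path>[^"]+)"')
IMAP_RE = re.compile(r"^IMAP (?P<time>\d\d:\d\d:\d\d) (?P<day>\S+) mm_log (?P<what>.*)")
START_RE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}$")


def summarise_pinedebug(text: str) -> dict:
    """Reduce a .pinedebug file to what a timeline needs: session start, the
    folders opened (with message counts at open), MAIL VIEW screens shown per
    folder, IMAP parse complaints, and which streams were closed."""
    out = {"started": None, "userid": None, "version": None, "folders": [],
           "views": {}, "imap_log": [], "closed": [], "clean_exit": False}
    current = None                       # folder whose index the user is in
    for line in text.splitlines():
        if line.startswith("Debug output of the Pine program"):
            m = re.search(r"Version (\S+)", line)
            out["version"] = m.group(1) if m else None
        elif out["started"] is None and START_RE.match(line):
            out["started"] = line
        elif line.startswith("Userid: "):
            out["userid"] = line[len("Userid: "):]
        elif (m := OPENED_RE.match(line)):
            current = m["path"]
            out["folders"].append((current, int(m["n"])))
            out["views"].setdefault(current, 0)
        elif line.startswith("----- MAIL VIEW -----") and current is not None:
            out["views"][current] += 1   # one message displayed in this folder
        elif (m := IMAP_RE.match(line)):
            out["imap_log"].append((m["day"], m["time"], m["what"]))
        elif (m := CLOSE_RE.match(line)):
            out["closed"].append(m["path"])
        elif line.startswith("goodnight_gracey finished"):
            out["clean_exit"] = True     # pine exited normally via the quit screen
    return out


def folders_with_views(summary: dict) -> list:
    """Folders in which at least one message was actually displayed."""
    return [f for f, n in summary["views"].items() if n > 0]
```

Pine writes the "expunge and close mail stream" line on every folder close, including mail-trash above, which held 0 messages, so that line alone does not show a deletion; comparing a folder's message count at open with the count from an earlier run is the stronger signal.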

7) .pinedebug3 from May 1. I’ve removed the long middle section from this log (it appears in full in 6), above), but the original is available. He seems only to look at the mail indexes during this incident.


Debug output of the Pine program (debug=2 debug_imap=0). Version 4.56 (LNX)
Sat May 1 21:19:06 2004


"pine" <no args>

Setting home dir from $HOME: "/home/sites/site12/users/charlie"

-- init_pinerc --

Global config "/usr/local/lib/pine.conf" is default
Personal config "/home/sites/site12/users/charlie/.pinerc" is default
Exceptions config not set on cmdline
checking for default "/home/sites/site12/users/charlie/.pinercex" in pinerc dir
no, there is no exceptions config

Global config: /usr/local/lib/pine.conf
Personal config: /home/sites/site12/users/charlie/.pinerc
Exceptions config:
Fixed config: /usr/local/lib/pine.conf.fixed

reading_pinerc "/usr/local/lib/pine.conf"
Open failed: No such file or directory
reading_pinerc "/home/sites/site12/users/charlie/.pinerc"
Read 15782 characters:
reading_pinerc "/usr/local/lib/pine.conf.fixed"
Open failed: No such file or directory

[...options snipped...]

Userid: charlie
Fullname: "Charlie Skelton"
User domain name being used ""
Local Domain name being used "walltowalladmin.co.uk"
Host name being used "ns.walltowalladmin.co.uk"
Mail Domain name being used (by c-client too)"ns.walltowalladmin.co.uk"
new win size -----<25 80>------
Terminal type: ansi
About to open folder "INBOX" inbox: "INBOX"
Opened folder "/var/spool/mail/charlie" with 8 messages
Sorting by Arrival
Want_to read: y (121)
---- write_pinerc(Main) ----
wrote pinerc: /home/sites/site12/users/charlie/.pinerc: time_pinerc_written = 1083442755


---- MAIN_MENU_SCREEN ----
=== folder_screen called ====


---- FOLDER LISTER ----
About to open folder "INBOX" inbox: "INBOX"


---- MAIL INDEX ----


---- INDEX MANAGER ----
MAIL_CMD: going to folder/collection menu
=== folder_screen called ====


---- FOLDER LISTER ----


---- MAIN_MENU_SCREEN ----


---- QUIT SCREEN ----
Want_to read: y (121)
goodnight_gracey:
- completely_done_with_adrbks -
expunge and close mail stream "/var/spool/mail/charlie"
about to end_tty_driver
goodnight_gracey finished

8) .pinedebug2 from May 3rd, with the central section again snipped. In this case, the user looks at some messages in the inbox, and triggers a problem when attempting to view an HTML mail: pine can't find a mime.types file to read it with. It also claims to expunge a message at the end: we'd like to know whether this means he's been deleting Charlie's mail.


Debug output of the Pine program (debug=2 debug_imap=0). Version 4.56 (LNX)
Mon May 3 01:00:36 2004


"pine" <no args>

Setting home dir from $HOME: "/home/sites/site12/users/charlie"

-- init_pinerc --

Global config "/usr/local/lib/pine.conf" is default
Personal config "/home/sites/site12/users/charlie/.pinerc" is default
Exceptions config not set on cmdline
checking for default "/home/sites/site12/users/charlie/.pinercex" in pinerc dir
no, there is no exceptions config

Global config: /usr/local/lib/pine.conf
Personal config: /home/sites/site12/users/charlie/.pinerc
Exceptions config:
Fixed config: /usr/local/lib/pine.conf.fixed

reading_pinerc "/usr/local/lib/pine.conf"
Open failed: No such file or directory
reading_pinerc "/home/sites/site12/users/charlie/.pinerc"
Read 15782 characters:
reading_pinerc "/usr/local/lib/pine.conf.fixed"
Open failed: No such file or directory

[....options snipped...]

Userid: charlie
Fullname: "Charlie Skelton"
User domain name being used ""
Local Domain name being used "walltowalladmin.co.uk"
Host name being used "ns.walltowalladmin.co.uk"
Mail Domain name being used (by c-client too)"ns.walltowalladmin.co.uk"
new win size -----<25 80>------
Terminal type: ansi
About to open folder "INBOX" inbox: "INBOX"
Opened folder "/var/spool/mail/charlie" with 18 messages
Sorting by Arrival


---- MAIN_MENU_SCREEN ----
=== folder_screen called ====


---- FOLDER LISTER ----
About to open folder "INBOX" inbox: "INBOX"


---- MAIL INDEX ----


---- INDEX MANAGER ----


----- MAIL VIEW -----
mt_browse: FAILED open(/home/sites/site12/users/charlie/.mime.types) : No such file or directory.
mt_browse: FAILED open(/etc/mime.types) : No such file or directory.
mt_browse: FAILED open(/usr/local/lib/mime.types) : No such file or directory.
-- html