◆ SpookStack

(a) the New York Times administrative database (admin_db) and the Op-Ed database (Oped_db) as they existed prior to the intrusion; (b)} the New York Times administrative database (admin_db) and the Op-Ed database (Oped_db) as they existed after the intrusion; {c) log files* from the proxy server accessed by the intruder; (d) log files from various other servers on the NYT Intranet; {e) an email automatically generated by the New York Times’ computer network when a new user identification is created reflecting that the Eric Yee user identification was created on February 20, 2002 at 8:10 p.m. EST; and (£) the user identification numbers/passwords (“userids/passwords”) associated with five LexisNexis accounts created by the fictitious Eric Yee user account. 8. I have analyzed the materials provided by the New York Times described in paragraph 7 above and, based on that analysis and conversations with various New York Times personnel, have determined the following: (a} New York Times server logs reflect that an intruder had compromised the NYT Intranet at least as early as February 14, 2002. {b) Between on or about February 14, 2002 and on or about February 26, 2002, New York Times Intranet server logs reflect that an intruder repeatedly accessed the New York Times Intranet through a New York Times proxy server and queried various directories on the servers, modified news stories saved on the server, and modified various databases. (c) an email automatically generated on February 20, 2002 at 8:10 p.m. EST by the New York Times computer network with the subject ‘Change in stafflist” reflects that at that date and time the intruder, using the superuser account of a former New York Times employee, created a new superuser account under the 8 hog files lists actions that have occurred in connection with a computer server. For example, Web servers maintain log files listing every request made to the server. -6- FBI(19-cv-1495)-234