Archive for the ‘Web Security’ Category

Compression and Massive Logging to flatfiles for DDOS logging

Monday, January 2nd, 2012

While working with a DDOS attack that has gone on for over two years, we have learned that varnishncsa is not the best logging platform out there. While Varnish does a superb job at protecting the site, the logging leaves a little to be desired. A kill/varnishncsa redirect script runs every night at midnight, logrotate compresses the files and we’re left with a big set of logfiles that don’t represent the entire picture.

Because we’re firewalling attacker IPs, our logs only show the requests that make it through the firewall, which minimizes the data that we can collect. From a forensic analysis standpoint, that makes the collected data less valuable. As a result, we need to collect the data off a span port. Even though it is a denial of service attack against the web, it is good to log all TCP/UDP/SYN traffic on the machine to make sure we register everything.

In an ideal world, the machine should have three ethernet ports, or you should do this monitoring from another machine. However, this is a component of the ISO I’m putting together that can be used as a front-end proxy-cache that logs the attacks. The concept is to create an ISO or USB stick installation that sets up Varnish, IPSet, this logger and the blocker that adds the rules to IPSet.

Tux, a kernel mode HTTP accelerator, used to log to a compressed file and had a tux2w3c helper that would convert the logs to an ASCII readable format that could be processed by weblog software. Since we’re not logging the actual web request, but the TCP packet received, we have a lot more information that we can look at. Our analysis software can look for markers within that data to make decisions and send rules to IPSet, so that the machine self-protects and self-heals through the use of expiration times on the rules.

Initially I believe the log format will look something like this:

<timestamp><attacker ip><countrycode><attacked IP><port><tcp payload>

A tool to output the logfile in an ASCII readable form will be written as well so that the data can later be analyzed. Each row will be bzip2 compressed so that the daemon can run endlessly. Logfile names will be portlog.incidentid.20120102 and won’t require rotation. I suspect it might be worthwhile to later allow the logfile to include the hour, resulting in 24 files per day.
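One way the row format, the per-row bzip2 compression and the ASCII dump tool described above could fit together, as an added example that is not code from the original post. The field widths, the length prefix in front of each compressed row, the escaping of the payload and the sample addresses are assumptions made for illustration.

```python
import bz2
import io
import socket
import struct
from datetime import datetime, timezone

# Assumed layout (the post names the fields, not their widths): epoch seconds,
# attacker IPv4, 2-letter country code, attacked IPv4, port, payload length.
HEADER = struct.Struct("!I4s2s4sHH")
FRAME = struct.Struct("!I")  # length prefix so rows can be appended forever


def logfile_name(incident_id, ts):
    """portlog.<incidentid>.<YYYYMMDD>: one file per UTC day, no rotation."""
    day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d")
    return f"portlog.{incident_id}.{day}"


def pack_row(ts, attacker_ip, country, attacked_ip, port, payload=b""):
    """Build one row and bzip2-compress it on its own."""
    if len(country) != 2 or len(payload) > 0xFFFF:
        raise ValueError("country must be 2 letters, payload at most 65535 bytes")
    header = HEADER.pack(int(ts), socket.inet_aton(attacker_ip),
                         country.encode("ascii"), socket.inet_aton(attacked_ip),
                         port, len(payload))
    blob = bz2.compress(header + payload)
    return FRAME.pack(len(blob)) + blob


def read_rows(stream):
    """Yield complete rows; stop quietly at a row cut off by a daemon kill."""
    while True:
        prefix = stream.read(FRAME.size)
        if len(prefix) < FRAME.size:
            return
        (size,) = FRAME.unpack(prefix)
        blob = stream.read(size)
        if len(blob) < size:
            return
        raw = bz2.decompress(blob)
        ts, src, cc, dst, port, plen = HEADER.unpack_from(raw)
        yield {
            "ts": ts,
            "attacker_ip": socket.inet_ntoa(src),
            "country": cc.decode("ascii"),
            "attacked_ip": socket.inet_ntoa(dst),
            "port": port,
            "payload": raw[HEADER.size:HEADER.size + plen],
        }


def to_ascii(row):
    """One printable line per row. The payload is attacker-controlled, so CR/LF
    and non-ASCII bytes are escaped to keep it from forging extra log lines."""
    when = datetime.fromtimestamp(row["ts"], tz=timezone.utc)
    text = row["payload"].decode("latin-1").encode("unicode_escape").decode("ascii")
    return " ".join([when.strftime("%Y-%m-%dT%H:%M:%SZ"), row["attacker_ip"],
                     row["country"], row["attacked_ip"], str(row["port"]),
                     text or "-"])


def demo():
    """Constructed sample: a bare SYN (no payload) and one HTTP request."""
    ts = 1325462400  # 2012-01-02T00:00:00Z
    log = io.BytesIO()  # stands in for open(logfile_name(...), "ab")
    log.write(pack_row(ts, "203.0.113.7", "ZZ", "192.0.2.10", 80))
    log.write(pack_row(ts + 1, "203.0.113.7", "ZZ", "192.0.2.10", 80,
                       b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    log.seek(0)
    return [to_ascii(row) for row in read_rows(log)]


if __name__ == "__main__":
    print(logfile_name("incidentid", 1325462400))
    print("\n".join(demo()))
```

Compressing each row separately pays bzip2's fixed per-stream overhead every time, so short rows such as bare SYNs come out larger than their raw form.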

SetUID versus www-data

Tuesday, October 25th, 2011

For years I’ve been an advocate of running apache as www-data rather than SetUID.

Quickly, an explanation of the differences:

www-data

The Apache (or alternate webserver) runs as a low privilege account, usually www-data or httpd or a similarly named user/group. When a request is served, the low privilege Apache process needs to have access to read the file, which usually means that the files must be world readable and the directories world executable. As such, any rogue process on the machine that knows the filesystem structure could traverse the filesystem and read files such as wp-config.php. Preventing that traversal becomes difficult if one can read config files and know which domains are served from that machine. A predictable filesystem layout makes the traversal easier. However, any file that is not world writable cannot be modified by the web process. This is why an exploit running on a site is only able to write to particular directories – usually ones that are made world writable to allow uploads.

SetUID

In this case, the server takes the request, then changes the UID to the user account that owns the files. Traversing the filesystem to find files like wp-config.php becomes difficult if the file and directory permissions are set correctly. The web process is the user, so it is able to write to any file – just as it could with your FTP account. An exploit that is loaded can now modify any file in your FTP account.

Why www-data or SetUID

While www-data has some shortcomings, SetUID is immensely more popular for two reasons: It avoids trouble tickets where people can’t understand why their application can’t upload a file to a directory, and, it protects the user’s files from being read by other people also running on that machine.

There is another mode that can be used – running the web server as www-data, but, running suPHP which spawns php processes as a particular user, while the webserver itself still runs in low privilege mode. Any PHP script still has the permission to write files on the filesystem, but, CGI/WSGI scripts would not have the ability to write to those files.

While I’m not a real fan of SetUID, one of the projects we’re working on will use it mostly to avoid the common questions regarding why this directory needs to be chmod 777 and it will cut down on the support tickets.

As a result, we need to plan for multiple generations of backups because rather than get trouble tickets regarding applications that can’t write files, we’ll be getting trouble tickets from users that have had their sites exploited and every file modified – rather than just the files in the directories that have been given permission.

I do have another theory on how to deal with this with groups. Basically, you would still run the webserver in a low privilege mode, but, it would switch to www-data.usergroup which would prevent traversal, and, the user could selectively allow group write on directories that needed it. Since usergroup would be given read access, a script running as a different user would not be able to traverse the directory since each user’s tree would be owned by their user:group.

I guess we would call this SetGID hosting.
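A sketch of how a user's tree could be checked against the group-based layout described above, as an added example and not code from the original post. It assumes the layout means: no world permission bits anywhere, one group across the whole tree, and group write only on the directories the user has chosen; the function name, the messages and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, group_writable=()):
    """Return (relative path, problem) pairs for one user's tree.

    group_writable lists the directories (relative to root) where the user
    has deliberately granted group write, for example an upload directory.
    """
    allowed = {os.path.realpath(os.path.join(root, d)) for d in group_writable}
    tree_gid = os.lstat(root).st_gid  # every entry should share this group
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]

    findings = []
    for path in sorted(paths):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no meaning
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            # Any "other" bit lets a different user's script reach this entry.
            findings.append((rel, "world access"))
        if st.st_gid != tree_gid:
            findings.append((rel, "group differs from tree"))
        if mode & stat.S_IWGRP and os.path.realpath(path) not in allowed:
            # The web process (running with the user's group) could modify it.
            findings.append((rel, "group write not granted"))
    return findings


def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    layout = [  # (name, is_dir, mode)
        ("uploads", True, 0o770),         # intended: user opted in
        ("cache", True, 0o777),           # the classic "chmod 777" directory
        ("wp-config.php", False, 0o640),  # intended: owner rw, group read
        ("index.php", False, 0o644),      # readable by every account
    ]
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o750)
        for name, is_dir, mode in layout:
            path = os.path.join(root, name)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        return audit_tree(root, group_writable=["uploads"])


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```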

vBulletin spam signup email addresses, combatting the problem

Thursday, March 3rd, 2011

A while back I had corresponded with Google’s spam team regarding a pattern I had discovered and sent it off to some people. It appears that they used some of that to clean up the search results removing this particular type of spam, but, the source of the problem still exists. Over the past 60 days, a particular client’s vBulletin site has received 2670 signups, over half using gmail addresses. A group of three people have independently looked at every signup to verify that these indeed do fit the spam pattern.

It appears an outsourcing company is hired to sign up, but is given a list of email addresses to choose from. Signup and verification always take place from radically different IPs, so we can assume that the people doing the actual signup have no idea that their verification email never goes out. This is confirmed by the fact that they use multiple periods in their Gmail address to make the email address appear to be unique. We modified vBulletin to strip out the . and truncate at the +; once we’ve determined that the cleaned email address has already been seen, it is instantly banned. We opted to allow the signups to be registered rather than saying that the email was in use.

A slight background to the issue. Google allows one to use a . or + in the email address, and the result resolves to the same destination address. While I like that feature and have used it in the past, vBulletin appears to ignore this fact. So, the email address bobjones@gmail.com goes to the same destination as bob.jones@gmail.com and bob.j.ones@gmail.com. Likewise, you can use the + in the email address to signify the source of the email. So, bob.jones+twitter@gmail.com might signify that the email came from your Twitter profile and bob.jones+facebook@gmail.com comes from your Facebook profile. Since they end up at the same place, Google is a perfect way to have hundreds of email addresses that appear to be unique but are delivered to the same destination. This means your validation script can check fewer mailboxes, decode the validation email looking for the link, and automatically click it.

Initially our client installed Recaptcha, which increases the chance that a human is filling out the form. Based on the number of resubmissions, I’m reasonably certain that a human is doing the data entry and they aren’t cracking Recaptcha.

I figured at one point these were created accounts, but, some of the names are so specific, one would have to assume that perhaps there are some compromised email accounts in here as well. If you glance through the list, you’ll see judicious use of the . and + to try to create unique email addresses.

The first thing we did was write a plugin that hooked into the signup process and cleaned up the email addresses. The second thing we did was look for a signup that took place in a country different from the verification click. Oftentimes they used proxy servers, so, using a few of the proxy DNS blacklists, we were also able to make an educated guess that the signups were probably going to post spam. The first post at the board is moderated using Akismet for any that slip through, but this method appears to be fairly good at hitting the right ones: out of 2691 signups, it detected 2670 spam signups with 1 false positive. The false positive was a tough one. Even looking at the signup data, the IP addresses used for the signup request and the validation were in separate countries according to MaxMind’s GeoIP database (the person signed up at work, drove home across a country border in Europe, and validated his email address from home). We also changed the registration form and put a second link above the first that said:

If you didn’t intend to sign up, click this link

For a few days, their spider was hitting the first link, banning the account for us. Often times there was a delay of a few days between an account that was validated and the first post.

If you look at the list, you can see where they have attempted to obfuscate the email address, and in some cases, are using the + to insert a counter. Based on the posts that were made, it suggests we might have more than one group actually spamming, all outsourcing the account creation to the same company.

Spammers are resourceful. It is a shame there isn’t a way to get these email addresses shut down to squelch some of the spam at the source.

Since starting this post, eight more signups came in, bringing the average to roughly 90 signups per day.

In short:

* Check a ‘cleaned’ email against the database, i.e. remove the . and truncate at the + for gmail/googlemail accounts
* Use Recaptcha
* Alter the signup form to include a link to decline the signup
* Look at the Signup IP and the validation IP
* Validate Signup IP isn’t coming from a proxy
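The email cleanup and the IP-based signals from the list above, as an added example in Python rather than the vBulletin plugin itself. The class and function names are hypothetical, and the country codes and proxy flag are assumed to be resolved by the caller (for instance from a GeoIP database and a proxy DNS blacklist); the usernames and example.com address are constructed.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def clean_email(address):
    """Reduce an address to the mailbox it is delivered to.

    For gmail/googlemail only: drop every '.', truncate at the first '+'.
    Other domains are left alone apart from lower-casing, because their
    handling of '.' and '+' is not known.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com reaches the same mailbox
        if not local:
            raise ValueError(f"nothing left after cleaning: {address!r}")
    return f"{local}@{domain}"


class SignupScreen:
    """Collects the signals per account; the caller decides what to ban.

    The signup itself is always accepted, matching the choice described in
    the post not to tell the submitter that the email is already in use.
    """

    def __init__(self):
        self.first_owner = {}     # cleaned email -> first username seen
        self.signup_country = {}  # username -> country code at signup

    def register(self, username, email, country, via_proxy=False):
        reasons = []
        owner = self.first_owner.setdefault(clean_email(email), username)
        if owner != username:
            reasons.append(f"duplicate mailbox of {owner}")
        if via_proxy:
            reasons.append("signup IP on proxy blacklist")
        self.signup_country[username] = country
        return reasons

    def validate(self, username, country):
        """Called when the verification link is clicked."""
        if self.signup_country[username] != country:
            # A signal, not proof: the post's one false positive was a user
            # who signed up at work and validated at home across a border.
            return ["validation country differs from signup"]
        return []


def demo():
    """Constructed signups built on the bobjones@gmail.com example."""
    screen = SignupScreen()
    return [
        screen.register("user1", "bobjones@gmail.com", "US"),
        screen.register("user2", "bob.j.ones+facebook@gmail.com", "US",
                        via_proxy=True),
        screen.register("user3", "bob.jones@example.com", "US"),
        screen.validate("user1", "US"),
        screen.validate("user3", "DE"),
    ]


if __name__ == "__main__":
    for reasons in demo():
        print(reasons or "clean")
```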

mis.hapetrovtrueman@gmail.com
mishape.trovtrueman@gmail.com
m.ishapetrovtrueman@gmail.com
m.i.shapetrovtrueman@gmail.com
misindas@gmail.com
m.j.pru.v@gmail.com
mk.felirag703@gmail.com
moipismakatalog@gmail.com
moncreiffafa.j@gmail.com
moneybettips2@gmail.com
moneybettips@gmail.com
monikafotyga+f1kor@gmail.com
monikafotyga+f65jor@gmail.com
monikafotyga+for@gmail.com
monikafotyga+lkkk@gmail.com
monikafotyga+lkns@gmail.com
morgonkrisqut@gmail.com
morisserd@gmail.com
mosisia549@gmail.com
moskiwomen@gmail.com
mrharrypotters@gmail.com
msuengmaster@gmail.com
myfortuna02@gmail.com
myrealacc123@gmail.com
nadenekornprobst@gmail.com
nadezdarewosar@gmail.com
nadezda.rewosar@gmail.com
n.aetymioslwec.c.a@gmail.com
n.aetymioslwecc.a@gmail.com
n.aetymioslwec.ca@gmail.com
naetymios.l.wec.ca@gmail.com
naetymios.lwec.ca@gmail.com
naetymioslwec.ca@gmail.com
n.aetymioslw.ecca@gmail.com
n.aetymiosl.wec.ca@gmail.com
n.a.ety.mioslwecca@gmail.com
n.a.etymioslwecca@gmail.com
n.ae.tymioslwecca@gmail.com
n.aet.ymioslwecca@gmail.com
n.aety.mioslwecca@gmail.com
n.aetym.i.o.slwecca@gmail.com
n.aetym.ioslwecca@gmail.com
n.aetymio.slwecca@gmail.com
nafisanealbor@gmail.com
nakeeco@gmail.com
nakiyahdahlquist49@gmail.com
nanglekerwtec@gmail.com
napierprinxux@gmail.com
nata.erem@gmail.com
nathanialjoshuafof81591@gmail.com
ndrwjava@gmail.com
nehieeqadaluso25955@gmail.com
neillpagiexuz@gmail.com
neishamaclraj@gmail.com
nereislisedej@gmail.com
nerobapupilaj@gmail.com
nertyasoifnanert@gmail.com
ne.wunwanted@gmail.com
newunwanted@gmail.com
newunwa.nted@gmail.com
newu.nwanted@gmail.com
ngyoung166@gmail.com
nicevehozebyb@gmail.com
nicole.spencera@gmail.com
niiokr2012@gmail.com
niiokr.2012@gmail.com
nikdimsik@gmail.com
nikolao.aleksandro@gmail.com
nikolasmir@gmail.com
nikolaysmaruhin@gmail.com
nikolfal@gmail.com
ninarie10@gmail.com
nirvikarmuruw@gmail.com
nivupalufitxh@gmail.com
nobenome777@gmail.com
noeliajacquelynnecbb426@gmail.com
nolan.mitch@gmail.com
nongtjpg375@gmail.com
normand.evans@gmail.com
normavillsbat@gmail.com
nowa.chroma3@gmail.com
now.pharmacy@gmail.com
nozaegu@gmail.com
numseba@gmail.com
nurcombetusax@gmail.com
nuthbettelapi@gmail.com
.n.uzagib@gmail.com
odellmacilgaj@gmail.com
oferte.site.imob@gmail.com
offiegianonec@gmail.com
ohesogymoiseym13898@gmail.com
olacide@gmail.com
oldegetr@gmail.com
oleggry.aznov@gmail.com
o.mn.ad.re.n.1.9.8.7@gmail.com
onarovo@gmail.com
ortiz7chester@gmail.com
ostindalgepof@gmail.com
otdixinf@gmail.com
o.teliaqua.llisons@gmail.com
otikase@gmail.com
owamago@gmail.com
oxwblakedeclaratory@gmail.com
oyfepeupenyjof@gmail.com
p.a.c.i.e.n.c.a.c.of.ol@gmail.com
papaharabrsut@gmail.com
paulglobusus@gmail.com
pavlosburdhes@gmail.com
pc.color.man@gmail.com
pedersonisudeir1666@gmail.com
pedranballsal@gmail.com
persist213@gmail.com
peterwllrx@gmail.com
petetongisnow@gmail.com
petka1924@gmail.com
petroshv@gmail.com
p.etu.nixipi.qid@gmail.com
pevijivovefmm@gmail.com
pewonovubeqfq@gmail.com
pharmacybestse.l.l.e.rs@gmail.com
phenusa05@gmail.com
piperjohnstonkobe@gmail.com
pispipi.s@gmail.com
pi.s.pi.pi.s@gmail.com
pi.s.p.i.pis@gmail.com
pisyakamushkin5@gmail.com
plvz10.26@gmail.com
podiakova1@gmail.com
postulate599@gmail.com
pr.o.g.e.k.t.8@gmail.com
pro.g.e.k.t.8@gmail.com
prog.e.k.t.8@gmail.com
proge.k.t.8@gmail.com
p.r.ogekt8@gmail.com
p.r.o.g.e.k.t.8@gmail.com
p.r.o.g.e.k.t8@gmail.com
p.r.o.g.e.kt8@gmail.com
p.r.o.g.ekt8@gmail.com
p.r.o.gekt8@gmail.com
p.r.og.e.kt.8@gmail.com
progek.t.8@gmail.com
programmas9@gmail.com
pro.momehc@gmail.com
propoval54@gmail.com
puerhbeautytea@gmail.com
qelifasecuvbi@gmail.com
qequbuqirawch@gmail.com
qhnavwrv8242@gmail.com
qhnavwrv.8242@gmail.com
qh.na.vwrv.8242@gmail.com
qh.na.vwrv.82.42@gmail.com
quinnschw.artz911@gmail.com
qwertyuiopasdfghjklz2cvbnm123@gmail.com
qwertyuiopasdfghjklz2cvbnm12.3@gmail.com
qwertyuiopasdfghjklz2cvbnm1.2.3@gmail.com
qwertyuiopasdfghjklz2cvbnm.1.2.3@gmail.com
qwertyuiopas.d.f.g.h.j.k.l.z.2.cv.b.n.m.12.3@gmail.com
qwertyuiopas.d.f.g.h.j.k.l.z.2.c.v.b.n.m.1.2.3@gmail.com
qwertyuiopasdfghjklzxcvbnm262@gmail.com
qws25198@gmail.com
qy2x1su@gmail.com
r7lmvdo@gmail.com
rahenadibirfx+Beecefluide@gmail.com
rahenadibirfx+skangeantarce@gmail.com
rananafronwox@gmail.com
rarkoepa@gmail.com
rashaadchasor@gmail.com
rashadklasnoz@gmail.com
rashford2@gmail.com
raymond.bland4564@gmail.com
rdyftyxymtsxfuddj.aaa@gmail.com
rdyftyxymtsxfudd.jaaa@gmail.com
rdyft.yxymtsxfuddjaaa@gmail.com
rdyftyxy.mtsxfuddjaaa@gmail.com
rdyftyxymtsx.fuddjaaa@gmail.com
rdyftyxymts.xfuddjaaa@gmail.com
rdyftyxym.tsxfuddjaaa@gmail.com
reboot5671@gmail.com
rebornxt@gmail.com
rech.markwardt2845@gmail.com
redalig@gmail.com
reginalnovzab@gmail.com
relcaze@gmail.com
remrooms@gmail.com
renegatebzrw@gmail.com
renold.s674@gmail.com
re.nolds6.74@gmail.com
re.nold.s674@gmail.com
r.en.olds674@gmail.com
ren.olds674@gmail.com
r.enold.s674@gmail.com
repalubifoxit@gmail.com
resewopen@gmail.com
reynoldgawainmcclave@gmail.com
ri..c.h.ar.dgive.n1@gmail.com
r.ich.ar.d.g.i.v.e.n1@gmail.com
r.i..c.h.a.r..d.g.i.v.e.n.1@gmail.com
r.i.c.h.a.r.d.g.i.v.e.n.1@gmail.com
r.i.c.h.a.r.d.g.i.v.e.n1@gmail.com
r.ic.h.a.r.d.g.i.v.e.n1@gmail.com
r.ich.a.r.d.g.i.v.e.n1@gmail.com
r.ich.ar.dgiven1@gmail.com
r.i.c.h.a.r..d.g.i.v.e.n.1@gmail.com
r.ichy.1001@gmail.com
rich.y.1.0.01@gmail.com
richy1001@gmail.com
ricoplermo@gmail.com
riddickeyrrad@gmail.com
rikobenninbeh@gmail.com
riosjaime85@gmail.com
risottoania@gmail.com
ritormaliks@gmail.com
robertgiovannis@gmail.com
robertyolessi@gmail.com
rodaheqarizgq@gmail.com
rodgercooperew@gmail.com
rolland.megeadu.strickland@gmail.com
roman.kimm@gmail.com
romanrmn8@gmail.com
rosalinaswatlovski@gmail.com
rosalindahpex@gmail.com
rosetteschnettler94@gmail.com
rotages@gmail.com
rr9aco3@gmail.com
rubymarklelav@gmail.com
Rudberhard43ha1@gmail.com
ruleima@gmail.com
rutka7377@gmail.com
rxcborg@gmail.com
rxjbdbry.7@gmail.com
rxjbdbr.y7@gmail.com
rxjbdb.ry7@gmail.com
rxjbd.bry7@gmail.com
sabrina.torchwuk@gmail.com
sadoownik@gmail.com
s.adss.e.rrxf.ss@gmail.com
sadsserrxfss@gmail.com
samanthasomers@gmail.com
Samoniefer43ha1@gmail.com
samuellahenderson@gmail.com
s.amuellawashington@gmail.com
sa.muellawashington@gmail.com
samuellawashington@gmail.com
sandieg.oplumbingplumbers@gmail.com
sandiegoplumbingplumbers@gmail.com
sandy.florea@gmail.com
sara.a.jennings@gmail.com
saradoudneboz@gmail.com
sa.shabeheler@gmail.com
s.ashabeheler@gmail.com
s.a.shabeheler@gmail.com
sashabeheler@gmail.com
satecarid@gmail.com
savitske@gmail.com
sccromms@gmail.com
scottandyou@gmail.com
scrapeboxautoapprovelist+15010@gmail.com
scrapeboxautoapprovelist+1506310@gmail.com
scrapeboxautoapprovelist+17363@gmail.com
scrapeboxautoapprovelist+17363@gmail.com
scrapeboxautoapprovelist+2973@gmail.com
scrapeboxautoapprovelist+52739@gmail.com
scrapeboxautoapprovelist+564@gmail.com
scrape.boxautoapprovelist+6268@gmail.com
scrape.boxautoapprovelist+628@gmail.com
scrapeboxautoapp.rovelist+6381@gmail.com
scrapeboxautoapprovelist+6381@gmail.com
scrapeboxautoapprovelist+6400@gmail.com
scrap.eb.ox.au.t...oa.......p.....p.r...ovelist@gmail.com
scrapeboxauto...approv..e.list@gmail.com
scrapeboxaut.o...approv..e.list@gmail.com
scrap.eb.ox.au.t...oap.....p.r...ovelist@gmail.com
sdf454dfdfsdf@gmail.com
sebahiveblpor@gmail.com
securelet.i.s@gmail.com
sefahalbardal@gmail.com
selitog@gmail.com
senator.34234@gmail.com
se.nator34234@gmail.com
sen.ator34234@gmail.com
seoanalitikass@gmail.com
seo.james.seo@gmail.com
seoumx@gmail.com
serevdsiart@gmail.com
serganovv@gmail.com
ser.ge.i.p.ol.ik@gmail.com
ser.gei.polik@gmail.com
sergeipo.lik@gmail.com
serguniov76@gmail.com
s.eriutnerrkin@gmail.com
shalmaike.sga.r@gmail.com
shalmaike.sg.ar@gmail.com
sharniehamhaf@gmail.com
sharrington39@gmail.com
shaunhalmkcet@gmail.com
shawna.mcgaughey5250@gmail.com
sheilahgalxip@gmail.com
shelbyarnoldjf@gmail.com
shelleypeacock092@gmail.com
shoshanafldeg@gmail.com
shtyrlez22@gmail.com
shuanon2@gmail.com
shyamfugglwud@gmail.com
shylagrey88@gmail.com
sinners.ru@gmail.com
sipulin1981@gmail.com
skfbjkljakrea@gmail.com
slmnsvtvsvt5@gmail.com
slvmark@gmail.com
sofronbezumov1258@gmail.com
sonlex40002008@gmail.com
soundblue2@gmail.com
southerlannis@gmail.com
s.paceboy3.01@gmail.com
s.pac.eboy31.0@gmail.com
s.paceb.oy31.0@gmail.com
space.b.oy31.0@gmail.com
spamaster12@gmail.com
spamdemadera@gmail.com
speed66999@gmail.com
ssabilisyssf@gmail.com
sstbdab@gmail.com
s.tal1.2l.ion@gmail.com
s.tal1.2l.io.n@gmail.com
stal1.2.lion@gmail.com
stanislasbro@gmail.com
stanleybeasleywo@gmail.com
s.tarandreg@gmail.com
sta.randreg@gmail.com
stefaniebrin@gmail.com
s.tepangalustyan@gmail.com
stepanmorozo@gmail.com
stepfekla@gmail.com
strankochiro@gmail.com
strelalidbes@gmail.com
strongrtewuy@gmail.com
sucuobu@gmail.com
sudewehapebke@gmail.com
sullivanfaustino@gmail.com
su.mmei1992@gmail.com
summit2484@gmail.com
sunshinesymy@gmail.com
surendrabapip@gmail.com
svetikbool@gmail.com
svetiksemicvetiks@gmail.com
tabhealth@gmail.com
tabithx@gmail.com
tackbinso@gmail.com
taikichecococ@gmail.com
tamabek@gmail.com
t.amiemitchtej@gmail.com
tamiemitchtej@gmail.com
tarquiniusvad@gmail.com
tatushca@gmail.com
tbchrisdog2@gmail.com
tbchrisdog4@gmail.com
tdssuccess@gmail.com
ted699@gmail.com
teddylavoniac@gmail.com
teklabeauskas@gmail.com
temamcmaincel@gmail.com
theinternetmarketerin@gmail.com
th.elor.dofthe.rings2k@gmail.com
thomasbauer1986@gmail.com
th.omasbauer1986@gmail.com
thwaitebonhad@gmail.com
tibaiwu@gmail.com
tierraandrhuf@gmail.com
titsotu@gmail.com
tiuimaike@gmail.com
t.ommyebrahm@gmail.com
tonishanorpub@gmail.com
tonis.han.orpub@gmail.com
topwrinkleserumcom@gmail.com
tracey.stephensp@gmail.com
traci.molloy6429@gmail.com
trafunal15@gmail.com
tranajag@gmail.com
tran.ajag@gmail.com
trand.omenic130@gmail.com
trando.menic130@gmail.com
trandom.enic130@gmail.com
tranglerow+asa@gmail.com
tranglerow+cnr1@gmail.com
trasteembable@gmail.com
trisem3@gmail.com
trollacar@gmail.com
trololo.bleat@gmail.com
trooperkoopa2@gmail.com
troychristian8@gmail.com
tuqukavozucap@gmail.com
u6n6fs6@gmail.com
ucelelitoo@gmail.com
u.dap.ore@gmail.com
u.dapore@gmail.com
udardubinoy@gmail.com
ugorlof@gmail.com
uguyti97ut@gmail.com
ultram.ultram@gmail.com
umerwilke55@gmail.com
ur.h.oma.r.d.lesax@gmail.com
ur.h.omardlesax@gmail.com
userator1@gmail.com
u.t.o.m.a.s.z.1.1@gmail.com
ut.o.m.a.s.z.1.1@gmail.com
uweriotp@gmail.com
uyewqfdgfhgiuyhgf@gmail.com
uyfznyb@gmail.com
vadikgps@gmail.com
vamanalethlix@gmail.com
vanadevifiqow@gmail.com
vanyaseo13@gmail.com
vasil77@gmail.com
vasilisaandreeva2.010@gmail.com
vasilywasheretooften@gmail.com
Veceaccewly@gmail.com
venuskrukowski@gmail.com
viagrapillsbest@gmail.com
vikloader@gmail.com
v.i.k.loader@gmail.com
v.i.k.l.oader@gmail.com
v.i.kloader@gmail.com
villefedorzuc@gmail.com
vinc.ebernard526@gmail.com
vince.bernard526@gmail.com
vincentyounggz@gmail.com
vinodhargr.jil@gmail.com
vip.outlet.net@gmail.com
virgin415@gmail.com
vladpetrova@gmail.com
vliwpm.xisaxdck@gmail.com
vmazakin+NadeAbnonna@gmail.com
volbarrientos@gmail.com
vtupolev2@gmail.com
wali.eduardoo@gmail.com
wangdagou19867@gmail.com
waquxakukawgo@gmail.com
weatherhorneb@gmail.com
webhosts123@gmail.com
weboazi@gmail.com
werrthrhrtzhtzjjujtzerhwtghgbh@gmail.com
wingslover112@gmail.com
winterhous.ess@gmail.com
wleddl3@gmail.com
wpmu12+99@gmail.com
wufireqorudfh@gmail.com
wuledak@gmail.com
x7pewpewpe.w@gmail.com
x7pewpewpew@gmail.com
xcvnxcdsfhs@gmail.com
xepokop1987@gmail.com
xioyhr0@gmail.com
xivahetelipte@gmail.com
xr551188@gmail.com
xrgodab.cdefghijklmnopqrstuvwyz@gmail.com
xrumer73@gmail.com
xrumer87@gmail.com
xxxpornlab@gmail.com
yaebashutmp1@gmail.com
yagisiduce18349@gmail.com
yasminexia.42@gmail.com
yhndcitf@gmail.com
yjoyloyhado@gmail.com
yo3rgd4ail@gmail.com
yogisahighcel@gmail.com
yourmail22221@gmail.com
yourmail@gmail.com
zanamorrisner@gmail.com
zbestwork@gmail.com
zd3unuq@gmail.com
zdonker@gmail.com
zegufal@gmail.com
zenobiabeediw@gmail.com
zimbo1988@gmail.com
zipperix@gmail.com
zivoabe@gmail.com
zivu.b.ez@gmail.com
zivub.ez@gmail.com
znak5000@gmail.com
zolnimagra@gmail.com
zuflemi@gmail.com
zugkeefu@gmail.com
zuridunikewvc@gmail.com
zuzamodbal@gmail.com

Hackers bypass .htaccess security by using GETS rather than GET

Friday, December 10th, 2010

Last night I received an urgent message from a client: “My machine has been hacked, someone got into the admin area, I need all of the details from this IP.”

So, I grepped the logs, grabbed the appropriate entries and saw something odd.

1.2.3.4 - - [09/Dec/2010:22:15:41 -0500] "GETS /admin/index.php HTTP/1.1" 200 3505 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
1.2.3.4 - - [09/Dec/2010:22:17:09 -0500] "GETS /admin/usermanagement.php HTTP/1.1" 200 99320 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
1.2.3.4 - - [09/Dec/2010:22:18:05 -0500] "GETS /admin/index.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"

A modified snippet of the .htaccess file:

AuthUserFile .htpasswd
AuthName "Protected Area"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>

Of course, we know GETS isn’t a valid method, but why is Apache handing out status 200s and content lengths that appear to be valid? We know the area was password protected through .htaccess, and with some quick keyboard work we confirmed that the system properly prompts for Basic Authentication when given a properly formed HTTP/1.0 request. Removing the <Limit> restriction from the .htaccess protects the site, but why are these other methods able to pass through? Replacing GETS with anything other than POST, PUT, DELETE, TRACK, TRACE, OPTIONS or HEAD results in Apache treating the request as if GET had been typed.

Let’s set up a duplicate environment on another machine to figure out what Apache is doing.

tsavo:~ mcd$ telnet devel.mia 80
Trying x.x.x.x...
Connected to xxxxxxx.xxx.
Escape character is '^]'.
GET /htpasstest/ HTTP/1.0    

HTTP/1.1 401 Authorization Required
Date: Fri, 10 Dec 2010 21:29:58 GMT
Server: Apache
WWW-Authenticate: Basic realm="Protected Area"
Vary: Accept-Encoding
Content-Length: 401
Connection: close
Content-Type: text/html; charset=iso-8859-1

Let’s try what they did:

tsavo:~ mcd$ telnet devel.mia 80
Trying x.x.x.x...
Connected to xxxxxxx.xxx.
Escape character is '^]'.
GETS /htpasstest/ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Fri, 10 Dec 2010 21:53:58 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 227
Connection: close
Content-Type: text/html; charset=iso-8859-1

Odd. This is the behavior we expected, but not what we are experiencing on the client’s machine. Digging a little further, we look at the differences and begin to suspect the machine may have been compromised. The first thing that struck us was mod_negotiation – probably not. mod_actions, maybe, but no. DAV wasn’t loaded, but Zend Optimizer was on the machine that appeared to have been exploited. Running the above test on the client’s machine resulted in… exactly the same behavior: method not supported. Testing the directory that was exploited, however, results in the GETS request being served as if it were a GET request.

So, now we’ve got a particular domain on the machine that is not behaving as the config files would suggest. A quick test on the original domain and, as expected, GETS responds with the data and bypasses the authorization clause in the .htaccess. Let’s try one more test:


# telnet xxxxxx.mia 80
Trying x.x.x.x...
Connected to xxxxxx.xxx.
Escape character is '^]'.
GETS /zend.php HTTP/1.1
Host: xxxxxx.xxx

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 22:02:33 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 602
Connection: close
Content-Type: text/html

Bingo. A Zend encoded file handed us a status 200 even though the request contained an invalid request method.

The solution in this case was simple, remove the <Limit> clause from the .htaccess.

The question is, is Zend Optimizer actually doing the proper thing here? Watching Apache with gdb, Zend Optimizer does appear to hook the Apache request handler a bit higher, but why is it attempting to correct an invalid request?

One of the first rules of input validation is to validate and reject on error. Never try to correct the data and accept it. If you try to correct it and make a mistake, you’re just as vulnerable, and hackers will try to figure out those patterns and add extra escaping into their URL requests. In this case, only a few pages could be displayed, as there were checks to make sure forms were POSTed. But the Limit in .htaccess that should have protected the application didn’t work as expected: <Limit GET POST> applies require valid-user only to the methods it names, and the invalid methods weren’t specified.

As so many applications on the web generate .htpasswd files with the Limit clause, it makes me wonder how many Zend Encoded applications are vulnerable. Take a minute to check your systems.
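One way to run that check, as an added example that is not part of the original post: the first function reports every <Limit> block that wraps a require directive, the second flags access-log entries where a non-standard method received a 2xx response. The function names, the set of methods treated as standard and the sample inputs are assumptions made for the example.

```python
import re

# Assumption: what this example counts as a standard method
# (the RFC 9110 methods plus PATCH).
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}

LIMIT_BLOCK = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.I | re.S)
REQUIRE = re.compile(r"^\s*require\b", re.I | re.M)
# Apache common/combined format: host ident user [time] "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^" ]+) ([^" ]+)[^"]*" (\d{3}) ')


def audit_htaccess(text):
    """Return the method list of each <Limit> block that wraps a Require.

    Such a block enforces authentication only for the methods it names;
    <LimitExcept> and an unwrapped Require are not reported.
    """
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop comment lines
    return [methods.upper().split()
            for methods, body in LIMIT_BLOCK.findall(text)
            if REQUIRE.search(body)]


def odd_method_hits(log_lines, prefix="/"):
    """Return (ip, time, method, path, status) for 2xx responses to
    requests under `prefix` whose method is not a standard one."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        if (method.upper() not in STANDARD_METHODS
                and status.startswith("2") and path.startswith(prefix)):
            hits.append((ip, when, method, path, int(status)))
    return hits


# Constructed samples, modelled on the .htaccess and log entries in the post.
SAMPLE_HTACCESS = """\
AuthUserFile .htpasswd
AuthName "Protected Area"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>
"""

SAMPLE_LOG = [
    '1.2.3.4 - - [09/Dec/2010:22:15:41 -0500] "GETS /admin/index.php HTTP/1.1" 200 3505 "-" "Mozilla/5.0"',
    '1.2.3.4 - - [09/Dec/2010:22:17:09 -0500] "GETS /admin/usermanagement.php HTTP/1.1" 200 99320 "-" "Mozilla/5.0"',
    '5.6.7.8 - - [09/Dec/2010:22:19:00 -0500] "GET /admin/index.php HTTP/1.1" 401 401 "-" "Mozilla/5.0"',
    '5.6.7.8 - - [09/Dec/2010:22:19:30 -0500] "GETS /htpasstest/ HTTP/1.0" 501 227 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for methods in audit_htaccess(SAMPLE_HTACCESS):
        print("Require limited to:", " ".join(methods))
    for hit in odd_method_hits(SAMPLE_LOG, prefix="/admin/"):
        print("non-standard method served:", hit)
```

A 501 for the odd method, as in the last sample line, is the expected rejection and is not reported; only the entries that were served count as hits.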

When mime-type validation isn’t enough

Thursday, November 11th, 2010

Recently a client’s machine had been accessed through some holes in his application. We were given access to the source code and started to figure out how the hacker was able to get in and execute code to elevate his privileges, post financial transactions and reset accounts.

The first places we looked were those where images could be uploaded to the system, as that is usually a very easy way to upload code. The file uploader checked for the presence of .gif/.jpg/.jpeg and checked the mime type, but the check merely made sure that .jpg was contained within the filename, not that it was anchored to the right-hand side. Looking through a number of directories where files could be written and be web accessible, we had a few possible locations to focus our efforts. We focused on two sections of code and came up with the following file:

00000000  ff d8 ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |......JFIF.....H|
00000010  00 48 00 00 ff db 00 43  00 01 01 01 01 01 01 01  |.H.....C........|
00000020  01 01 01 01 01 01 01 01  01 01 01 01 01 01 01 01  |................|
00000030  01 01 01 01 01 01 01 01  01 01 01 01 01 02 02 01  |................|
00000040  01 02 01 01 01 02 02 02  02 02 02 02 02 02 01 02  |................|
00000050  02 02 02 02 02 02 02 02  02 ff db 00 43 01 01 01  |............C...|
00000060  01 01 01 01 01 01 01 01  02 01 01 01 02 02 02 02  |................|
00000070  02 02 02 02 02 02 02 02  02 02 02 02 02 02 02 02  |................|
*
00000090  02 02 02 02 02 02 02 02  02 02 02 02 02 02 ff c2  |................|
000000a0  00 11 08 02 15 02 58 03  01 22 00 02 11 01 03 11  |......X.."......|
000000b0  01 ff c4 00 1e 00 00 00  06 03 01 01 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 04 05  06 07 08 09 00 02 03 0a  |................|
000000d0  3c 3f 70 68 70 20 65 63  68 6f 20 22 74 65 73 74  |<?php echo "test|
000000e0  22 3b 3f 3e 0a                                    |";?>.|
000000e5

You can recreate the exploit:

head -n 1 somefile.jpg > file.jpg.php
echo '<?php echo "hello";?>' >> file.jpg.php

The file was named file.jpg.php and uploaded through the application, which wrote it to the avatars directory, where it was web accessible. Since the filename contained .jpg and the file had a proper jpeg header, it passed the two validation tests. The payload contained within the file shows ‘junk’ (the jpeg header bytes) before the word test is printed.

A number of factors made this attack vector possible. A client could upload files whose names would be executed as .php/.cgi so long as they contained .gif/.jpg/.jpeg. In addition, the avatar directory (and one other) allowed execution of scripts. Using FilesMatch or removing the mimetypes for anything but the static images allowed would have prevented the files from being executed.
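The flawed check described above beside a stricter one, as an added example that is not the client application's code: the function names, the signature table and the 32-character random storage name are assumptions made for the example.

```python
import os
import secrets

# Allowlisted final extensions and the leading bytes each must have.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def weak_check(filename, data):
    """The flawed logic described above: the extension may appear anywhere
    in the name, and the content only needs some image header."""
    name = filename.lower()
    named_like_image = any(ext in name for ext in SIGNATURES)
    looks_like_image = any(data.startswith(sigs)
                           for sigs in SIGNATURES.values())
    return named_like_image and looks_like_image


def strict_store_name(filename, data):
    """Return a server-generated storage name, or None to reject the upload.

    Only the final extension counts, its signature must match the content,
    and nothing from the client-supplied name is reused except that extension.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()  # anchored to the right-hand side
    sigs = SIGNATURES.get(ext)
    if sigs is None or not data.startswith(sigs):
        return None
    return secrets.token_hex(16) + ext


# Constructed sample: the first bytes of the hexdump above followed by the
# echo payload the post shows.
SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b'<?php echo "test";?>\n'

if __name__ == "__main__":
    for name in ("file.jpg.php", "avatar.JPG", "avatar.gif"):
        print(name, weak_check(name, SAMPLE), strict_store_name(name, SAMPLE))
```

The same bytes uploaded as avatar.jpg still pass the strict check, so the directory-level fix named above (no script execution where uploads are stored) is still required.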

In reality, the hole that was used was even easier to exploit, as the application allowed preview of a work unit where the URL wasn’t sanitized properly, allowing XSS; however, this method could also have been utilized.

Every time you deal with user supplied content, check, double-check and triple-check the server configuration, directory permissions, ability to traverse directories, etc. Ideally, making sure your server has minimal abilities in those directories is a step in the right direction.
