├── Makefile
├── README.md
├── mal-dnssearch.sh
├── mandiant_apt1.dns
├── test
│   ├── TEST
│   ├── compromised-ips.test
│   ├── dns.pcap
│   ├── ip-filter.test
│   ├── malhosts.test
│   └── mandiant_apt1.dns
└── tools
    ├── mal-dns2bro.py
    └── mal-dns2bro.sh
/Makefile:
--------------------------------------------------------------------------------
1 | PROG = mal-dnssearch
2 | PREFIX = /usr/local
3 | DEST = $(PREFIX)/$(PROG)
4 | BIN = /usr/bin
5 |
6 | default: install
7 |
8 | install:
9 | $(info Installing mal-dnssearch to $(DEST))
10 | mkdir -p $(DEST)
11 | chmod 755 $(DEST)
12 | install mal-dnssearch.sh $(DEST)
13 | install tools/mal-dns2bro.sh $(DEST)
14 | ln -f -s $(DEST)/mal-dnssearch.sh $(BIN)/mal-dnssearch
15 | ln -f -s $(DEST)/mal-dns2bro.sh $(BIN)/mal-dns2bro
16 |
17 | uninstall:
18 | $(info Uninstalling mal-dnssearch!)
19 | unlink $(BIN)/mal-dnssearch
20 | unlink $(BIN)/mal-dns2bro
21 | rm -fr $(DEST)
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # mal-dnssearch
2 |
3 | `Mal-dnssearch` is a robust shell script that compares IP and DNS
4 | addresses in logs against malware (and related) reputation data.
5 | It reports any matches and supports many log formats.
6 |
7 | Requires Bash version 4.2+. Tested with Bash on OpenBSD, FreeBSD, OSX, and Ubuntu.
8 |
9 | 
10 |
11 | ## Installation:
12 |
13 | Edit the Makefile or use the defaults to install the script.
14 | The *default* is to install to `/usr/local/mal-dnssearch`.
15 | A symlink is then created in /usr/bin so that mal-dnssearch will most likely be in your PATH.
16 |
17 | To install use:
18 | ```shell
19 | sudo make install
20 | ```
21 |
22 | To uninstall use:
23 | ```shell
24 | sudo make uninstall
25 | ```
26 |
27 | ## Supported Logs (parses DNS names only):
28 |
29 | Specify log type with `-T `. This is used to parse the file correctly.
30 | `-f` is then required to specify the log file to read.
31 |
32 | Type: | Description:
33 | -----------|----------------
34 | apache | Apache Access Log
35 | apachev | Apache Other Vhosts Access Log
36 | argus | ARGUS file (requires user data i.e. setting ARGUS_CAPTURE_DATA_LEN)
37 | bind | ISC's BIND query log file
38 | bro-dns | BRO-IDS dns.log file
39 | custom-ip | Custom file - IP addresses, one per line
40 | custom-dns | Custom file - DNS names, one per line, without the trailing FQDN dot
41 | hosts | /etc/hosts file
42 | httpry | HttPry log file
43 | passivedns | PassiveDNS log file
44 | tcpdump | Tcpdump pcap file
45 | tshark | Tshark pcap file
46 | sonicwall | SonicWall NSA log file (via syslog)
47 |
48 | Is your log not supported? E-mail me a sample, I'll add it.
49 |
50 | ## Supported Malware Host Lists:
51 |
52 | Default is `http://secure.mayhemiclabs.com/malhosts/malhosts.txt` (DNS list) when
53 | `-M` is not specified.
54 |
55 | List: | Description:
56 | -----------|-----------------
57 | custom | Custom, one IP entry per line
58 | snort | http://labs.snort.org/feeds/ip-filter.blf (IP)
59 | et_ips | http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt (IP)
60 | alienvault | http://reputation.alienvault.com/reputation.generic (BIG file) (IP)
61 | botcc | http://rules.emergingthreats.net/open/suricata/rules/botcc.rules (IP)
62 | tor | http://rules.emergingthreats.net/open/suricata/rules/tor.rules (IP)
63 | rbn | http://rules.emergingthreats.net/blockrules/emerging-rbn.rules (IP)
64 | malhosts | http://www.malwaredomainlist.com/hostslist/hosts.txt (DNS)
65 | malips | http://www.malwaredomainlist.com/hostslist/ip.txt (IP)
66 | ciarmy | http://www.ciarmy.com/list/ci-badguys.txt (IP)
67 | mayhemic | http://secure.mayhemiclabs.com/malhosts/malhosts.txt (DNS)
68 | mandiant | https://raw.github.com/jonschipp/mal-dnssearch/master/mandiant_apt1.dns (DNS)
69 |
70 | #### Todo (not ranked):
71 |
72 | * More efficient parsing
73 | * Add support for more logs (e-mail me with request and log sample)
74 | * Check for necessary programs where needed e.g. bro-cut, ra, tcpdump, tshark
75 | * Option to edit/change URLs in the script
76 | * Add cron mode option
77 | * Rewrite script in Python or C
78 | * Add option to download list only
79 | * See if you can read from the Collective Intelligence Framework database
80 | * Try optimizing with Gnu Parallel
81 | * See if there's a Team Cymru list to match against.
82 | * Add option to combine all IP and DNS lists into a single IP or DNS list. e.g. --all [dns|ip]
83 | * Add lists:
84 | * http://www.dragonresearchgroup.org/insight/
85 | * http://danger.rulez.sk/projects/bruteforceblocker/blist.php
86 | * http://www.openbl.org/lists/date_all.txt
87 | * http://www.mirc.com/servers.ini
88 | * https://reputation.alienvault.com/reputation.data
89 | * Read from exported Sguil event logs
90 | * Add apache logs
91 | * Fix "0 out of 0 entries matched" on second run bug
92 | * Add whitelist option to mal-dns2bro
93 |
94 | ## Usage:
95 |
96 | ### Non-mandatory options:
97 |
98 | `-w` accept file with one entry per line or grep regex *e.g*. `-w "dont|match|these"`, `-w whitelist.txt`
99 | `-l` Log stdout & stderr to file *e.g.* `-l /var/log/output.log`
100 | `-F` block matched hosts w/ firewall, 3 available: iptables, pf, ipfw *e.g.* `-F pf`
101 | `-N` skip file download
102 | `-p` Pass downloaded file to stdout to pipe to other programs *e.g.*
103 | `-M mayhemic -p | mal-dns2bro -T dns > mayhemic.intel`
104 | `-v` Print each line from the mal-host list as it is processed, for debugging
105 | `-V` Print each line from the log file as it is processed, for debugging
106 |
107 | ```shell
108 | Usage: ./mal-dnssearch -T -f [-M ] [-w whitelist] [-l out.log] [-F firewall] [-N] [-vV]
109 | ```
110 |
111 | ### Examples:
112 |
113 | ```shell
114 | ./mal-dnssearch.sh -M mandiant   # downloads the list file only
115 | ./mal-dnssearch.sh -T tshark -f dns.pcap
116 | ./mal-dnssearch.sh -T passivedns -f /var/log/passivedns/dmz.log -w whitelist.txt
117 | ./mal-dnssearch.sh -T bro-dns -f /usr/local/bro/logs/current/dns.log \
118 | -w "company.com|abc.com|google|facebook" -l dns.results.log
119 | ./mal-dnssearch.sh -T bro-dns -f /usr/local/bro/logs/current/dns.log -F iptables -l dns.results.log
120 | ./mal-dnssearch.sh -T argus -f dns.argus -M malhosts -F iptables -l dns.results.log
121 | ./mal-dnssearch.sh -T custom-ip -f iplist.log -M snort -l ip.results.log -N -v
122 | ./mal-dnssearch.sh -T custom-ip -f iplist.log -M mandiant -l ip.results.log
123 | ./mal-dnssearch.sh -T apache -f /var/log/apache2/access.log
124 | ```
125 |
126 | ## Author:
127 | ***Jon Schipp*** (keisterstash)
128 | [More info](https://sickbits.net/finding-malware-by-dns-cache-snooping/)
129 | jonschipp [ at ] Gmail dot com
130 | `sickbits.net`, `jonschipp.com`
131 |
--------------------------------------------------------------------------------
/mal-dnssearch.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # BSD License:
3 | # Copyright (c) 2013, Jon Schipp
4 | # All rights reserved.
5 | #
6 | # Redistribution and use in source and binary forms, with or without modification,
7 | # are permitted provided that the following conditions are met:
8 | #
9 | # Redistributions of source code must retain the above copyright notice, this list of
10 | # conditions and the following disclaimer. Redistributions in binary form must reproduce
11 | # the above copyright notice, this list of conditions and the following disclaimer in the
12 | # documentation and/or other materials provided with the distribution.
13 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
14 | # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
16 | # SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
17 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
18 | # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
21 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
22 |
23 | # print stats: kill -USR2 $pid
24 | trap "stats" SIGUSR2
25 |
26 | # functions
27 | usage()
28 | {
29 | cat <<EOF
35 | -T Type(s) of log e.g. \`\`-T bro''
36 | -f Log file e.g. \`\`-f /opt/bro/logs/current/dns.log''
37 |
38 | Type: | Description:
39 | apache - Apache access log
40 | apachev - Apache vhosts access log
41 | argus - ARGUS file
42 | bind - ISC's BIND query log file
43 | bro-dns - BRO-IDS dns.log file
44 | bro-conn - BRO-IDS conn.log file
45 | custom-ip - Custom file - IP, one per line
46 | custom-dns - Custom file - DNS, one per line
47 | hosts - /etc/hosts file
48 | httpry - HttPry log file
49 | passivedns - PassiveDNS log file
50 | tcpdump - Tcpdump pcap file
51 | tshark - Tshark pcap file
52 | sonicwall - SonicWall NSA log file
53 | |
54 |
55 | Malware List Options:
56 | -M Name of list, e.g. \`\`-M snort''
57 |
58 | List: | Description:
59 | snort - http://labs.snort.org/feeds/ip-filter.blf (IP)
60 | et_ips - http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt (IP)
61 | alienvault - http://reputation.alienvault.com/reputation.generic (BIG file) (IP)
62 | botcc - http://rules.emergingthreats.net/open/suricata/rules/botcc.rules (IP)
63 | tor - http://rules.emergingthreats.net/open/suricata/rules/tor.rules (IP)
64 | rbn - http://rules.emergingthreats.net/blockrules/emerging-rbn.rules (IP)
65 | malhosts - http://www.malwaredomainlist.com/hostslist/hosts.txt (DNS)
66 | malips - http://www.malwaredomainlist.com/hostslist/ip.txt (IP)
67 | ciarmy - http://www.ciarmy.com/list/ci-badguys.txt (IP)
68 | mayhemic - http://secure.mayhemiclabs.com/malhosts/malhosts.txt (DNS)
69 | mandiant - https://raw.github.com/jonschipp/mal-dnssearch/master/mandiant_apt1.dns (DNS)
70 |
71 | Processing Options:
72 | -h help (this message)
73 | -F insert firewall rules (blocks) e.g. iptables,pf,ipfw
74 | -l Log stdout & stderr to
75 | -N Skip file download
76 | -p Print parsed mal-ware list to stdout e.g. \`\`-M ciarmy -p | prog''
77 | -v Verbose, print each line from malware list
78 | -V Verbose, print each line read from log file
79 | -w Whitelist, accept or regex
80 | e.g. -w "dont|match|these"
81 |
82 | Usage: $0 -T -f [-M ] [-w whitelist] [-l out.log] [-F fw] [-#] [-N] [-vV]
83 | e.g. $0 -T passivedns -f /var/log/pdns.log -w "facebook|google" -F iptables -l output.log
84 | EOF
85 | }
86 |
87 | bash_check(){
88 | (( BASH_VERSINFO[0] > 4 || (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] >= 2) )) || { echo "${RED}Bash 4.2+ required!${END}"; exit 1; }
89 | }
90 |
91 | download()
92 | {
93 | if [ "$DOWNLOAD" != "NO" ]; then
94 | echo -e "\n${ORANGE}[${END}${RED}*${END}${ORANGE}]${END} ${BLUE}Downloading ${MALHOSTURL:-$MALHOSTDEFAULT}...${END}\n" 1>&2
95 | if command -v curl >/dev/null 2>&1; then
96 | curl -f -L -O "${MALHOSTURL:-$MALHOSTDEFAULT}" 1>/dev/null   # verify TLS certificates; -f makes HTTP errors fail the download
97 |
98 | if [ "$?" -gt 0 ]; then
99 | echo -e "\nDownload Failed! - Check URL"
100 | exit 1
101 | fi
102 |
103 | elif command -v wget >/dev/null 2>&1; then
104 | wget "${MALHOSTURL:-$MALHOSTDEFAULT}" 1>/dev/null   # certificate checking left enabled
105 |
106 | if [ "$?" -gt 0 ]; then
107 | echo -e "\nDownload Failed! - Check URL"
108 | exit 1
109 | fi
110 |
111 | else
112 | echo -e "\nERROR: Neither cURL or Wget are installed or are not in the \$PATH!\n"
113 | exit 1
114 | fi
115 | fi
116 |
117 | if [ -f ${MALHOSTFILE:-$MALFILEDEFAULT} ]; then
118 | total=$(sed -e '/^$/d' -e '/^#/d' < ${MALHOSTFILE:-$MALFILEDEFAULT} | wc -l)
119 | else
120 | echo -e "\n${ORANGE}[${END}${RED}*${END}${ORANGE}]${END} File doesn't exist (Is it in the current working directory?)..Exiting."
121 | exit 1
122 | fi
123 | }
124 |
125 | stats()
126 | {
127 | echo -e " ${RED}-->${END} ${ORANGE}[${END}${RED}-${END}${ORANGE}]${END} stats: found: ${RED}${found}${END}, current mal item: ${RED}$tally${END} of ${RED}$total${END}"
128 | }
129 |
130 | wlistchk()
131 | {
132 | if [ -z "$WLISTDOM" ]; then
133 | echo "grep -v -i -E '(in-addr|\_)'"
134 | elif [ -f "$WLISTDOM" ]; then
135 | echo "grep -v -i -f $WLISTDOM"
136 | else
137 | echo "grep -v -i -E '(in-addr|$WLISTDOM)'"
138 | fi
139 | }
140 |
141 | parse()
142 | {
143 | if [[ "$PARSE" = "alienvault" ]] || [[ "$PARSE" = "mayhemic" ]]; then
144 | { rm $MALHOSTFILE && awk '{ print $1 }' | sed -e '/^$/d' -e '/^#/d' > $MALHOSTFILE; } < $MALHOSTFILE
145 | fi
146 | if [[ "$PARSE" = "botcc" ]] || [[ "$PARSE" = "tor" ]] || [[ "$PARSE" = "rbn" ]]; then
147 | if [ "$DOWNLOAD" != "NO" ]; then
148 | { rm $MALHOSTFILE && grep -o '\[.*\]' | sed -e 's/\[//;s/\]//' | awk 'BEGIN { RS="," } { print }' \
149 | | sed '/^$/d' > $MALHOSTFILE; } < $MALHOSTFILE
150 | fi
151 | fi
152 | if [[ "$PARSE" = "malhosts" ]]; then
153 | if [ "$DOWNLOAD" != "NO" ]; then
154 | { rm $MALHOSTFILE && tr -d '\r' | sed -e '/^#/d' -e '/^$/d' | awk '{ print $2 }' > $MALHOSTFILE; } < $MALHOSTFILE
155 | fi
156 | fi
157 | if [[ "$PARSE" = "malips" ]] || [[ "$PARSE" = "mandiant" ]]; then
158 | { rm $MALHOSTFILE && sed -e '/^$/d' -e '/^#/d' | tr -d '\r' > $MALHOSTFILE; } < $MALHOSTFILE
159 | fi
160 |
161 | if [[ $PIPE = 1 ]]; then
162 | echo -e "\n\n${ORANGE}[${END}${RED}*${END}${ORANGE}]${END} Stdout below for piping to a file or program\n" 1>&2
163 | cat $MALHOSTFILE
164 | exit 0
165 | fi
166 | }
167 |
168 | unique() {
169 | [[ $DNS = 0 ]] && sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 -S 1G| uniq
170 | [[ $DNS = 1 ]] && sort -S 1G | uniq
171 | }
172 |
173 | ipblock()
174 | {
175 | if [[ "$FW" = "iptables" ]]; then
176 | iptables -A INPUT -s "$bad_host" -j DROP
177 | iptables -A OUTPUT -d "$bad_host" -j DROP   # outbound packets carry the bad host as destination, not source
178 | iptables -A FORWARD -s "$bad_host" -j DROP
179 | fi
180 | if [[ "$FW" = "pf" ]]; then
181 | echo -e "block in from "$bad_host" to any\n \
182 | block out from "$bad_host" to any" | pfctl -a mal-dnssearch -f -
183 | fi
184 | if [[ "$FW" = "ipfw" ]]; then
185 | ipfw add drop ip from "$bad_host" to any
186 | ipfw add drop ip from any to "$bad_host"
187 | fi
188 | }
189 |
190 | compare()
191 | {
192 | found=0
193 | tally=0
194 | declare -A bad_hosts
195 |
196 | echo -e "\n${ORANGE}[${END}${RED}*${END}${ORANGE}]${END} ${ORANGE}|${END}${BLUE}$PROG Results${END}${ORANGE}|${END} - ${BLUE}${FILE}${END}: ${ORANGE}$COUNT${END} total entries\n"
197 | while read bad_host
198 | do
199 | let tally++
200 | bad_hosts[$bad_host]=1
201 | done < <(cut -f1 < ${MALHOSTFILE:-$MALFILEDEFAULT} | sed -e '/^#/d' -e '/^$/d')
202 |
203 | for host in $(eval "$1")
204 | do
205 | [[ ${VERBOSELOG:-0} -eq 1 ]] && echo "---log: $host"
206 | if [[ ${bad_hosts[$host]} ]]; then
207 | echo -e "${ORANGE}[${END}${RED}+${END}${ORANGE}]${END} ${RED}Found${END} - host '"${ORANGE}$host${END}"' matches "
208 | let found++
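209 | [[ "$FWTRUE" = "1" ]] && { bad_host="$host"; ipblock; }   # ipblock reads $bad_host, which is empty once the read loop above has finished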
210 | fi
211 | done
212 | echo -e "--\n${ORANGE}[${END}${RED}=${END}${ORANGE}]${END} ${RED}$found${END} of ${ORANGE}$total${END} entries matched from ${BLUE}${MALHOSTFILE:-$MALFILEDEFAULT}${END}"
213 | }
214 |
215 | # if fewer than 2 arguments
216 | if (( $# < 2 )); then
217 | usage
218 | exit 1
219 | fi
220 |
221 | # Initializations
222 | FWTRUE=0
223 | LOG=0
224 | LOG_SET=0
225 | FILE_SET=0
226 | PIPE=0
227 | DNS=0
228 | APACHE=0
229 | APACHEV=0
230 | ARGUS=0
231 | BIND=0
232 | BRODNS=0
233 | BROCONN=0
234 | CUSTOMIP=0
235 | CUSTOMDNS=0
236 | HOSTS=0
237 | HTTPRY=0
238 | PDNS=0
239 | SWALL=0
240 | TCPDUMP=0
241 | TSHARK=0
242 | VERBOSELIST=0
243 | VERBOSELOG=0
244 | END="$(tput sgr0)"
245 | UNDERLINE="$(tput smul)"
246 | YELLOW="$(tput setaf 3)"
247 | RED="$(tput setaf 1)"
248 | BLUE="$(tput setaf 4)"
249 | ORANGE=$(tput setaf 172)
250 | MAGENTA="$(tput setaf 5)"
251 | CYAN="$(tput setaf 6)"
252 | WHITE="$(tput setaf 7)"
253 |
254 | bash_check
255 |
256 | # option and argument handling
257 | while getopts "hf:F:l:pM:NT:vVw:" OPTION
258 | do
259 | case $OPTION in
260 | F)
261 | FWTRUE=1
262 | FW="$OPTARG"
263 | ;;
264 | f)
265 | FILE="$OPTARG"
266 | FILE_SET=1
267 | ;;
268 | h)
269 | usage
270 | exit 1
271 | ;;
272 | l)
273 | LOG=1
274 | LOGFILE="$OPTARG"
275 | ;;
276 | M)
277 | if [[ "$OPTARG" == snort ]]; then
278 | MALHOSTURL="http://labs.snort.org/feeds/ip-filter.blf"
279 | MALHOSTFILE="ip-filter.blf"
280 | elif [[ "$OPTARG" == et_ips ]]; then
281 | MALHOSTURL="http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt"
282 | MALHOSTFILE="compromised-ips.txt"
283 | elif [[ "$OPTARG" == alienvault ]]; then
284 | MALHOSTURL="http://reputation.alienvault.com/reputation.generic"
285 | MALHOSTFILE="reputation.generic"
286 | PARSE="$OPTARG"
287 | elif [[ "$OPTARG" == botcc ]]; then
288 | MALHOSTURL="http://rules.emergingthreats.net/open/suricata/rules/botcc.rules"
289 | MALHOSTFILE="botcc.rules"
290 | PARSE="$OPTARG"
291 | elif [[ "$OPTARG" == tor ]]; then
292 | MALHOSTURL="http://rules.emergingthreats.net/open/suricata/rules/tor.rules"
293 | MALHOSTFILE="tor.rules"
294 | PARSE="$OPTARG"
295 | elif [[ "$OPTARG" == rbn ]]; then
296 | MALHOSTURL="http://rules.emergingthreats.net/blockrules/emerging-rbn.rules"
297 | MALHOSTFILE="emerging-rbn.rules"
298 | PARSE="$OPTARG"
299 | elif [[ "$OPTARG" == malhosts ]]; then
300 | MALHOSTURL="http://www.malwaredomainlist.com/hostslist/hosts.txt"
301 | MALHOSTFILE="hosts.txt"
302 | PARSE="$OPTARG"
303 | DNS=1
304 | elif [[ "$OPTARG" == malips ]]; then
305 | MALHOSTURL="http://www.malwaredomainlist.com/hostslist/ip.txt"
306 | MALHOSTFILE="ip.txt"
307 | PARSE="$OPTARG"
308 | elif [[ "$OPTARG" == ciarmy ]]; then
309 | MALHOSTURL="http://www.ciarmy.com/list/ci-badguys.txt"
310 | MALHOSTFILE="ci-badguys.txt"
311 | PARSE="$OPTARG"
312 | elif [[ "$OPTARG" == mandiant ]]; then
313 | MALHOSTURL="https://raw.github.com/jonschipp/mal-dnssearch/master/mandiant_apt1.dns"
314 | MALHOSTFILE="mandiant_apt1.dns"
315 | PARSE="$OPTARG"
316 | DNS=1
317 | elif [[ "$OPTARG" == mayhemic ]]; then
318 | MALHOSTURL="http://secure.mayhemiclabs.com/malhosts/malhosts.txt"
319 | MALHOSTFILE="malhosts.txt"
320 | PARSE="$OPTARG"
321 | DNS=1
322 | else
323 | echo "Unknown reputation list!"
324 | exit 1
325 | fi
326 | ;;
327 | N)
328 | DOWNLOAD="NO"
329 | ;;
330 | p)
331 | PIPE=1
332 | ;;
333 | T)
334 | if [[ "$OPTARG" == apache ]]; then
335 | APACHE=1
336 | elif [[ "$OPTARG" == apachev ]]; then
337 | APACHEV=1
338 | elif [[ "$OPTARG" == argus ]]; then
339 | ARGUS=1
340 | elif [[ "$OPTARG" == bind ]]; then
341 | BIND=1
342 | elif [[ "$OPTARG" == bro-dns ]]; then
343 | BRODNS=1
344 | elif [[ "$OPTARG" == bro-conn ]]; then
345 | BROCONN=1
346 | elif [[ "$OPTARG" == custom-ip ]]; then
347 | CUSTOMIP=1
348 | elif [[ "$OPTARG" == custom-dns ]]; then
349 | CUSTOMDNS=1
350 | elif [[ "$OPTARG" == hosts ]]; then
351 | HOSTS=1
352 | elif [[ "$OPTARG" == httpry ]]; then
353 | HTTPRY=1
354 | elif [[ "$OPTARG" == passivedns ]]; then
355 | PDNS=1
356 | elif [[ "$OPTARG" == sonicwall ]]; then
357 | SWALL=1
358 | elif [[ "$OPTARG" == tcpdump ]]; then
359 | TCPDUMP=1
360 | elif [[ "$OPTARG" == tshark ]]; then
361 | TSHARK=1
362 | else
363 | echo "Unknown type!"
364 | exit 1
365 | fi
366 | LOG_SET=1
367 | ;;
368 | w)
369 | WLISTDOM="$OPTARG"
370 | ;;
371 | v)
372 | VERBOSELIST=1
373 | ;;
374 | V)
375 | VERBOSELOG=1
376 | ;;
377 | \?)
378 | exit 1
379 | ;;
380 | esac
381 | done
382 |
383 | # Check for option dependency
384 | if [[ $LOG_SET = 1 ]] && [[ $FILE_SET = 0 ]]; then
385 | echo "Missing option: \`\`-T'' requires \`\`-f'' and vice versa"
386 | exit 1
387 | elif [[ $FILE_SET = 1 ]] && [[ $LOG_SET = 0 ]]; then
388 | echo "Missing option: \`\`-T'' requires \`\`-f'' and vice versa"
389 | exit 1
390 | fi
391 |
392 | echo -e "\n${BLUE}PID${END}: ${ORANGE}$$${END}" 1>&2
393 |
394 | # vars
395 | MALHOSTDEFAULT="http://secure.mayhemiclabs.com/malhosts/malhosts.txt"
396 | MALFILEDEFAULT="malhosts.txt"
397 |
398 | download
399 | parse
400 |
401 | # logging
402 | if [[ $LOG = 1 ]]; then
403 | exec > >(tee "$LOGFILE") 2>&1
404 | echo -e "\n --> Logging stdout & stderr to $LOGFILE"
405 | fi
406 |
407 | # DNS parsing for log files
408 | if [[ $BRODNS = 1 ]]; then
409 | PROG=BRO-DNS; COUNT=$(wc -l < $FILE)
410 | compare "bro-cut query < \$FILE | $(eval wlistchk) | unique"
411 | fi
412 | if [[ $BROCONN = 1 ]]; then
413 | PROG=BRO-CONN; COUNT=$(wc -l < $FILE)
414 | compare "bro-cut id.orig_h id.resp_h < \$FILE | tr '\t' '\n' | $(eval wlistchk) | unique"
415 | fi
416 | if [[ $PDNS = 1 ]]; then
417 | PROG=PassiveDNS; COUNT=$(wc -l < $FILE)
418 | compare "sed 's/||/:/g' < \$FILE | $(eval wlistchk) | cut -d \: -f5 | sed 's/\.$//' | unique"
419 | fi
420 | if [[ $HTTPRY = 1 ]]; then
421 | PROG=HttPry; COUNT=$(wc -l < $FILE)
422 | compare "awk '{ print \$7 }' < \$FILE | $(eval wlistchk) | sed -e '/^-$/d' -e '/^$/d' | unique"
423 | fi
424 | if [[ $TSHARK = 1 ]]; then
425 | PROG=TShark; COUNT=$(wc -l < $FILE)
426 | compare "tshark -nr \$FILE -R udp.port==53 -e dns.qry.name -T fields 2>/dev/null \
427 | | $(eval wlistchk) | sed -e '/#/d' | unique"
428 | fi
429 | if [[ $TCPDUMP = 1 ]]; then
430 | PROG=TCPDump; COUNT=$(wc -l < $FILE)
431 | compare "tcpdump -nnr \$FILE udp port 53 2>/dev/null | grep -o 'A? .*\.' | $(eval wlistchk) \
432 | | sed -e 's/A? //' -e '/[#,\)\(]/d' -e '/^[a-zA-Z0-9].\{1,4\}$/d' -e 's/\.$//'| unique"
433 | fi
434 | if [[ $ARGUS = 1 ]]; then
435 | PROG=ARGUS; COUNT=$(wc -l < $FILE)
436 | compare "ra -nnr \$FILE -s suser:512 - udp port 53 | $(eval wlistchk) | \
437 | sed -e 's/s\[..\]\=.\{1,13\}//' -e 's/\.\{1,20\}$//' -e 's/^[0-9\.]*$//' -e '/^$/d' | unique"
438 | fi
439 | if [[ $BIND = 1 ]]; then
440 | PROG=BIND; COUNT=$(wc -l < $FILE)
441 | compare "awk '/query/ { print \$15 } /resolving/ { print \$13 }' \$FILE | $(eval wlistchk) \
442 | | grep -v resolving | sed -e 's/'\"'\"'//g' -e 's/\/.*\/.*://' -e '/[\(\)]/d' | unique"
443 | fi
444 | if [[ $SWALL = 1 ]]; then
445 | PROG=SonicWALL; COUNT=$(wc -l < $FILE)
446 | compare "grep -h -o 'dstname=.* a' \$FILE 2>/dev/null | $(eval wlistchk) \
447 | | sed -e 's/dstname=//' -e 's/ a.*//' | unique"
448 | fi
449 | if [[ $HOSTS = 1 ]]; then
450 | PROG="Hosts File"; COUNT=$(wc -l < $FILE)
451 | compare "sed -e '/^$/d' -e '/^#/d' < \$FILE | $(eval wlistchk) | cut -f3 \
452 | | awk 'BEGIN { RS=\" \"; OFS = \"\n\"; ORS = \"\n\" } { print }' | sed '/^$/d' | unique"
453 | fi
454 | if [[ $CUSTOMDNS = 1 ]]; then
455 | PROG="Custom DNS File"; COUNT=$(wc -l < $FILE)
456 | compare "cat \$FILE | $(eval wlistchk) | unique"
457 | fi
458 |
459 | # IP parsing for log files
460 | if [[ $CUSTOMIP = 1 ]]; then
461 | { rm $MALHOSTFILE && sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq > $MALHOSTFILE; } < $MALHOSTFILE
462 | parse
463 | PROG="Custom IP File"; COUNT=$(wc -l < $FILE)
464 | compare "cat \$FILE | $(eval wlistchk) | unique"
465 | fi
466 |
467 | if [[ $APACHE = 1 ]]; then
468 | PROG="Apache Log File"; COUNT=$(wc -l < $FILE)
469 | compare "awk '{ print \$1 }' < \$FILE | $(eval wlistchk) | unique"
470 | fi
471 |
472 | if [[ $APACHEV = 1 ]]; then
473 | PROG="Apache Log File"; COUNT=$(wc -l < $FILE)
474 | compare "awk '{ print \$2 }' < \$FILE | $(eval wlistchk) | unique"
475 | fi
476 |
--------------------------------------------------------------------------------
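The reputation lists are fetched from third-party URLs, most of them plain `http://`, and with `-F` their entries reach `iptables`, `pfctl` or `ipfw`, so list content is worth validating before it is matched or blocked. The following is an added example, not part of the mal-dnssearch repository: POSIX shell helpers that keep only well-formed IPv4 host addresses or DNS names from a list. The names `is_ipv4`, `is_hostname`, `filter_indicators` and `sample_feed` are hypothetical, and the sample feed is constructed from documentation-range values.

```shell
#!/bin/sh
# Added example: validate reputation-list entries before matching or blocking.
LC_ALL=C; export LC_ALL          # make bracket ranges such as A-Z byte-exact

# is_ipv4 ADDR: succeed only for a dotted quad of four octets 0-255,
# with no CIDR suffix, no whitespace and no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; count=$((count + 1))
        case "$octet" in 0?*|????*) return 1 ;; esac   # leading zero or > 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# is_hostname NAME: succeed only for letter/digit/hyphen labels of at most
# 63 bytes, at least two labels, at most 253 bytes in total.
is_hostname() {
    name=${1%.}                                   # tolerate one trailing root dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case "$name" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;  # illegal byte or empty label
    esac
    case "$name" in *[!0-9.]*) ;; *) return 1 ;; esac   # digits and dots only: not a name
    case "$name" in *.*) ;; *) return 1 ;; esac         # single label: not a domain
    rest=$name.
    while [ -n "$rest" ]; do
        label=${rest%%.*}; rest=${rest#*.}
        [ "${#label}" -le 63 ] || return 1
        case "$label" in -*|*-) return 1 ;; esac        # hyphen at a label edge
    done
    return 0
}

# filter_indicators ip|dns: read a raw list on stdin, write validated entries
# on stdout (DNS names lower-cased) and report the reject count on stderr.
filter_indicators() {
    kind=$1
    tr -d '\r' | {
        rejected=0
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
            if [ "$kind" = ip ] && is_ipv4 "$line"; then
                printf '%s\n' "$line"
            elif [ "$kind" = dns ] && is_hostname "$line"; then
                printf '%s\n' "$line" | tr 'A-Z' 'a-z'
            else
                rejected=$((rejected + 1))
            fi
        done
        echo "filter_indicators: rejected $rejected malformed entries" >&2
    }
}

# Constructed sample feed: comment, CRLF ending, blank line, mixed case,
# a CIDR range, out-of-range and zero-padded octets, malformed names.
sample_feed() {
    printf '%s\n' '# constructed sample feed'
    printf '%s\r\n' 'c2.bad.example'
    printf '%s\n' '' 'Update.Bad.Example' '192.0.2.7' '192.0.2.0/24' \
        '256.1.1.1' '010.0.0.1' '-bad.example' 'host name.example'
}

sample_feed | filter_indicators dns
sample_feed | filter_indicators ip
```

A validated list can be written to a file and used with `-N` so the script skips its own download.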
/mandiant_apt1.dns:
--------------------------------------------------------------------------------
402 | corp.booksonlineclub.com
403 | corp.purpledaily.com
404 | cost.cnnnewsdaily.com
405 | count.blackcake.net
406 | country.canadatvsite.com
407 | cow.arrowservice.net
408 | cowboy.bigish.net
409 | cowboy.hugesoft.org
410 | crab.arrowservice.net
411 | crab.infobusinessus.org
412 | crab.msnhome.org
413 | crackling123.appspot.com
414 | cross.busketball.com
415 | crz.dnsweb.org
416 | cs.firefoxupdata.com
417 | csch.infosupports.com
418 | csupp.bigish.net
419 | ctcn.purpledaily.com
420 | ctcs.bigdepression.net
421 | ctcs.earthsolution.org
422 | ctimoon.marsbrother.com
423 | ctisk.purpledaily.com
424 | cubbh.newspappers.org
425 | cubh.businessconsults.net
426 | culture.chileexe77.com
427 | cure.firefoxupdata.com
428 | current.firefoxupdata.com
429 | cw.e-cardsshop.com
430 | cw.mcafeepaying.com
431 | cw.nationtour.net
432 | cw.pop-musicsite.com
433 | cw.searchforca.com
434 | cwe.newsonet.net
435 | cwe80.newsonet.net
436 | cwel.newsonet.net
437 | cws.gmailboxes.com
438 | d.bpyoyo.com
439 | da.comrepair.net
440 | daa.bigdepression.net
441 | daily.newsonlinesite.com
442 | data.firefoxupdata.com
443 | date.freshreaders.net
444 | date.gmailboxes.com
445 | date.rssadvanced.org
446 | date.voiceofman.com
447 | datehelp.firefoxupdata.com
448 | dating.satellitebbs.com
449 | db.firefoxupdata.com
450 | default.arrowservice.net
451 | defense.usabbs.org
452 | del.advanbusiness.com
453 | demo.myyahoonews.com
454 | den.blackcake.net
455 | denel.businessconsults.net
456 | densun.comrepair.net
457 | des.blackcake.net
458 | des.infosupports.com
459 | develop.firefoxupdata.com
460 | dhfx.businessconsults.net
461 | dias.globalowa.com
462 | digi.firefoxupdata.com
463 | dith.blackcake.net
464 | dl.firefoxupdata.com
465 | dlkl.purpledaily.com
466 | dnn.firefoxupdata.com
467 | dns.chileexe77.com
468 | dns.infobusinessus.org
469 | dns.issnbgkit.net
470 | dns.progammerli.com
471 | dns.webservicesupdate.com
472 | dns1.firefoxupdata.com
473 | dnsg.bigdepression.net
474 | do.hugesoft.org
475 | doa.bigdepression.net
476 | docu.arrowservice.net
477 | documents.aoldaily.com
478 | documents.aunewsonline.com
479 | documents.busketball.com
480 | documents.cnndaily.com
481 | documents.downloadsite.me
482 | documents.e-cardsshop.com
483 | documents.nationtour.net
484 | documents.voiceofman.com
485 | dod.dnsweb.org
486 | doekl.newsonet.net
487 | domain.arrowservice.net
488 | domain.busketball.com
489 | domain.firefoxupdata.com
490 | dorkia.firefoxupdata.com
491 | dot.hugesoft.org
492 | dotnet.safalife.com
493 | dove.blackcake.net
494 | down.infobusinessus.org
495 | down.msnhome.org
496 | down.safalife.com
497 | download.applesoftupdate.com
498 | download.firefoxupdata.com
499 | download.freshreaders.net
500 | download.gmailboxes.com
501 | download.idirectech.com
502 | download.symanteconline.net
503 | download.voiceofman.com
504 | downloads.applesoftupdate.com
505 | downupdate.bigish.net
506 | dp.booksonlineclub.com
507 | dq.booksonlineclub.com
508 | drb.arrowservice.net
509 | drinkwater.gmailboxes.com
510 | drop.firefoxupdata.com
511 | dsh.newsonet.net
512 | dsw.blackcake.net
513 | dvid.blackcake.net
514 | dvid.infosupports.com
515 | dvn.newsonet.net
516 | dyn.msnhome.org
517 | dyn.newsonet.net
518 | dyns.infosupports.com
519 | e.advanbusiness.com
520 | e.aoldaily.com
521 | e.applesoftupdate.com
522 | e.aunewsonline.com
523 | e.canoedaily.com
524 | e.cnndaily.com
525 | e.ifexcel.com
526 | e.microsoft-update-info.com
527 | e.msnhome.org
528 | e.reutersnewsonline.com
529 | e.satellitebbs.com
530 | e.staycools.net
531 | e.todayusa.org
532 | e.usabbs.org
533 | e.usapappers.com
534 | e.usnewssite.com
535 | e.yahoodaily.com
536 | eaof.hugesoft.org
537 | east.freshreaders.net
538 | eatbeef.gmailboxes.com
539 | ecli-cow.infobusinessus.org
540 | edit.aolon1ine.com
541 | edu.firefoxupdata.com
542 | education.jobsadvanced.com
543 | education.rssadvanced.org
544 | eeaa.firefoxupdata.com
545 | eee.reutersnewsonline.com
546 | egcc.bigdepression.net
547 | email.advanbusiness.com
548 | email.aoldaily.com
549 | email.applesoftupdate.com
550 | email.aunewsonline.com
551 | email.canadatvsite.com
552 | email.canoedaily.com
553 | email.cnndaily.com
554 | email.cnndaily.net
555 | email.companyinfosite.com
556 | email.defenceonline.net
557 | email.downloadsite.me
558 | email.e-cardsshop.com
559 | email.firefoxupdata.com
560 | email.hugesoft.org
561 | email.jobsadvanced.com
562 | email.mcafeepaying.com
563 | email.micyuisyahooapis.com
564 | email.newsonlinesite.com
565 | email.pop-musicsite.com
566 | email.satellitebbs.com
567 | email.symanteconline.net
568 | email.todayusa.org
569 | email.usabbs.org
570 | email.usapappers.com
571 | email.usnewssite.com
572 | email.voiceofman.com
573 | email.yahoodaily.com
574 | emam.firefoxupdata.com
575 | en.firefoxupdata.com
576 | energy.e-cardsshop.com
577 | energy.mcafeepaying.com
578 | energy.nationtour.net
579 | energy.pop-musicsite.com
580 | energy.searchforca.com
581 | energy.usabbs.org
582 | engine.usabbs.org
583 | engineering.newsonlinesite.com
584 | environment.firefoxupdata.com
585 | eoaf.hugesoft.org
586 | epod.businessconsults.net
587 | eu.usabbs.org
588 | eum.businessconsults.net
589 | europa.cnndaily.com
590 | europe.canadatvsite.com
591 | ever.arrowservice.net
592 | everest.firefoxupdata.com
593 | eye.businessconsults.net
594 | f3tel.bigish.net
595 | face.firefoxupdata.com
596 | facebook.firefoxupdata.com
597 | faq.firefoxupdata.com
598 | fashion.cnnnewsdaily.com
599 | fax.canadatvsite.com
600 | fax.cnndaily.net
601 | fax.companyinfosite.com
602 | fax.defenceonline.net
603 | fax.downloadsite.me
604 | fax.e-cardsshop.com
605 | fax.jobsadvanced.com
606 | fax.mcafeepaying.com
607 | fax.micyuisyahooapis.com
608 | fax.newsonlinesite.com
609 | fax.pop-musicsite.com
610 | fax.symanteconline.net
611 | fax.voiceofman.com
612 | fcn.hugesoft.org
613 | fed.purpledaily.com
614 | ffej.newsonet.net
615 | ffej.purpledaily.com
616 | fher.bigish.net
617 | fher.businessconsults.net
618 | fhh.purpledaily.com
619 | file.cnnnewsdaily.com
620 | file.firefoxupdata.com
621 | files.cnndaily.com
622 | files.downloadsite.me
623 | fileshare.usabbs.org
624 | fileyp.firefoxupdata.com
625 | film.downloadsite.me
626 | fim.msnhome.org
627 | fim.purpledaily.com
628 | finance.aoldaily.com
629 | finance.aunewsonline.com
630 | finance.chileexe77.com
631 | finance.cnnnewsdaily.com
632 | finance.newsonlinesite.com
633 | finance.staycools.net
634 | finance.thehealthmood.net
635 | finance.todayusa.org
636 | finance.usabbs.org
637 | finance.usnewssite.com
638 | finance.yahoodaily.com
639 | financial.advanbusiness.com
640 | fine.worthhummer.net
641 | fineca.blackberrycluter.com
642 | fineca.newsonet.net
643 | finekl.bigish.net
644 | finekl.purpledaily.com
645 | finekl.worthhummer.net
646 | fiona.firefoxupdata.com
647 | fire.firefoxupdata.com
648 | fire1.firefoxupdata.com
649 | first.voiceofman.com
650 | fjod.businessconsults.net
651 | fkfc.arrowservice.net
652 | flash.aoldaily.com
653 | flash.aunewsonline.com
654 | flash.cnndaily.com
655 | flash.firefoxupdata.com
656 | flash.jobsadvanced.com
657 | flash.livemymsn.com
658 | flash.mcafeepaying.com
659 | flash.msnhome.org
660 | flash.usnewssite.com
661 | flash.yahoodaily.com
662 | flucare.worthhummer.net
663 | fly.blackcake.net
664 | fme.busketball.com
665 | f-mi.purpledaily.com
666 | fmp.bigish.net
667 | fmp.worthhummer.net
668 | fnem.businessconsults.net
669 | fni.bigish.net
670 | fni.businessconsults.net
671 | fni.newsonet.net
672 | fnpc.arrowservice.net
673 | fnrn.businessconsults.net
674 | fntel.bigish.net
675 | fok.firefoxupdata.com
676 | follow.purpledaily.com
677 | food.busketball.com
678 | food.msnhome.org
679 | football.canoedaily.com
680 | forum.infobusinessus.org
681 | free.gmailboxes.com
682 | friends.arrowservice.net
683 | froum.msnhome.org
684 | fs.mcafeepaying.com
685 | fs.searchforca.com
686 | fstl.bigish.net
687 | fstl.businessconsults.net
688 | fstl.worthhummer.net
689 | ftp.advanbusiness.com
690 | ftp.aoldaily.com
691 | ftp.applesoftupdate.com
692 | ftp.aunewsonline.com
693 | ftp.bpyoyo.com
694 | ftp.canadatvsite.com
695 | ftp.canoedaily.com
696 | ftp.cnndaily.com
697 | ftp.cnndaily.net
698 | ftp.companyinfosite.com
699 | ftp.defenceonline.net
700 | ftp.downloadsite.me
701 | ftp.e-cardsshop.com
702 | ftp.jobsadvanced.com
703 | ftp.mcafeepaying.com
704 | ftp.micyuisyahooapis.com
705 | ftp.msnhome.org
706 | ftp.newsonlinesite.com
707 | ftp.pop-musicsite.com
708 | ftp.purpledaily.com
709 | ftp.satellitebbs.com
710 | ftp.staycools.net
711 | ftp.symanteconline.net
712 | ftp.todayusa.org
713 | ftp.usabbs.org
714 | ftp.usapappers.com
715 | ftp.ustvb.com
716 | ftp.voiceofman.com
717 | ftph.infosupports.com
718 | ftrj.businessconsults.net
719 | fuck.reutersnewsonline.com
720 | fun.firefoxupdata.com
721 | function.canadatvsite.com
722 | function.symanteconline.net
723 | funny.canadatvsite.com
724 | funny.firefoxupdata.com
725 | fwb.blackcake.net
726 | fwb.infosupports.com
727 | fwmo.businessconsults.net
728 | fwmo.newsonet.net
729 | fy.firefoxupdata.com
730 | fza.marsbrother.com
731 | gaca.infobusinessus.org
732 | gaca.newsonet.net
733 | game.aoldaily.com
734 | game.firefoxupdata.com
735 | games.firefoxupdata.com
736 | gannett.infosupports.com
737 | gatu.arrowservice.net
738 | gayi.blackcake.net
739 | gee.safalife.com
740 | gege.newsonet.net
741 | gege.oplaymagzine.com
742 | geneticmedicine.conferencesinfo.com
743 | geo.firefoxupdata.com
744 | geology.e-cardsshop.com
745 | geology.pop-musicsite.com
746 | gg.arrowservice.net
747 | gg.infobusinessus.org
748 | ghma.earthsolution.org
749 | gjjr.newsonet.net
750 | gjmy.comrepair.net
751 | gl.gmailboxes.com
752 | glj.purpledaily.com
753 | global.pop-musicsite.com
754 | global.softsolutionbox.net
755 | globalization.firefoxupdata.com
756 | glx.newsonet.net
757 | gmail.bigdepression.net
758 | gmail.firefoxupdata.com
759 | gmail.infosupports.com
760 | google.applesoftupdate.com
761 | goverment.usabbs.org
762 | green.safalife.com
763 | ground.earthsolution.org
764 | ground.infosupports.com
765 | ground.msnhome.org
766 | gsti.busketball.com
767 | gsup.infobusinessus.org
768 | half.earthsolution.org
769 | half.infosupports.com
770 | happy.arrowservice.net
771 | happy.e-cardsshop.com
772 | happy.hugesoft.org
773 | happy.nationtour.net
774 | happyfish.firefoxupdata.com
775 | hav.earthsolution.org
776 | health.jobsadvanced.com
777 | hello.mediaxsds.net
778 | help.advanbusiness.com
779 | help.applesoftupdate.com
780 | help.firefoxupdata.com
781 | help.gmailboxes.com
782 | help.purpledaily.com
783 | help.reutersnewsonline.com
784 | help.thehealthmood.net
785 | hi.bpyoyo.com
786 | hill.arrowservice.net
787 | hill.booksonlineclub.com
788 | hill.businessformars.com
789 | hill.earthsolution.org
790 | hm.firefoxupdata.com
791 | home.arrowservice.net
792 | home.firefoxupdata.com
793 | home.msnhome.org
794 | home.reutersnewsonline.com
795 | home.staycools.net
796 | hon.bigdepression.net
797 | host.arrowservice.net
798 | host.issnbgkit.net
799 | host.regicsgf.net
800 | hostname.regicsgf.net
801 | hot.thehealthmood.net
802 | hotel.safalife.com
803 | house.globalowa.com
804 | house.gmailboxes.com
805 | house.newsonet.net
806 | housew.newsonet.net
807 | hpd.newsonet.net
808 | hq.lksoftvc.net
809 | hrsy.newsonet.net
810 | https.lksoftvc.net
811 | https.msnhome.org
812 | https.progammerli.com
813 | hu.firefoxupdata.com
814 | hun.firefoxupdata.com
815 | hy.purpledaily.com
816 | hy.worthhummer.net
817 | iabk.msnhome.org
818 | iabk.newsonet.net
819 | iai.firefoxupdata.com
820 | iamge.usabbs.org
821 | idtheft.hugesoft.org
822 | iea.businessconsults.net
823 | iexchangefxn.firefoxupdata.com
824 | ifc.firefoxupdata.com
825 | image.aunewsonline.com
826 | image.satellitebbs.com
827 | image.todayusa.org
828 | image.usabbs.org
829 | image.usnewssite.com
830 | images.spmiller.org
831 | important.firefoxupdata.com
832 | index.arrowservice.net
833 | india.arrowservice.net
834 | indian.arrowservice.net
835 | indian.e-cardsshop.com
836 | indonesia.newsonlinesite.com
837 | info.aoldaily.com
838 | info.applesoftupdate.com
839 | info.bigish.net
840 | info.businessconsults.net
841 | info.companyinfosite.com
842 | info.defenceonline.net
843 | info.firefoxupdata.com
844 | info.freshreaders.net
845 | info.idirectech.com
846 | info.mcafeepaying.com
847 | info.msnhome.org
848 | info.newspappers.org
849 | info.rssadvanced.org
850 | info.saltlakenews.org
851 | info.softsolutionbox.net
852 | info.symanteconline.net
853 | info.theagenews.com
854 | info.thehealthmood.net
855 | info.usapappers.com
856 | info.usnewssite.com
857 | information.aunewsonline.com
858 | information.cnndaily.com
859 | information.defenceonline.net
860 | information.downloadsite.me
861 | information.jobsadvanced.com
862 | ins.globalowa.com
863 | insat.firefoxupdata.com
864 | int.busketball.com
865 | int.freshreaders.net
866 | intel.busketball.com
867 | intel.gmailboxes.com
868 | intel.infosupports.com
869 | inter.earthsolution.org
870 | international.canadatvsite.com
871 | invest.gmailboxes.com
872 | ips.firefoxupdata.com
873 | iri.infosupports.com
874 | iri.worthhummer.net
875 | irl.infosupports.com
876 | irs.businessconsults.net
877 | irs.hugesoft.org
878 | irsauctions.hugesoft.org
879 | irssales.hugesoft.org
880 | iscu.purpledaily.com
881 | iswb.softsolutionbox.net
882 | it.firefoxupdata.com
883 | it.newsonlinesite.com
884 | itau.businessconsults.net
885 | itinfo.firefoxupdata.com
886 | japan.yahoodaily.com
887 | java.earthsolution.org
888 | jbei.purpledaily.com
889 | jeff.firefoxupdata.com
890 | jeph.earthsolution.org
891 | jf.firefoxupdata.com
892 | jfn.firefoxupdata.com
893 | jfs.newsonet.net
894 | jhd.newsonet.net
895 | jhd.safalife.com
896 | jhsfkjlhjsf.firefoxupdata.com
897 | job.firefoxupdata.com
898 | job.jobsadvanced.com
899 | job.yahoodaily.com
900 | jobs.mediaxsds.net
901 | johnford985.appspot.com
902 | jr.blackcake.net
903 | juda.firefoxupdata.com
904 | jwss.infobusinessus.org
905 | kf.firefoxupdata.com
906 | khoda.firefoxupdata.com
907 | king-kl.newsonet.net
908 | kit.dnsweb.org
909 | kit.infosupports.com
910 | klape.globalowa.com
911 | klati.newsonet.net
912 | klbakerm.purpledaily.com
913 | klbar.purpledaily.com
914 | klbis.bigish.net
915 | klbis.globalowa.com
916 | klbis.purpledaily.com
917 | kl-care.newsonet.net
918 | klcirf.worthhummer.net
919 | klcocon.msnhome.org
920 | klecca.newsonet.net
921 | klecca.purpledaily.com
922 | klenvi.purpledaily.com
923 | kl-hqun.gmailboxes.com
924 | kl-hqun.newsonet.net
925 | kliee.newsonet.net
926 | kl-knab.newsonet.net
927 | kllhd.bigish.net
928 | kllhd.globalowa.com
929 | kl-mfa.newsonet.net
930 | klmfat.purpledaily.com
931 | klnrdc.newsonet.net
932 | klnrdc.purpledaily.com
933 | klotp.purpledaily.com
934 | klpiec.newsonet.net
935 | kl-rfc.newsonet.net
936 | kl-rio.newsonet.net
937 | kluscc.newsonet.net
938 | kl-vfw.globalowa.com
939 | klwest.purpledaily.com
940 | knab.newsonet.net
941 | knews.bigdepression.net
942 | koa.purpledaily.com
943 | ks.aoldaily.com
944 | ks.aunewsonline.com
945 | ks.cnndaily.com
946 | ks.firefoxupdata.com
947 | ks.jobsadvanced.com
948 | ks.mcafeepaying.com
949 | ks.petrotdl.com
950 | ks.usnewssite.com
951 | ks.yahoodaily.com
952 | ksaa.firefoxupdata.com
953 | ksap.firefoxupdata.com
954 | kshan.firefoxupdata.com
955 | kusw.blackcake.net
956 | lab.msnhome.org
957 | lan.msnhome.org
958 | launch.todayusa.org
959 | law.canoedaily.com
960 | law.myyahoonews.com
961 | lawste.purpledaily.com
962 | lawste2.purpledaily.com
963 | lcan.arrowservice.net
964 | leets.hugesoft.org
965 | leon.firefoxupdata.com
966 | lhd.globalowa.com
967 | lib.freshreaders.net
968 | life.blackcake.net
969 | link.applesoftupdate.com
970 | linkup.businessconsults.net
971 | linux.firefoxupdata.com
972 | lion.businessconsults.net
973 | listen.pop-musicsite.com
974 | live.firefoxupdata.com
975 | living.firefoxupdata.com
976 | ln.purpledaily.com
977 | lnz.worthhummer.net
978 | loading.bigish.net
979 | local.dnsweb.org
980 | log.bigdepression.net
981 | log.blackcake.net
982 | log.infosupports.com
983 | log.issnbgkit.net
984 | log.sportreadok.net
985 | login.aolon1ine.com
986 | login.blackcake.net
987 | login.businessconsults.net
988 | login.firefoxupdata.com
989 | login.infosupports.com
990 | login.safalife.com
991 | logo.freshreaders.net
992 | logo.staycools.net
993 | logo.thehealthmood.net
994 | logon.firefoxupdata.com
995 | logs.chileexe77.com
996 | logs.issnbgkit.net
997 | logs.pcclubddk.net
998 | logs.sportreadok.net
999 | lone.infosupports.com
1000 | loper.purpledaily.com
1001 | lost.msnhome.org
1002 | lost.yahoodaily.com
1003 | love.arrowservice.net
1004 | love.busketball.com
1005 | love.msnhome.org
1006 | lovecocon.bigish.net
1007 | loveit.gmailboxes.com
1008 | lrl.infosupports.com
1009 | lucie.dnsweb.org
1010 | lucy.bigdepression.net
1011 | lucy.blackcake.net
1012 | lucy.booksonlineclub.com
1013 | lucy.businessconsults.net
1014 | lucy2.businessconsults.net
1015 | lucy2.infosupports.com
1016 | lw.businessconsults.net
1017 | lw.infobusinessus.org
1018 | lw.msnhome.org
1019 | lw.purpledaily.com
1020 | lwave.arrowservice.net
1021 | m.cslisten.com
1022 | m.ifexcel.com
1023 | macfee.firefoxupdata.com
1024 | magazine.downloadsite.me
1025 | magazine.yahoodaily.com
1026 | magic.tfxdccssl.net
1027 | mail.advanbusiness.com
1028 | mail.aoldaily.com
1029 | mail.applesoftupdate.com
1030 | mail.arrowservice.net
1031 | mail.aunewsonline.com
1032 | mail.bigish.net
1033 | mail.businessconsults.net
1034 | mail.canadatvsite.com
1035 | mail.canoedaily.com
1036 | mail.chileexe77.com
1037 | mail.cnndaily.com
1038 | mail.cnndaily.net
1039 | mail.companyinfosite.com
1040 | mail.defenceonline.net
1041 | mail.downloadsite.me
1042 | mail.e-cardsshop.com
1043 | mail.firefoxupdata.com
1044 | mail.infosupports.com
1045 | mail.jobsadvanced.com
1046 | mail.lksoftvc.net
1047 | mail.mcafeepaying.com
1048 | mail.micyuisyahooapis.com
1049 | mail.msnhome.org
1050 | mail.newsonet.net
1051 | mail.newsonlinesite.com
1052 | mail.oplaymagzine.com
1053 | mail.pop-musicsite.com
1054 | mail.safalife.com
1055 | mail.satellitebbs.com
1056 | mail.softsolutionbox.net
1057 | mail.symanteconline.net
1058 | mail.todayusa.org
1059 | mail.usabbs.org
1060 | mail.usapappers.com
1061 | mail.usnewssite.com
1062 | mail.ustvb.com
1063 | mail.voiceofman.com
1064 | mail.yahoodaily.com
1065 | mail2.syscation.net
1066 | mailbbs.firefoxupdata.com
1067 | mails.firefoxupdata.com
1068 | mailsrv.firefoxupdata.com
1069 | main.busketball.com
1070 | man001.blackcake.net
1071 | man001.infosupports.com
1072 | map.firefoxupdata.com
1073 | maria.reutersnewsonline.com
1074 | marines.defenceonline.net
1075 | max.arrowservice.net
1076 | mc.bigish.net
1077 | mcsc.businessconsults.net
1078 | me.busketball.com
1079 | media.aoldaily.com
1080 | media.aunewsonline.com
1081 | media.cnndaily.com
1082 | media.jobsadvanced.com
1083 | media.mcafeepaying.com
1084 | media.purpledaily.com
1085 | media.usnewssite.com
1086 | media.yahoodaily.com
1087 | medicine.chileexe77.com
1088 | medicine.yahoodaily.com
1089 | meg.firefoxupdata.com
1090 | meily.msnhome.org
1091 | memberd.booksonlineclub.com
1092 | message.firefoxupdata.com
1093 | messenger.msnhome.org
1094 | method.ns06.net
1095 | mfa.globalowa.com
1096 | mfc.newsonet.net
1097 | micro.applesoftupdate.com
1098 | microsoft.firefoxupdata.com
1099 | milk.arrowservice.net
1100 | mini.arrowservice.net
1101 | mint.hugesoft.org
1102 | mko.busketball.com
1103 | mlls.globalowa.com
1104 | mobile.firefoxupdata.com
1105 | money.sportreadok.net
1106 | moon.blackcake.net
1107 | moon.infosupports.com
1108 | mor.newsonet.net
1109 | more.msnhome.org
1110 | mos.arrowservice.net
1111 | moto.busketball.com
1112 | moto.msnhome.org
1113 | moto.purpledaily.com
1114 | moto1.newsonet.net
1115 | moto2.earthsolution.org
1116 | motoa.purpledaily.com
1117 | motor.earthsolution.org
1118 | movie.canadatvsite.com
1119 | movies.infobusinessus.org
1120 | mpe.arrowservice.net
1121 | msn.firefoxupdata.com
1122 | music.bpyoyo.com
1123 | music.msnhome.org
1124 | music.pop-musicsite.com
1125 | music.todayusa.org
1126 | mx.blackcake.net
1127 | my.firefoxupdata.com
1128 | my550.firefoxupdata.com
1129 | myfamily.infosupports.com
1130 | mynet.firefoxupdata.com
1131 | myoil.purpledaily.com
1132 | mysql.msnhome.org
1133 | na.bigdepression.net
1134 | na.msnhome.org
1135 | nat.bigdepression.net
1136 | nature.arrowservice.net
1137 | nav.booksonlineclub.com
1138 | navi.businessconsults.net
1139 | navi.earthsolution.org
1140 | nci.bigdepression.net
1141 | nci.dnsweb.org
1142 | nci.safalife.com
1143 | ncih.dnsweb.org
1144 | ncsc.businessconsults.net
1145 | ne.hugesoft.org
1146 | nes.nationtour.net
1147 | net.firefoxupdata.com
1148 | net.infosupports.com
1149 | new.arrowservice.net
1150 | new.booksonlineclub.com
1151 | new.firefoxupdata.com
1152 | new.globalowa.com
1153 | newport.bigdepression.net
1154 | newport.infosupports.com
1155 | newport.safalife.com
1156 | news.advanbusiness.com
1157 | news.aoldaily.com
1158 | news.aolon1ine.com
1159 | news.applesoftupdate.com
1160 | news.bigdepression.net
1161 | news.blackcake.net
1162 | news.booksonlineclub.com
1163 | news.bpyoyo.com
1164 | news.businessconsults.net
1165 | news.busketball.com
1166 | news.canadatvsite.com
1167 | news.canoedaily.com
1168 | news.chileexe77.com
1169 | news.cnndaily.com
1170 | news.cnnnewsdaily.com
1171 | news.defenceonline.net
1172 | news.dnsweb.org
1173 | news.downloadsite.me
1174 | news.e-cardsshop.com
1175 | news.firefoxupdata.com
1176 | news.freshreaders.net
1177 | news.hugesoft.org
1178 | news.infosupports.com
1179 | news.issnbgkit.net
1180 | news.jobsadvanced.com
1181 | news.lksoftvc.net
1182 | news.marsbrother.com
1183 | news.mcafeepaying.com
1184 | news.mediaxsds.net
1185 | news.micyuisyahooapis.com
1186 | news.msnhome.org
1187 | news.myyahoonews.com
1188 | news.nationtour.net
1189 | news.newsonlinesite.com
1190 | news.newspappers.org
1191 | news.nytimesnews.net
1192 | news.pcclubddk.net
1193 | news.pop-musicsite.com
1194 | news.reutersnewsonline.com
1195 | news.rssadvanced.org
1196 | news.safalife.com
1197 | news.saltlakenews.org
1198 | news.satellitebbs.com
1199 | news.softsolutionbox.net
1200 | news.sportreadok.net
1201 | news.staycools.net
1202 | news.symanteconline.net
1203 | news.thehealthmood.net
1204 | news.todayusa.org
1205 | news.usapappers.com
1206 | news.voiceofman.com
1207 | news.yahoo.com.conferencesinfo.com
1208 | news.yahoodaily.com
1209 | newstar.nytimesnews.net
1210 | newstar.reutersnewsonline.com
1211 | newstime.firefoxupdata.com
1212 | newyork.usabbs.org
1213 | ngc.blackcake.net
1214 | ngng.firefoxupdata.com
1215 | nh.microsoft-update-info.com
1216 | nhc.newsonet.net
1217 | nhs.newsonet.net
1218 | nhs1.msnhome.org
1219 | nhs1.newsonet.net
1220 | nhsl.newsonet.net
1221 | nic.safalife.com
1222 | nicenews.firefoxupdata.com
1223 | night.firefoxupdata.com
1224 | nis.purpledaily.com
1225 | nl.firefoxupdata.com
1226 | nod.downloadsite.me
1227 | nol.firefoxupdata.com
1228 | norin.firefoxupdata.com
1229 | notebook.firefoxupdata.com
1230 | nousage.arrowservice.net
1231 | nrfn.newsonet.net
1232 | ns.issnbgkit.net
1233 | nt.firefoxupdata.com
1234 | nucor001.purpledaily.com
1235 | nukor001.hugesoft.org
1236 | nullmx.firefoxupdata.com
1237 | num.safalife.com
1238 | o.ifexcel.com
1239 | object.todayusa.org
1240 | office.msnhome.org
1241 | okie.businessconsults.net
1242 | old.firefoxupdata.com
1243 | oliver.arrowservice.net
1244 | once.downloadsite.me
1245 | onk.newsonet.net
1246 | online.livemymsn.com
1247 | online.mcafeepaying.com
1248 | online.msnhome.org
1249 | online.pop-musicsite.com
1250 | online.reutersnewsonline.com
1251 | ope.purpledaily.com
1252 | opp.infosupports.com
1253 | oppa.bigdepression.net
1254 | opts.msnhome.org
1255 | orca.arrowservice.net
1256 | ord.firefoxupdata.com
1257 | orient.earthsolution.org
1258 | otp.blackberrycluter.com
1259 | otps.globalowa.com
1260 | ou.infosupports.com
1261 | ou1.blackcake.net
1262 | ou1.infosupports.com
1263 | ou2.blackcake.net
1264 | ou2.infosupports.com
1265 | ou3.infosupports.com
1266 | ou4.infosupports.com
1267 | ou5.infosupports.com
1268 | ou6.infosupports.com
1269 | ou7.infosupports.com
1270 | outlook.firefoxupdata.com
1271 | outlooks.firefoxupdata.com
1272 | owa.arrowservice.net
1273 | owa.businessconsults.net
1274 | owa.purpledaily.com
1275 | owa.softsolutionbox.net
1276 | pacific.blackcake.net
1277 | pacific.worthhummer.net
1278 | pack.cnnnewsdaily.com
1279 | pact.hugesoft.org
1280 | paekl.gmailboxes.com
1281 | papper.booksonlineclub.com
1282 | papper.firefoxupdata.com
1283 | pars.earthsolution.org
1284 | part.bigdepression.net
1285 | part.earthsolution.org
1286 | parth.earthsolution.org
1287 | pay.aunewsonline.com
1288 | pay.freshreaders.net
1289 | payse.firefoxupdata.com
1290 | pcie.arrowservice.net
1291 | pda.applesoftupdate.com
1292 | pda.msnhome.org
1293 | pda.reutersnewsonline.com
1294 | pda.staycools.net
1295 | pda.usapappers.com
1296 | pdoc.earthsolution.org
1297 | pear.blackcake.net
1298 | pear.firefoxupdata.com
1299 | pear.infosupports.com
1300 | people.softsolutionbox.net
1301 | phb.arrowservice.net
1302 | phe.reutersnewsonline.com
1303 | philippines.cnndaily.com
1304 | pic.firefoxupdata.com
1305 | picture.chileexe77.com
1306 | pink.firefoxupdata.com
1307 | plane.usabbs.org
1308 | planning.firefoxupdata.com
1309 | play.conferencesinfo.com
1310 | play.firefoxupdata.com
1311 | pme.worthhummer.net
1312 | png.sportreadok.net
1313 | pop.advanbusiness.com
1314 | pop.aoldaily.com
1315 | pop.applesoftupdate.com
1316 | pop.aunewsonline.com
1317 | pop.blackcake.net
1318 | pop.businessconsults.net
1319 | pop.canadatvsite.com
1320 | pop.canoedaily.com
1321 | pop.cnndaily.com
1322 | pop.cnndaily.net
1323 | pop.companyinfosite.com
1324 | pop.defenceonline.net
1325 | pop.dnsweb.org
1326 | pop.downloadsite.me
1327 | pop.e-cardsshop.com
1328 | pop.firefoxupdata.com
1329 | pop.infosupports.com
1330 | pop.jobsadvanced.com
1331 | pop.mcafeepaying.com
1332 | pop.micyuisyahooapis.com
1333 | pop.msnhome.org
1334 | pop.newsonlinesite.com
1335 | pop.pop-musicsite.com
1336 | pop.satellitebbs.com
1337 | pop.staycools.net
1338 | pop.symanteconline.net
1339 | pop.todayusa.org
1340 | pop.usabbs.org
1341 | pop.usapappers.com
1342 | pop.usnewssite.com
1343 | pop.voiceofman.com
1344 | pop.yahoodaily.com
1345 | pop2.blackcake.net
1346 | pop2.infosupports.com
1347 | pop3.blackcake.net
1348 | pop3.infosupports.com
1349 | pop4.blackcake.net
1350 | pop5.blackcake.net
1351 | pop6.infosupports.com
1352 | pop9.infosupports.com
1353 | popw.infosupports.com
1354 | popwk.msnhome.org
1355 | portbab.infosupports.com
1356 | portpop.businessconsults.net
1357 | ppt.arrowservice.net
1358 | prc.newsonet.net
1359 | prefix.firefoxupdata.com
1360 | prefix.usapappers.com
1361 | pro.reutersnewsonline.com
1362 | proc.blackberrycluter.com
1363 | proc.purpledaily.com
1364 | product.satellitebbs.com
1365 | program.reutersnewsonline.com
1366 | progress.purpledaily.com
1367 | protoc.infosupports.com
1368 | psp.advanbusiness.com
1369 | psp.staycools.net
1370 | psu.businessconsults.net
1371 | psu.nytimesnews.net
1372 | psu.worthhummer.net
1373 | ptp.firefoxupdata.com
1374 | pz.booksonlineclub.com
1375 | qedh.earthsolution.org
1376 | qhun-mons.businessformars.com
1377 | qiao1.bigdepression.net
1378 | qiao1.safalife.com
1379 | qiao2.bigdepression.net
1380 | qiao3.bigdepression.net
1381 | qiao4.bigdepression.net
1382 | qiao5.bigdepression.net
1383 | qiao6.bigdepression.net
1384 | qiao7.bigdepression.net
1385 | qiao8.bigdepression.net
1386 | qua.businessconsults.net
1387 | qual.bigdepression.net
1388 | quick.earthsolution.org
1389 | quiet.earthsolution.org
1390 | qusc12.infosupports.com
1391 | rank.firefoxupdata.com
1392 | rcs.purpledaily.com
1393 | reas.hugesoft.org
1394 | record.companyinfosite.com
1395 | records.marsbrother.com
1396 | red.firefoxupdata.com
1397 | red.infosupports.com
1398 | reg.firefoxupdata.com
1399 | release.busketball.com
1400 | release.purpledaily.com
1401 | release.softsolutionbox.net
1402 | report.cnnnewsdaily.com
--------------------------------------------------------------------------------
/test/TEST:
--------------------------------------------------------------------------------
1 | Example files to test with. Make sure matching works!
2 | The lists do change; in that case, your best bet is to compare
3 | the same file, which should *always* result in a match.
4 |
5 | Note: Add -v or -V to debug.
6 |
7 | e.g.
8 |
9 | # Match DNS names against malhosts.txt list
10 | ./mal-dnssearch.sh -c test/malhosts.test
11 |
12 | # Match IPs by comparing the same file
13 | ./mal-dnssearch.sh -z test/compromised-ips.test -0 test/compromised-ips.test
14 |
15 | # Match IPs from Snort Labs' ip-filter list
16 | ./mal-dnssearch.sh -z test/ip-filter.test -1
17 |
18 | # Match default list (DNS) against two log inputs
19 | ./mal-dnssearch.sh -p test/malhosts.test -d test/dns.pcap
20 |
21 | # Same as above but use an alternative mal host (DNS) file
22 | ./mal-dnssearch.sh -p test/malhosts.test -s test/dns.pcap -7 -N
23 |
24 | Note: Use -N to skip download in the case where you already have the file
25 |
26 | # Create your own
27 | echo -e "badwebsite.com\nnegativeperson.net\nevilcountry.org" > list.test
28 | for i in $(seq 1 254); do echo 192.168.1.$i; done > list.test
29 |
--------------------------------------------------------------------------------
/test/compromised-ips.test:
--------------------------------------------------------------------------------
1 | 1.33.188.250
2 | 1.82.184.23
3 | 1.82.184.24
4 | 1.214.219.12
5 | 1.234.4.227
6 | 1.234.9.7
7 | 1.234.20.209
8 | 1.234.31.20
9 | 1.234.51.243
10 | 1.234.90.158
11 |
--------------------------------------------------------------------------------
/test/dns.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jonschipp/mal-dnssearch/3283217f2bd856788cae0171fcd3bf0f76894754/test/dns.pcap
--------------------------------------------------------------------------------
/test/ip-filter.test:
--------------------------------------------------------------------------------
1 | 1.1.193.141
2 | 1.1.196.218
3 | 1.1.197.137
4 | 1.1.198.218
5 | 1.1.198.242
6 | 1.1.199.114
7 | 1.1.199.161
8 | 1.1.202.67
9 | 1.1.204.27
10 | 1.1.205.22
11 |
--------------------------------------------------------------------------------
/test/malhosts.test:
--------------------------------------------------------------------------------
1 | 01ebfef.netsolhost.com
2 | 0bq.ru
3 | 0koryu0.easter.ne.jp
4 | 0x1.su
5 | 110mb.com
6 | 11.lamarianella.info
7 | 123002915.cn.com
8 | 123mdw.com
9 | 125search.com
10 | 12danji.com
11 |
--------------------------------------------------------------------------------
/test/mandiant_apt1.dns:
--------------------------------------------------------------------------------
1 | advanbusiness.com
2 | aoldaily.com
3 | aolon1ine.com
4 | applesoftupdate.com
5 | arrowservice.net
6 | attnpower.com
7 | aunewsonline.com
8 | avvmail.com
9 | bigdepression.net
10 | bigish.net
11 |
--------------------------------------------------------------------------------
/tools/mal-dns2bro.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | #
3 | # Aaron Eppert
4 | #
5 | # September 28, 2015   Initial Release                                Aaron Eppert
6 | # September 29, 2015   Dynamic header creation and field filling      Aaron Eppert
7 | # March 9, 2016        Added '-S' option to strip URIs and            Aaron Eppert
8 | #                      removed '-T' option so a mixed type file
9 | #                      may be supplied and heuristics generate the
10 | #                      required type
11 |
12 | import os
13 | import re
14 | import sys
15 | import string
16 | import socket
17 | from urlparse import urlparse
18 |
19 | from optparse import OptionParser, OptionGroup
20 | from optparse import HelpFormatter as fmt
21 |
22 |
23 | def warning(text):
24 |     sys.stderr.write("WARNING: %s\n" % (text))
25 |
26 |
27 | def error(text):
28 |     sys.stderr.write("ERROR: %s\n" % (text))
29 |     sys.exit(1)
30 |
31 |
32 | def decorate(fn):
33 |     def wrapped(self=None, desc=""):
34 |         return '\n'.join([fn(self, s).rstrip() for s in desc.split('\n')])
35 |     return wrapped
36 | fmt.format_description = decorate(fmt.format_description)
37 |
38 |
39 | class bro_intel_indicator_type:
40 |     def __init__(self, strip_uri=False):
41 |         self.__INDICATOR_TYPE_unsupported = ['Intel::SOFTWARE',
42 |                                              'Intel::USER_NAME',
43 |                                              'Intel::FILE_NAME',
44 |                                              'Intel::CERT_HASH']
45 |
46 |         self.__INDICATOR_TYPE_handler = [(self.__handle_intel_addr, 'Intel::ADDR'),
47 |                                          (self.__handle_intel_domain, 'Intel::DOMAIN'),
48 |                                          (self.__handle_intel_url, 'Intel::URL'),
49 |                                          (self.__handle_intel_email, 'Intel::EMAIL'),
50 |                                          (self.__handle_intel_file_hash, 'Intel::FILE_HASH')]
51 |
52 |     def __is_valid_ipv6_address(self, address):
53 |         try:
54 |             socket.inet_pton(socket.AF_INET6, address)
55 |         except socket.error:  # not a valid address
56 |             return False
57 |         return True
58 |
59 |     def __is_valid_ipv4_address(self, address):
60 |         try:
61 |             socket.inet_pton(socket.AF_INET, address)
62 |         except AttributeError:  # no inet_pton here, sorry
63 |             try:
64 |                 socket.inet_aton(address)
65 |             except socket.error:
66 |                 return False
67 |             return address.count('.') == 3
68 |         except socket.error:  # not a valid address
69 |             return False
70 |         return True
71 |
72 |     def __handle_intel_addr(self, indicator):
73 |         ret = (False, None)
74 |         if self.__is_valid_ipv4_address(indicator) or self.__is_valid_ipv6_address(indicator):
75 |             ret = (True, 'Intel::ADDR')
76 |         return ret
77 |
78 |     # We will call this minimalist, but effective.
79 |     def __handle_intel_url(self, indicator):
80 |         ret = (False, None)
81 |
82 |         t_uri_present = re.findall(r'^https?://', indicator)
83 |         if t_uri_present is not None and len(t_uri_present) > 0:
84 |             error('Aborting - URI present (e.g. http(s)://) - %s' % (indicator))
85 |         else:
86 |             rx = re.compile(r'^[https?://]?'  # http:// or https://
87 |                             r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|'  # domain...
88 |                             r'localhost|'  # localhost...
89 |                             r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'  # ...or ip
90 |                             r'(?::\d+)?'  # optional port
91 |                             r'(?:/?|[/?]\S+)$', re.IGNORECASE)
92 |             t = rx.search(indicator)
93 |             if t:
94 |                 ret = (True, 'Intel::URL')
95 |         return ret
96 |
97 |     def __handle_intel_email(self, indicator):
98 |         ret = (False, None)
99 |         rx = r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)"
100 |         t_email = re.findall(rx, indicator)
101 |         if len(t_email) > 0:
102 |             ret = (True, 'Intel::EMAIL')
103 |         return ret
104 |
105 |     def __handle_intel_domain(self, indicator):
106 |         ret = (False, None)
107 |         rx = r'(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$)'  # tail after the second '(?' is assumed: label must not end in '-', TLD of 2-63 letters
108 |         t_domain = re.findall(rx, indicator)
109 |         if len(t_domain) > 0:
110 |             if indicator in t_domain[0]:
111 |                 ret = (True, 'Intel::DOMAIN')
112 |         return ret
113 |
114 |     # Pretty weak, but should suffice for now.
115 |     def __handle_intel_file_hash(self, indicator):
116 |         ret = (False, None)
117 |         VALID_HASH_LEN = {32: 'md5',
118 |                           40: 'sha1',
119 |                           64: 'sha256'}
120 |         if VALID_HASH_LEN.get(len(indicator), None):
121 |             ret = (True, 'Intel::FILE_HASH')
122 |         return ret
123 |
124 |     def determine(self, indicator):
125 |         for ith in self.__INDICATOR_TYPE_handler:
126 |             (t_okay, t_val) = ith[0](indicator)
127 |
128 |             if t_okay:
129 |                 return t_val
130 |         error("Could not determine indicator type for %s" % (indicator))
131 |
132 |
133 | class mal_dns2bro:
134 |     def __init__(self, args_dict):
135 |         self.args_dict = args_dict
136 |         self.append_intel_line = None
137 |         self.sorted_hdr = [(0, '#fields', None),
138 |                            (1, 'indicator', None),
139 |                            (2, 'indicator_type', None)]
140 |
141 |         self.if_in = ['-',
142 |                       'Conn::IN_ORIG',
143 |                       'Conn::IN_RESP',
144 |                       'Files::IN_HASH',
145 |                       'Files::IN_NAME',
146 |                       'DNS::IN_REQUEST',
147 |                       'DNS::IN_RESPONSE',
148 |                       'HTTP::IN_HOST_HEADER',
149 |                       'HTTP::IN_REFERRER_HEADER',
150 |                       'HTTP::IN_USER_AGENT_HEADER',
151 |                       'HTTP::IN_X_FORWARDED_FOR_HEADER',
152 |                       'HTTP::IN_URL',
153 |                       'SMTP::IN_MAIL_FROM',
154 |                       'SMTP::IN_RCPT_TO',
155 |                       'SMTP::IN_FROM',
156 |                       'SMTP::IN_TO',
157 |                       'SMTP::IN_RECEIVED_HEADER',
158 |                       'SMTP::IN_REPLY_TO',
159 |                       'SMTP::IN_X_ORIGINATING_IP_HEADER',
160 |                       'SMTP::IN_MESSAGE',
161 |                       'SSL::IN_SERVER_CERT',
162 |                       'SSL::IN_CLIENT_CERT',
163 |                       'SSL::IN_SERVER_NAME',
164 |                       'SMTP::IN_HEADER']
165 |
166 |         self._bitt = bro_intel_indicator_type()
167 |
168 |         self.option_to_header = [('#fields', '#fields', lambda: None),
169 |                                  ('indicator', 'indicator', lambda: None),
170 |                                  ('type', 'indicator_type', lambda: None),
171 |                                  ('source', 'meta.source', self.__source),
172 |                                  ('url', 'meta.url', self.__url),
173 |                                  ('notice', 'meta.do_notice', self.__notice),
174 |                                  ('if_in', 'meta.if_in', self.__if_in),
175 |                                  ('whitelist', 'meta.whitelist', self.__whitelist),
176 |                                  ('desc', 'meta.desc', self.__desc),
177 |                                  ('cif_severity', 'meta.cif_severity', self.__cif_severity),
178 |                                  ('cif_impact', 'meta.cif_impact', self.__cif_impact),
179 |                                  ('cif_confidence', 'meta.cif_confidence', self.__confidence)]
180 |
181 |     def __verify_chars(self, t):
182 |         return all(ord(l) > 31 and ord(l) < 127 and l in string.printable for l in t)
183 |
184 |     def __find_header_order(self, t):
185 |         ret = -1
186 |         try:
187 |             ret = map(lambda x: x[0], self.option_to_header).index(t)
188 |         except ValueError:
189 |             error('Invalid header!')
190 |         return ret
191 |
192 |     def __cif_severity(self):
193 |         ret = ''
194 |         VALID_SEVERITY = ['low', 'medium', 'med', 'high']
195 |         if self.args_dict['cif_severity'] in VALID_SEVERITY:
196 |             ret = self.args_dict['cif_severity']
197 |         else:
198 |             ret = '-'
199 |         return (self.__find_header_order('cif_severity'), ret)
200 |
201 |     def __cif_impact(self):
202 |         ret = ''
203 |         if self.args_dict['cif_impact'] is not None and len(self.args_dict['cif_impact']) > 0 and self.__verify_chars(self.args_dict['cif_impact']):
204 |             ret = self.args_dict['cif_impact']
205 |         else:
206 |             ret = '-'
207 |         return (self.__find_header_order('cif_impact'), ret)
208 |
209 |     def __desc(self):
210 |         ret = ''
211 |         if self.args_dict['desc'] is not None and len(self.args_dict['desc']) > 0 and self.__verify_chars(self.args_dict['desc']):
212 |             ret = self.args_dict['desc']
213 |         else:
214 |             ret = '-'
215 |         return (self.__find_header_order('desc'), ret)
216 |
217 |     def __if_in(self):
218 |         ret = ''
219 |         if self.args_dict['if_in'] is not None and len(self.args_dict['if_in']) > 0 and self.args_dict['if_in'] in self.if_in:
220 |             ret = self.args_dict['if_in']
221 |         else:
222 |             ret = '-'
223 |         return (self.__find_header_order('if_in'), ret)
224 |
225 |     def __notice(self):
226 |         ret = 'F'
227 |         _to_bro = {'true': 'T',
228 |                    'false': 'F'}
229 |         if self.args_dict['notice'] is not None and _to_bro.get(self.args_dict['notice'], None) is not None:
230 |             ret = _to_bro.get(self.args_dict['notice'])
231 |         return (self.__find_header_order('notice'), ret)
232 |
233 |     def __source(self):
234 |         ret = ''
235 |         if self.args_dict['source'] is not None and len(self.args_dict['source']) > 0 and self.__verify_chars(self.args_dict['source']):
236 |             ret = self.args_dict['source']
237 |         else:
238 |             ret = 'mal-dnssearch'
239 |         return (self.__find_header_order('source'), ret)
240 |
241 |     def __url(self):
242 |         ret = ''
243 |         if self.args_dict['url'] is not None and len(self.args_dict['url']) > 0 and self.__verify_chars(self.args_dict['url']):
244 |             ret = self.args_dict['url']
245 |         else:
246 |             ret = '-'
247 |         return (self.__find_header_order('url'), ret)
248 |
249 |     def __whitelist(self):
250 |         ret = ''
251 |         if self.args_dict['whitelist'] is not None and len(self.args_dict['whitelist']) > 0:
252 |             ret = self.args_dict['whitelist']
253 |         else:
254 |             ret = '-'
255 |         return (self.__find_header_order('whitelist'), ret)
256 |
257 |     def __confidence(self):
258 |         ret = None
259 |         if self.args_dict['cif_confidence'] is not None and len(self.args_dict['cif_confidence']) > 0:
260 |             try:
261 |                 t_int = int(self.args_dict['cif_confidence'])
262 |                 if isinstance(t_int, (int, long)) and (t_int > 0 and t_int < 100):
263 |                     ret = str(t_int)
264 |             except ValueError:
265 |                 ret = None
266 |         return (self.__find_header_order('cif_confidence'), ret)
267 |
268 |     def __in_whitelist(self, t):
269 |         ret = False
270 |         if self.args_dict['whitelist'] is not None and len(self.args_dict['whitelist']) > 0:
271 |             if len(re.findall(str.decode(self.args_dict['whitelist']), t)) > 0:
272 |                 ret = True
273 |         return ret
274 |
275 |     def __file(self):
276 |         ret = None
277 |         if self.args_dict['file'] is not None and len(self.args_dict['file']) > 0 and os.path.exists(self.args_dict['file']):
278 |             ret = open(self.args_dict['file'], 'rb')
279 |         else:
280 |             ret = sys.stdin
281 |         return ret
282 |
283 |     def __prep_append_intel_line(self):
284 |         self.append_intel_line = '\t'.join([t[2]()[1] for t in self.sorted_hdr[3:]])
285 |
286 |     def __put_header(self):
287 |         ret = ''
288 |         t_args_dict_to_field_name = map(lambda x: x[0], self.option_to_header)
289 |         for k in self.args_dict.keys():
290 |             if self.args_dict[k] is not None:
291 |                 try:
292 |                     t_index = t_args_dict_to_field_name.index(k)
293 |                     self.sorted_hdr.append((t_index, self.option_to_header[t_index][1], self.option_to_header[t_index][2]))
294 |                 except ValueError:
295 |                     pass
296 |
297 |         if len(self.sorted_hdr) > 0:
298 |             self.sorted_hdr.sort(key=lambda x: x[0])
299 |             ret = '\t'.join(map(lambda x: x[1], self.sorted_hdr))
300 |         else:
301 |             error('Failed to generate header')
302 |         sys.stdout.write(ret + "\n")
303 |
304 |     def __strip_uri(self, line):
305 |         ret = ''
306 |         parsed = urlparse(line)
307 |
308 |         if len(parsed) > 0:
309 |             if parsed.netloc:
310 |                 ret += parsed.netloc
311 |             if parsed.path:
312 |                 ret += parsed.path
313 |             if parsed.params:
314 |                 ret += ";" + parsed.params
315 |             if parsed.query:
316 |                 ret += '?' + parsed.query
317 |             if parsed.fragment:
318 |                 ret += '#' + parsed.fragment
319 |         return ret
320 |
321 |     def __type(self, line):
322 |         ret = self._bitt.determine(line)
323 |         return ret
324 |
325 |     def format(self):
326 |         t_fd = self.__file()
327 |
328 |         if t_fd is not None:
329 |             self.__put_header()
330 |             self.__prep_append_intel_line()
331 |
332 |             for line in t_fd:
333 |                 t_line = line.strip()
334 |                 if len(t_line) > 0:
335 |                     if self.args_dict['strip_uri']:
336 |                         t_line = self.__strip_uri(t_line)
337 |
338 |                     # Special case, we need to generate the indicator_type
339 |                     # based on the input data
340 |                     t_type = self.__type(t_line)
341 |
342 |                     print '%s\t%s\t%s' % (t_line, t_type, self.append_intel_line)
343 |
344 |             if t_fd is not sys.stdin:
345 |                 t_fd.close()
346 |
347 |
348 | def main():
349 |     parser = OptionParser()
350 |     parser.add_option('-f', dest='file', help='Read parsed list from file (if option is omitted, use stdin)')
351 |     parser.add_option('-g', dest='cif_severity', help="""Reported Severity: 'low', 'medium', 'med', 'high'""")
352 |     parser.add_option('-c', dest='cif_confidence', help="""Confidence percentage - 0...100""")
353 |     parser.add_option('-k', dest='cif_impact', help='meta.cif_impact')
354 |     parser.add_option('-d', dest='desc', help='Description of entry (meta.desc)')
355 |     parser.add_option('-i', dest='if_in', help='Location seen in Bro (def: null)')
356 |     parser.add_option('-n', dest='notice', help="""Call Notice Framework on matches:
357 |                                                    true
358 |                                                    false
359 |                                                    (def: false)""")
360 |     parser.add_option('-S', dest='strip_uri', action="store_true", help='Strip URI(s) if present')
361 |     parser.add_option('-s', dest='source', help='Name for data source (def: mal-dnssearch)')
362 |     parser.add_option('-u', dest='url', help='URL of feed (if applicable)')
363 |     parser.add_option('-w', dest='whitelist', help="""Whitelist pattern (e.g. -w "192\.168", -w "bad|host|evil")""")
364 |
365 |     (options, args) = parser.parse_args()
366 |
367 |     if len(sys.argv) < 1:
368 |         parser.print_help()
369 |         sys.exit(1)
370 |
371 |     args_dict = {}
372 |     for o in options.__dict__.keys():
373 |         args_dict[o] = options.__dict__[o]
374 |
375 |     md2b = mal_dns2bro(args_dict)
376 |     md2b.format()
377 |
378 | if __name__ == '__main__':
379 |     main()
380 |
--------------------------------------------------------------------------------
/tools/mal-dns2bro.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | # functions
4 | usage()
5 | {
6 | cat <<EOF
24 | -T Intel::Type value or short name (e.g. \`\`-T ip'', \`\`-T Intel::ADDR'')
24 | Intel::ADDR ip
25 | Intel::DOMAIN dns
26 | Intel::URL url
27 | Intel::SOFTWARE software
28 | Intel::EMAIL e-mail
29 | Intel::USER_NAME user
30 | Intel::FILE_HASH filehash
31 | Intel::FILE_NAME filename
32 | Intel::CERT_HASH certhash
33 |
34 | -f Read parsed list from file (if option is omitted, use stdin)
35 | -i Location seen in Bro (def: null)
36 | -n Call Notice Framework on matches, 'true/false' (def: false)
37 | -s Name for data source (def: mal-dnssearch)
38 | -u URL of feed (if applicable)
39 | -d meta.desc -
40 | -g meta.cif_severity
41 | -k meta.cif_impact
42 | -w Whitelist pattern (e.g. \`\`-w "192\.168"'', \`\`-w "bad|host|evil"'')
43 | Or set \$WHITELIST in your shell (e.g. \`\`export WHITELIST="you|get|clipped"'')
44 |
45 | Usage: $0 -T [ -f ] [ -s ] [ -n ] [ -i ] [ -u ] [ -w ]
46 | e.g.
47 | > ./mal-dnssearch.sh -M mayhemic -p | $0 -T dns > mayhemic.intel
48 | > $0 -T dns -f apt1.list -s mandiant -n true -i HTTP::IN_HOST_HEADER > mandiant.intel
49 | EOF
50 | }
51 |
52 | argcheck() {
53 | # if less than n argument
54 | if [ $ARGC -lt $1 ]; then
55 | echo "Missing arguments! Use \`\`-h'' for help."
56 | exit 1
57 | fi
58 | }
59 |
60 | format() {
61 |
62 | echo -e "\n[*] Waiting for input.. (Did you pipe stdin or specify a file?)\n" 1>&2
63 |
64 | awk -v type="$TYPE" -v source="$SOURCE" -v url="$URL" -v notice="$NOTICE" -v if_in="$IF_IN" -v wlist="$WLIST" -v desc="$DESC" -v cif_severity="$CIF_SEVERITY" -v cif_impact="$CIF_IMPACT" 'BEGIN \
65 | {
66 | print "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\tmeta.whitelist\tmeta.desc\tmeta.cif_severity\tmeta.cif_impact"
67 | }
68 | {
69 | if (length($1) > 0) {
70 | $2=type; $3=source; $4=url; $5=notice; $6=if_in; $7=wlist; $8=desc; $9=cif_severity; $10=cif_impact;
71 | print $1"\t"$2"\t"$3"\t"$4"\t"$5"\t"$6"\t"$7"\t"$8"\t"$9"\t"$10;
72 | }
73 | }'
74 |
75 | }
76 |
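77 | whitelist()
78 | { # Prints a grep command that the caller runs with eval; user input is %q-quoted so it stays a single argument
79 | if [ -z "$WHITELIST" ]; then
80 | echo "grep -v -i -E '___somestringthatwontmatch___'"
81 | elif [ -f "$WHITELIST" ]; then
82 | echo "grep -v -i -f $(printf '%q' "$WHITELIST")"
83 | else
84 | echo "grep -v -i -E $(printf '%q' "(somestringthatwontmatch|$WHITELIST)")"
85 | fi
86 | }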
87 |
88 | # Initializations
89 | SOURCE="mal-dnssearch"
90 | NOTICE="F"
91 | URL="-"
92 | IF_IN="-"
93 | WLIST="-"
94 | DESC="-"
95 | CIF_SEVERITY="-"
96 | CIF_IMPACT="-"
97 | ARGC=$#
98 | FILE_SET=0
99 | TYPE_SET=0
100 |
101 | argcheck 1
102 |
103 | while getopts "hd:f:g:k:i:n:T:s:u:w:" OPTION
104 | do
105 | case $OPTION in
106 | g) CIF_SEVERITY="$OPTARG"
107 | ;;
108 | k) CIF_IMPACT="$OPTARG"
109 | ;;
110 | d) DESC="$OPTARG"
111 | ;;
112 | f)
113 | FILE="$OPTARG"
114 | FILE_SET=1
115 | ;;
116 | h)
117 | usage
118 | exit 0
119 | ;;
120 | i)
121 | IF_IN="$OPTARG"
122 | ;;
123 | n)
124 | if [[ "$OPTARG" == true ]]; then
125 | NOTICE="T"
126 | elif [[ "$OPTARG" == false ]]; then
127 | NOTICE="F"
128 | else
129 | echo "Unknown notice value!"
130 | exit 1
131 | fi
132 | ;;
133 | T)
134 | if [[ "$OPTARG" == ip ]] || [[ "$OPTARG" == "Intel::ADDR" ]]; then
135 | TYPE=Intel::ADDR
136 | elif [[ "$OPTARG" == dns ]] || [[ "$OPTARG" == "Intel::DOMAIN" ]]; then
137 | TYPE=Intel::DOMAIN
138 | elif [[ "$OPTARG" == e-mail ]] || [[ "$OPTARG" == "Intel::EMAIL" ]]; then
139 | TYPE=Intel::EMAIL
140 | elif [[ "$OPTARG" == url ]] || [[ "$OPTARG" == "Intel::URL" ]]; then
141 | TYPE=Intel::URL
142 | elif [[ "$OPTARG" == software ]] || [[ "$OPTARG" == "Intel::SOFTWARE" ]]; then
143 | TYPE=Intel::SOFTWARE
144 | elif [[ "$OPTARG" == user ]] || [[ "$OPTARG" == "Intel::USER_NAME" ]]; then
145 | TYPE=Intel::USER_NAME
146 | elif [[ "$OPTARG" == filehash ]] || [[ "$OPTARG" == "Intel::FILE_HASH" ]]; then
147 | TYPE=Intel::FILE_HASH
148 | elif [[ "$OPTARG" == filename ]] || [[ "$OPTARG" == "Intel::FILE_NAME" ]]; then
149 | TYPE=Intel::FILE_NAME
150 | elif [[ "$OPTARG" == certhash ]] || [[ "$OPTARG" == "Intel::CERT_HASH" ]]; then
151 | TYPE=Intel::CERT_HASH
152 | else
153 | echo "Unknown type!"
154 | exit 1
155 | fi
156 | TYPE_SET=1
157 | ;;
158 | s)
159 | SOURCE="$OPTARG"
160 | ;;
161 | u)
162 | URL="$OPTARG"
163 | ;;
164 | w)
165 | if [ -z "$WHITELIST" ]; then
166 | WHITELIST="$OPTARG"
167 | fi
168 | ;;
169 | \?)
170 | exit 1
171 | ;;
172 | esac
173 | done
174 |
175 | if [ $TYPE_SET -eq 1 ]; then
176 |
177 | if [ $FILE_SET -eq 0 ]; then
178 | cat - | eval "$(eval whitelist)" | format
179 | fi
180 |
181 | if [ $FILE_SET -eq 1 ] && [ -f "$FILE" ]; then
182 | cat "$FILE" | eval "$(eval whitelist)" | format
183 | fi
184 |
185 | else
186 | echo "Missing option: \`\`-T'' is required"
187 | exit 1
188 | fi
189 |
--------------------------------------------------------------------------------