Pastebin abused • 27 May 2011
I was looking at a snippet of code on the well-known paste site pastebin.com, when I noticed a list of 'public pastes'. I clicked a few, just out of curiosity, expecting to see some interesting program code snippets, but instead I stumbled upon some strange things, like logs of computer cracks, copies of conversations with all kinds of private information in them, and output of what seem to be keyloggers.
I decided to investigate further and wrote a small program which would watch the pastebin.com site for public pastes and download them all. See the end of the article for the source code.
These are some things I encountered. I have changed some details to protect the innocent.
A lot of pastes mention some WiFi adapter, followed by Windows INI-like configuration details, encoded passwords, etc. I'm not sure what or who pastes these, but it looks like some security is being attacked:
net4 Atheros AR9285 802.11b/g/n WiFi Adapter
[email@example.com]
password=jHCn3Viu2odSpO6as3KVCN9Chlg==
member=true
reward=Cash
[Eagleownager]
password=9bHZEoeeAb4EPrXD7uxrKskF6 UZ41QaCa
reward=Cash
Apparently there exists a keylogger out there which sends the data it captures to pastebin.com (and presumably the URL of the paste to some email address of the attacker). The window title of the app is between [brackets], and what the victim types into the app is on the line after that. You'll see passwords, emails and chats, and even special keys like [BACK] for Backspace.
[Jagex]:
[Graphics - Google Chrome]:
[RuneScape - The Number 1 Free Multiplayer Game - Google Chrome]:
sbiesaie11 imustthinkofyou <-- A Runescape login
[ashoofteh_2012 - Yahoo! Mail - Google Chrome]:
[Yahoo! Messenger]:
ashafteh_2012[TAB]sasymaukan <-- A Yahoo username/password login
[ritual - Buscar con Google - Google Chrome]:
tienda de piercing madrid hortaleza
[ritual tienda de piercing madrid hortaleza - Buscar con Google - Google Chrome]:
calle monta del cuerb[BACK]vo
[whats app - Buscar con Google - Google Chrome]:
wakeboard tabla
[wakeboard tabla - Buscar con Google - Google Chrome]:
[Wakeboard, comprar tabla, video, wakeshop, ba?adores, chaleco, neopreno, botas en WAKEADDICTION eco]:
[youtube.ocm - ?Google? paie?ka? ?Google Chrome?]:
youy[BACK]
[YouTube - ?Broadcast Yourself?.? ?Google Chrome?]:
ikalbasa rocks in dc server
Questionable logs with private information
Talk from shady alleys of the Internet.
Cyrus says:
*I would show you my current project partner's picture but... it's a little lewd x.x;;\
*I was naughty and well... I... hacked her... webcam...
*.-.;;....
Sam says:
*;o;..
Cyrus says:
*Then I took a screen shot for fap value x.x;;!
*'Cause the fap is worth it x.x;;!

vCaLLMeJaKe is available
12:56 am
Hello my name is Carolinda Joneson and i live at 403 Waterfowl Glenn Drive Tucson, TX 16063 hit me up my phone number is 117-205-8075 and i like police at my door... lots of em.
4h and 24m ago Comment
vCaLLMeJaKe 12:57 am
would you like to buy shells?
vCaLLMeJaKe 1:08 am
its hitting fine for me? Completed with 1619 (198.34 MB) packets averaging 134.92 packets per second huh i dont know why thats happening for you i'll snd you a screen shot if you want
Kyle RuNz YoU 1:09 am
http://www.hackforums.net/showthread.php?tid=1089957 niqqa u tyin to giv me public shells? wow
Kyle RuNz YoU 1:14 am
kid i think im older than u lmfao uMad?
These announcements are accompanied by wads of old-fashioned DOS-age 'ANSI ART'. They are lists of songs on CDs that can be downloaded from somewhere.
_________________________[ Release Info ]_________________________
Artist :: VA
Title :: LateNightTales: Mixed By Trentemuller
Catalognr :: ALNCD25
Grabber :: EAC
Encoder :: LAME
Quality :: VBRkbps / 44.1kHz / Joint-Stereo
Playtime :: 78:29 min
Size :: 123.70 MB
Released :: 27-05-2011

CD 1/1
1. This Mortal Coil - Waves Become Wings 2:01
2. Kid Congo & The Pink Monkey Birds - La Lliarona 3:23
3. The Black Angels - Science Killer 4:42
4. Chimes & Bells - The Mole (Trentemoeller Remix) 8:14
Lists and lists of web addresses with username:password pairs in front of them. Supposedly people like to swap these on pastebin.com?
...
http://chester:firstname.lastname@example.org/members/members01.html
http://middison:email@example.com/members/
http://bosri:firstname.lastname@example.org/members/index.html
http://jbK0qpAg:L8ze353gEPuLrvBg@www.asianpornlovers.com/members/
http://g78123e:T8912563@playgal.com/members/
...
This is the source code to the program I used to scrape these 'public pastes' from pastebin.com. Use at your own peril!
# Python 2 script; uses BeautifulSoup 3.
import BeautifulSoup
import urllib2
import time
import Queue
import threading
import sys
import datetime
import random
import os

pastesseen = set()      # paste ids already queued
pastes = Queue.Queue()  # paste ids waiting to be downloaded


def downloader():
    # Worker thread: fetch each queued paste and save it under pastebins/.
    while True:
        paste = pastes.get()
        fn = "pastebins/%s-%s.txt" % (paste, datetime.datetime.today().strftime("%Y-%m-%d"))
        content = urllib2.urlopen("http://pastebin.com/raw.php?i=" + paste).read()
        if "requesting a little bit too much" in content:
            # The site is rate limiting us: put the paste back and retry.
            print "Throttling... requeuing %s" % paste
            pastes.put(paste)
            time.sleep(0.1)
        else:
            with open(fn, "wt") as f:
                f.write(content)
            delay = 1.1  # random.uniform(1, 3)
            sys.stdout.write("Downloaded %s, waiting %f sec\n" % (paste, delay))
            time.sleep(delay)
        pastes.task_done()


def scraper():
    # Poll the front page ten times and queue every public paste not seen yet.
    scrapecount = 0
    while scrapecount < 10:
        html = urllib2.urlopen("http://www.pastebin.com").read()
        soup = BeautifulSoup.BeautifulSoup(html)
        ul = soup.find("ul", "right_menu")
        for li in ul.findAll("li"):
            # Chop off the leading / before the lookup, so the check uses
            # the same form of the id that is stored in pastesseen.
            href = li.a["href"][1:]
            if href in pastesseen:
                sys.stdout.write("%s already seen\n" % href)
            else:
                pastes.put(href)
                pastesseen.add(href)
                sys.stdout.write("%s queued for download\n" % href)
        delay = 12  # random.uniform(6,10)
        time.sleep(delay)
        scrapecount += 1


num_workers = 1
for i in range(num_workers):
    t = threading.Thread(target=downloader)
    t.setDaemon(True)
    t.start()

if not os.path.exists("pastebins"):
    os.mkdir("pastebins")  # Thanks, threecheese!

s = threading.Thread(target=scraper)
s.start()
s.join()
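Added example, not part of the original article (and written for Python 3, unlike the scraper above): a triage pass over downloaded pastes that flags the three leak shapes shown in the samples (keylogger dumps, INI-like password blocks, URLs with embedded user:password) and redacts the secrets before a copy is stored or forwarded. The regexes, thresholds, function names and sample pastes are assumptions constructed from the article's samples.

```python
import re

# Shapes taken from the article's samples; the thresholds are assumptions.
WINDOW_RE = re.compile(r"^\[[^\]]+\]:\s*$")  # "[window title]:" line
KEY_RE = re.compile(r"\[[A-Z]{2,}\]")        # special keys such as [BACK], [TAB]
INI_PW_RE = re.compile(r"^(\s*password\s*=\s*).+$", re.I)
URL_CRED_RE = re.compile(r"(https?://)[^/\s:@]+:[^/\s@]+@(?=[^/\s])")
THRESHOLD = {"keylogger_dump": 3, "ini_credentials": 2, "url_credentials": 2}

# Constructed sample pastes (not real data).
KEYLOG = ("[Example Mail - Sign in - Browser]:\nalice[TAB]not-a-real-pw\n"
          "[search - Browser]:\nweather tomorow[BACK][BACK]row\n"
          "[Example Chat]:\nhello there\n")
INI = ("net0 Example WiFi Adapter\n[alice@example.test]\npassword=Zm9vYmFy\n"
       "member=true\n[bob]\npassword=YmF6 cXV4\nreward=Cash\n")
URLS = ("http://alice:pw1@members.example.test/members/\n"
        "http://bob:pw2@www.example.test/members/index.html\n")


def classify(text):
    """Return {label: hit_count} for each leak shape that reaches its threshold."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    titles = sum(1 for ln in lines if WINDOW_RE.match(ln))
    keys = sum(len(KEY_RE.findall(ln)) for ln in lines if not WINDOW_RE.match(ln))
    hits = {"keylogger_dump": titles if keys else 0,  # titles alone are not enough
            "ini_credentials": sum(1 for ln in lines if INI_PW_RE.match(ln)),
            "url_credentials": sum(len(URL_CRED_RE.findall(ln)) for ln in lines)}
    return {label: n for label, n in hits.items() if n >= THRESHOLD[label]}


def redact(text):
    """Mask secrets so stored or forwarded copies hold no plaintext credentials."""
    keylog = "keylogger_dump" in classify(text)
    out = []
    for ln in text.splitlines():
        if keylog and ln.strip() and not WINDOW_RE.match(ln.strip()):
            out.append("<keystrokes redacted>")  # keep window titles only
        else:
            ln = INI_PW_RE.sub(r"\1<redacted>", ln)
            out.append(URL_CRED_RE.sub(r"\1<redacted>@", ln))
    return "\n".join(out)


if __name__ == "__main__":
    for paste in (KEYLOG, INI, URLS):
        print(classify(paste), redact(paste), sep="\n")
```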