michielovertoom.com

Pastebin abused • 27 May 2011

I was looking at a snippet of code on the well-known paste site pastebin.com, when I noticed a list of 'public pastes'. I clicked a few, just out of curiosity, expecting to see some interesting program code snippets, but instead I stumbled upon some strange things, like logs of computer cracks, copies of conversations with all kinds of private information in them, and output of what seems to be keyloggers.

I decided to investigate further and wrote a small program which would watch the pastebin.com site for public pastes and download them all. See the end of the article for the source code.

These are some things I encountered. I have changed some details to protect the innocent.

Wifi Cracking

A lot of pastes mention a wifi adapter, followed by Windows INI-like configuration details with encoded passwords and so on. I'm not sure what or who pastes these, but it looks like some security is being attacked:

    net4 Atheros AR9285 802.11b/g/n WiFi Adapter
    [eagle@eagle.com]
    password=jHCn3Viu2odSpO6as3KVCN9Chlg==
    member=true
    reward=Cash
    [Eagleownager]
    password=9bHZEoeeAb4EPrXD7uxrKskF6 UZ41QaCa
    reward=Cash

Keyloggers

Apparently there exists a keylogger out there which sends the data it captures to pastebin.com (and presumably the URL of the paste to some email address of the attacker). The window title of the app is between [brackets], and what the victim types into the app is on the line after that. You'll see passwords, emails and chats, and even special keys like [BACK] for Backspace.

    [Jagex]:
    [Graphics - Google Chrome]:
    [RuneScape - The Number 1 Free Multiplayer Game - Google Chrome]:
    sbiesaie11 imustthinkofyou <-- A Runescape login
    [ashoofteh_2012 - Yahoo! Mail - Google Chrome]:
    [Yahoo! Messenger]:
    ashafteh_2012[TAB]sasymaukan <-- A Yahoo username/password login
    [ritual - Buscar con Google - Google Chrome]:
    tienda de piercing madrid hortaleza
    [ritual tienda de piercing madrid hortaleza - Buscar con Google - Google Chrome]:
    calle monta del cuerb[BACK]vo
    [whats app - Buscar con Google - Google Chrome]:
    wakeboard tabla
    [wakeboard tabla - Buscar con Google - Google Chrome]:
    [Wakeboard, comprar tabla, video, wakeshop, ba?adores, chaleco, neopreno, botas en WAKEADDICTION eco]:
    [youtube.ocm - ?Google? paie?ka? ?Google Chrome?]:
    youy[BACK]
    [YouTube - ?Broadcast Yourself?.? ?Google Chrome?]:
    ikalbasa rocks in dc server
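For anyone monitoring public pastes, the layout described above (a window-title line in brackets ending in a colon, typed text on the next line, special keys as upper-case tokens) is distinctive enough to triage on. The following is an added example, not code from the original post; the function names, thresholds and sample pastes are assumptions constructed for illustration.

```python
import re

# A captured window title fills a whole line as "[...]:" (the trailing colon is
# what separates it from an INI section header such as "[section]").
TITLE_LINE = re.compile(r"^\[[^\[\]]+\]:$")
# Special keys written inline by the logger, e.g. [BACK] or [TAB].
KEY_TOKEN = re.compile(r"\[[A-Z]{2,12}\]")

# Constructed sample pastes (no real data).
KEYLOG_SAMPLE = """[Inbox - Example Mail - Browser]:
[Example Messenger]:
user_one[TAB]not-a-real-password
[search - Browser]:
hello wrold[BACK][BACK][BACK][BACK]orld
"""
INI_SAMPLE = """[database]
host=localhost
[cache]
ttl=300
[logging]
level=INFO
"""
CODE_SAMPLE = 'keys = ["[TAB]", "[BACK]"]\nprint(keys[0])\n'


def keylog_features(text):
    """Count the structural markers of the log layout in one paste."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    titles = sum(1 for ln in lines if TITLE_LINE.match(ln))
    typed = [ln for ln in lines if not TITLE_LINE.match(ln)]
    keys = sum(len(KEY_TOKEN.findall(ln)) for ln in typed)
    return {"lines": len(lines), "titles": titles, "key_tokens": keys}


def looks_like_keylog(text, min_titles=3, min_title_ratio=0.3):
    """Flag a paste for human review when window-title lines dominate it.

    The thresholds are assumptions for this example, not measured values.
    """
    f = keylog_features(text)
    if f["lines"] == 0 or f["titles"] < min_titles:
        return False
    ratio = f["titles"] / f["lines"]
    # Special-key tokens corroborate the guess, so a lower ratio is accepted
    # when at least one is present.
    return ratio >= min_title_ratio or (
        f["key_tokens"] > 0 and ratio >= min_title_ratio / 2
    )


if __name__ == "__main__":
    for name, sample in [("keylog", KEYLOG_SAMPLE), ("ini", INI_SAMPLE),
                         ("code", CODE_SAMPLE)]:
        print(name, keylog_features(sample), looks_like_keylog(sample))
```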

Questionable logs with private information

Talk from shady alleys of the Internet.

    Cyrus says:
    *I would show you my current project partner's picture but... it's a little lewd x.x;;\
    *I was naughty and well... I... hacked her... webcam...
    *.-.;;....
    Sam says:
    *;o;..
    Cyrus says:
    *Then I took a screen shot for fap value x.x;;!
    *'Cause the fap is worth it x.x;;!

    vCaLLMeJaKe is available 12:56 am
    Hello my name is Carolinda Joneson and i live at 403 Waterfowl Glenn Drive Tucson, TX 16063 hit me up my phone number is 117-205-8075 and i like police at my door... lots of em.
    4h and 24m ago Comment
    vCaLLMeJaKe 12:57 am
    would you like to buy shells?
    vCaLLMeJaKe 1:08 am
    its hitting fine for me?
    Completed with 1619 (198.34 MB) packets averaging 134.92 packets per second
    huh i dont know why thats happening for you i'll snd you a screen shot if you want
    Kyle RuNz YoU 1:09 am
    http://www.hackforums.net/showthread.php?tid=1089957
    niqqa u tyin to giv me public shells? wow
    Kyle RuNz YoU 1:14 am
    kid i think im older than u lmfao uMad?

Ripped music

These announcements are accompanied by wads of old-fashioned DOS-age 'ANSI ART'. They are lists of songs on CDs that can be downloaded from somewhere.

    _________________________[ Release Info ]_________________________
    Artist :: VA
    Title :: LateNightTales: Mixed By Trentemuller
    Catalognr :: ALNCD25
    Grabber :: EAC
    Encoder :: LAME
    Quality :: VBRkbps / 44.1kHz / Joint-Stereo
    Playtime :: 78:29 min
    Size :: 123.70 MB
    Released :: 27-05-2011

    CD 1/1
    1. This Mortal Coil - Waves Become Wings 2:01
    2. Kid Congo & The Pink Monkey Birds - La Lliarona 3:23
    3. The Black Angels - Science Killer 4:42
    4. Chimes & Bells - The Mole (Trentemoeller Remix) 8:14

Porn collectors?

Lists and lists of web addresses with username:password pairs in front of them. Supposedly people like to swap these on pastebin.com?

    ...
    http://chester:landrover@sexycherrypie.com/members/members01.html
    http://middison:dairy@asianteens.com/members/
    http://bosri:basilisk@fullpornpass.com/members/index.html
    http://jbK0qpAg:L8ze353gEPuLrvBg@www.asianpornlovers.com/members/
    http://g78123e:T8912563@playgal.com/members/
    ...
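Credentials in these lists sit in the userinfo part of the URL (user:password@host), so anyone who archives or republishes such pastes can strip them mechanically first. The following is an added example, not code from the original post; the function name, the REDACTED marker and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate tokens: scheme://...@... up to the next whitespace. Assumption for this
# example: URLs in a paste are separated by whitespace.
URL_WITH_AT = re.compile(r"\b(?:https?|ftp)://[^\s/@]+@\S+", re.IGNORECASE)

# Constructed sample text (no real hosts or credentials).
SAMPLE = (
    "http://alice:s3cret@members.example/members/index.html\n"
    "ftp://bob:p@ss@files.example:2121/pub\n"
    "http://example.org?next=a@b\n"
    "contact carol@example.net\n"
)


def redact_url_credentials(text):
    """Return (redacted_text, number_of_urls_changed)."""
    changed = 0

    def redact(match):
        nonlocal changed
        url = match.group(0)
        try:
            parts = urlsplit(url)
        except ValueError:
            # Malformed authority (e.g. broken IPv6 brackets): hide the whole token.
            changed += 1
            return "[REDACTED-URL]"
        if parts.username is None:
            # The "@" was in the query or fragment, not in the authority.
            return url
        # Keep host and port exactly as written; drop user name and password.
        # rpartition matches how urlsplit treats a password containing "@".
        hostport = parts.netloc.rpartition("@")[2]
        changed += 1
        return urlunsplit(parts._replace(netloc="REDACTED@" + hostport))

    return URL_WITH_AT.sub(redact, text), changed


if __name__ == "__main__":
    redacted, n = redact_url_credentials(SAMPLE)
    print(redacted)
    print("urls changed:", n)
```

Plain e-mail addresses and an "@" inside a query string are left alone, because only the authority component of a URL with a scheme is treated as carrying credentials.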

The code

This is the source code to the program I used to scrape these 'public pastes' from pastebin.com. Use at your own peril!

    import BeautifulSoup  # BeautifulSoup 3 (Python 2)
    import urllib2
    import time
    import Queue
    import threading
    import sys
    import datetime
    import random
    import os

    pastesseen = set()  # paste ids that have already been queued
    pastes = Queue.Queue()  # paste ids waiting to be downloaded

    def downloader():
        while True:
            paste = pastes.get()
            fn = "pastebins/%s-%s.txt" % (paste, datetime.datetime.today().strftime("%Y-%m-%d"))
            content = urllib2.urlopen("http://pastebin.com/raw.php?i=" + paste).read()
            if "requesting a little bit too much" in content:
                print "Throttling... requeuing %s" % paste
                pastes.put(paste)
                time.sleep(0.1)
            else:
                f = open(fn, "wt")
                f.write(content)
                f.close()
            delay = 1.1 # random.uniform(1, 3)
            sys.stdout.write("Downloaded %s, waiting %f sec\n" % (paste, delay))
            time.sleep(delay)
            pastes.task_done()

    def scraper():
        scrapecount = 0
        while scrapecount < 10:
            html = urllib2.urlopen("http://www.pastebin.com").read()
            soup = BeautifulSoup.BeautifulSoup(html)
            ul = soup.find("ul", "right_menu")
            for li in ul.findAll("li"):
                href = li.a["href"][1:] # chop off leading / before the lookup, so it matches what is stored
                if href in pastesseen:
                    sys.stdout.write("%s already seen\n" % href)
                else:
                    # first sighting: queue it for the downloader and remember it
                    pastes.put(href)
                    pastesseen.add(href)
                    sys.stdout.write("%s queued for download\n" % href)
            delay = 12 # random.uniform(6,10)
            time.sleep(delay)
            scrapecount += 1

    num_workers = 1
    for i in range(num_workers):
        t = threading.Thread(target=downloader)
        t.setDaemon(True)
        t.start()

    if not os.path.exists("pastebins"):
        os.mkdir("pastebins") # Thanks, threecheese!

    s = threading.Thread(target=scraper)
    s.start()
    s.join()

Comments

renegade • 28 May 2011

Check out https://encrypted.google.com/search?hl=en&source=hp&biw=&bih=&q=%22BEGIN%20*%20PRIVATE%20KEY%20BLOCK%22 if you really want to be surprised. people posting their private keys on teh internets!

lol • 28 May 2011

god you're lame

blah • 28 May 2011

> presumably the URL of the paste to some email address of the attacker

If they had the ability/willingness to send email to the attacker, they would just send the contents of the paste and bypass pastebin entirely.

shut_the_fuck_up • 28 May 2011

jesus, shut up you fucking fag fag

jooj • 28 May 2011

I think it has always been like that. From the beginning.

WhyTheAbusiveComments? • 28 May 2011

Why the abusive comments? Odd.

Harold • 28 May 2011

The bastards! And just look at how they're abusing tinypic -> [LINK REMOVED]

biff • 28 May 2011

grumpy anons flaming this post?

Carl • 28 May 2011

People have been abusing YouTube for a while as well. Here's an example: http://www.youtube.com/watch?v=dQw4w9WgXcQ

Rick • 29 May 2011

I came for the Rick Roll, and went away satisfied...

anon • 29 May 2011

Pastebin.com is a website where you can store text for a certain period of time. The website is mainly used by programmers to store pieces of sources code or configuration information, but anyone is more than welcome to paste any type of text. The idea behind the site is to make it more convenient for people to share large amounts of text online. http://pastebin.com/faq

Macuyiko • 29 May 2011

Your first example is not output from Wifi cracking. It's the contents of stolen "RSBot_Accounts.ini" files. These files get created by a popular Runescape bot. The reason why network card information is included is because the bot uses information from the network device (probably some part of the MAC address) to encrypt the password.

Special • 29 May 2011

Such high quality journalistic skills. Do you write for The Star? Gold medal at the special olympics.

threecheese • 29 May 2011

FYI line 58 s/b 'os.mkdir'.

Paul • 29 May 2011

Holy balls! You discovered the Internet!

anon • 29 May 2011

what's up with you haters? i found it interesting. thanks for the post.

LOL@hackerculture • 29 May 2011

WAAAAAAAAAAAAAAHHHHH, I WANT THE INTERNET TO BE A CRIME RIDDEN CESSPOOL, BECAUSE I'M A BRAINWASHED 15 YEAR OLD ANARCHIST THAT HATES MY PARENTS AND RELIGION. ANON IZ LEGIONZZZZZZZ LULLZZZZZZ. DOWN WITH AUTHORITIES WAAAAAAAAAAAAAAHH WAHHHHHHHHHH.

- • 29 May 2011

Define abuse.

Jeff Dupont • 29 May 2011

Interesting find, although nowhere near as peculiar as the amount of haters who left comments; was this supposed to be some kind of secret that you've *revealed*? For the key logger bit, I wonder why the programmer who wrote it didn't encrypt the data before storing it to a public site. Oh well. *Insert abusive comment*

Name • 29 May 2011

Interesting indeed and the abuse keeps going on. Those comments might indeed be meant to discourage you. Thank you for explaining and sharing this.

@Jeff • 29 May 2011

It's impossible to make criticisms of hacker culture anymore, as the culture has shifted further and further to the left to the point of embracing criminality in toto. Look at HN, reddit, and /.. The slightest whiff of anything resembling conservatism is met with outrage and derision. Meanwhile, criminality is set on a pedestal as "giving it to the man" e.g, the comments above complaining about this blog entry. The irony being of course that the hackers embracing criminality and left wing causes have been propagandized by the very elites that they supposedly rail against. Anon culture and hackers are now Cat's Paws for the international progressive left.

zaq • 29 May 2011

How about obfuscating the passwords so that the victims do get their data spread even further?

Michiel Overtoom • 29 May 2011

@zaq: As I wrote in the article, I have changed all names, passwords and other possibly private information in the examples.

axzc • 29 May 2011

paste 3 shows hackforums.net - eternal home of the script kiddies.

KKK • 29 May 2011

That's an amazing discovery! Have you thought of writing a paper on this?

Me • 29 May 2011

Nice post!

X • 29 May 2011

o_o http://i.imgur.com/BqHp5.jpg

http://is.gd/E9BhfM • 29 May 2011

@LOL@hackerculture: jamie hyneman voice

Aaron • 29 May 2011

@Jeff Nice diatribe...it was apropos of what?? Wait, you probably think restroom graffiti (or perhaps "restroom hacking") is a vast left wing conspiracy as well?

Melpomene • 29 May 2011

Here is the code with working indentation (after copypaste) http://pastebin.com/B1xGMPR8

Melpomene • 29 May 2011

I forked this and made it parse an I2P Pastebin (internet invisibility project www.i2p2.de). http://blog.kejsarmakten.se/all/software/2011/05/29/i2p-pastebin-parser.html

WTF@Jeff • 30 May 2011

@Jeff : What the fuck are you talking about?! Linking criminality with left-wing liberals as if the two were intertwined somehow. Jesus H Christ! Fucking Fox News idiot right there. I'd say it's more nihilistic tendencies, but then again, I'm not some dumbass who thinks it's the left-wing who are under some propaganda spell. "Look at HN, reddit, and /.. The slightest whiff of anything resembling conservatism is met with outrage and derision." Ha ha ha! You're on a roll. Let me guess... Palin 2012? Fuck me sideways!

anony • 30 May 2011

nice article, but you should have at least blurred out some of the passwords.

mrhinkydink • 30 May 2011

Pastebin and its ilk have always been a great source for "private" proxy lists. And other stuff, as you have demonstrated. But... it's always been that way. No big surprise.

Michiel Overtoom • 30 May 2011

@anony: That's what I did. I munged them a bit so they won't work.

@WTF@Jeff • 30 May 2011

Thank you. I couldn't have said it any better myself.

lolwat • 30 May 2011

loling at this script. u shud totally should make the pastebin filenames more safe. ..\..\..\..\windowslovesu.txt
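The filename concern raised in the comment above applies because the script builds its output path from an href scraped off a remote page. The following is an added example, not part of the comment or of the original script, showing one way to validate that value before it reaches the filesystem; the function names are hypothetical, and the id alphabet is an assumption based on the "B1xGMPR8" id linked on this page.

```python
import os
import re

# Assumption for this example: paste ids are short and purely alphanumeric.
# fullmatch() is used below so a trailing newline or NUL cannot slip through.
PASTE_ID = re.compile(r"[A-Za-z0-9]{1,32}")


def safe_paste_path(base_dir, href, date_str):
    """Map a scraped href to a file inside base_dir, or raise ValueError."""
    paste_id = href[1:] if href.startswith("/") else href
    if not PASTE_ID.fullmatch(paste_id):
        raise ValueError("unexpected paste id: %r" % href)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(
        os.path.join(base, "%s-%s.txt" % (paste_id, date_str))
    )
    # Defence in depth: even with a validated id, confirm the resolved path
    # (symlinks included) still lies under base_dir.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, href))
    return path


def is_safe_href(href, base_dir="pastebins", date_str="2011-05-29"):
    """Convenience wrapper: True when the href maps to a path inside base_dir."""
    try:
        safe_paste_path(base_dir, href, date_str)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one well-formed id and several hostile or malformed ones.
    for candidate in ["/B1xGMPR8",
                      "..\\..\\..\\..\\windowslovesu.txt",
                      "/../../etc/passwd",
                      "/B1xGMPR8\n",
                      ""]:
        print(repr(candidate), is_safe_href(candidate))
```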

anonymous • 31 May 2011

https://www.corelan.be/index.php/2011/03/22/pastenum-pastebinpastie-enumeration-tool/

wafter • 31 May 2011

My favorite comment here "It's impossible to make criticisms of hacker culture anymore, as the culture has shifted further and further to the left..." lol!

wtf • 1 Jun 2011

The keylogger was written by [Zero] and is called cyber-shark...it is available on hacker forum. It is not being detected by AV yet and has been around in current form since at least 3/10/11

brian • 20 Jun 2011

ive seen a few that are now pasting encrypted stop giving them ideas to be more abusive lol

chawker • 23 Jul 2011

LOL what a great discovery. You probably have wonders to unfold in the back of your refrigerator too.

China White • 4 Nov 2011

LOL chawker :)) Well Michael, then just imagine what's going on with the private pastes... It will blow your mind!!! :)

RedditPerson • 30 Dec 2011

I'm just shocked at all the anger in these comments. What just happened here? Did the author shed light on a "secret" that wannabe-hackers and/or immature kids have been using?

reddit_woman • 22 Mar

Oh no! How dare people abuse the holy temple that is Pastebin (peace be upon it)! Shame and shun ye all, evil vile coders and hackers!

surgesurfer • 26 Mar

how do the other pastebins do this?

pastemonitor • 26 Mar

If the content posted on Pastebin is of interest, I built a more general tool for monitoring public pastes that go through it. www.pastemonitor.com lets you watch for specific terms and optionally get alerts when they're found in new public pastes.


content last edited on May 29, 2011, 08:46