michielovertoom.com

Pastebin abused • 27 May 2011

I was looking at a snippet of code on the well-known paste site pastebin.com, when I noticed a list of 'public pastes'. I clicked a few, just out of curiosity, expecting to see some interesting program code snippets, but instead I stumbled upon some strange things, like logs of computer cracks, copies of conversations with all kinds of private information in them, and output of what seems to be keyloggers.

I decided to investigate further and wrote a small program which would watch the pastebin.com site for public pastes and download them all. See the end of the article for the source code.

These are some things I encountered. I have changed some details to protect the innocent.

Wifi Cracking

A lot of pastes mention some wifi adapter with Windows INI-like configuration details with them, and encoded passwords etc... I'm not sure what/who pastes these, but it looks like there is some security being attacked:

net4 Atheros AR9285 802.11b/g/n WiFi Adapter [eagle@eagle.com] password=jHCn3Viu2odSpO6as3KVCN9Chlg== member=true reward=Cash [Eagleownager] password=9bHZEoeeAb4EPrXD7uxrKskF6 UZ41QaCa reward=Cash

Keyloggers

Apparently there exist a keylogger out there which sends the data it captures to pastebin.com (and presumably the URL of the paste to some emailadress of the attacker). The window title of the app is between [brackets], and what the victim types into the app is on the line after that. You'll see passwords, emails and chats, and even special keys like [BACK] for Backspace.

[Jagex]: [Graphics - Google Chrome]: [RuneScape - The Number 1 Free Multiplayer Game - Google Chrome]: sbiesaie11 imustthinkofyou <-- A Runescape login [ashoofteh_2012 - Yahoo! Mail - Google Chrome]: [Yahoo! Messenger]: ashafteh_2012[TAB]sasymaukan <-- A Yahoo username/password login [ritual - Buscar con Google - Google Chrome]: tienda de piercing madrid hortaleza [ritual tienda de piercing madrid hortaleza - Buscar con Google - Google Chrome]: calle monta del cuerb[BACK]vo [whats app - Buscar con Google - Google Chrome]: wakeboard tabla [wakeboard tabla - Buscar con Google - Google Chrome]: [Wakeboard, comprar tabla, video, wakeshop, ba?adores, chaleco, neopreno, botas en WAKEADDICTION eco]: [youtube.ocm - ?Google? paie?ka? ?Google Chrome?]: youy[BACK] [YouTube - ?Broadcast Yourself?.? ?Google Chrome?]: ikalbasa rocks in dc server

Questionable logs with private information

Talk from shady alleys of the Internet.

Cyrus says: *I would show you my current project partner's picture but... it's a little lewd x.x;;\ *I was naughty and well... I... hacked her... webcam... *.-.;;.... Sam says: *;o;.. Cyrus says: *Then I took a screen shot for fap value x.x;;! *'Cause the fap is worth it x.x;;! vCaLLMeJaKe is available 12:56 am Hello my name is Carolinda Joneson and i live at 403 Waterfowl Glenn Drive Tucson, TX 16063 hit me up my phone number is 117-205-8075 and i like police at my door... lots of em. 4h and 24m ago Comment vCaLLMeJaKe 12:57 am would you like to buy shells? vCaLLMeJaKe 1:08 am its hitting fine for me? Completed with 1619 (198.34 MB) packets averaging 134.92 packets per second huh i dont know why thats happening for you i'll snd you a screen shot if you want Kyle RuNz YoU 1:09 am http://www.hackforums.net/showthread.php?tid=1089957 niqqa u tyin to giv me public shells? wow Kyle RuNz YoU 1:14 am kid i think im older than u lmfao uMad?

Ripped music

These announcements are accompagnied by wads of oldfashioned DOS-age 'ANSI ART', these are lists of songs on CD's that can be downloaded from somewhere.

_________________________[ Release Info ]_________________________ Artist :: VA Title :: LateNightTales: Mixed By Trentemuller Catalognr :: ALNCD25 Grabber :: EAC Encoder :: LAME Quality :: VBRkbps / 44.1kHz / Joint-Stereo Playtime :: 78:29 min Size :: 123.70 MB Released :: 27-05-2011 CD 1/1 1. This Mortal Coil - Waves Become Wings 2:01 2. Kid Congo & The Pink Monkey Birds - La Lliarona 3:23 3. The Black Angels - Science Killer 4:42 4. Chimes & Bells - The Mole (Trentemoeller Remix) 8:14

Porn collectors?

Lists and lists of web addresses with username:password pairs in front of them. Supposedly people like to swap these on pastebin.com?

... http://chester:landrover@sexycherrypie.com/members/members01.html http://middison:dairy@asianteens.com/members/ http://bosri:basilisk@fullpornpass.com/members/index.html http://jbK0qpAg:L8ze353gEPuLrvBg@www.asianpornlovers.com/members/ http://g78123e:T8912563@playgal.com/members/ ...

The code

This is the source code to the program I used to scrape these 'public pastes' from pastebin.com. Use at your own peril!

import BeautifulSoup import urllib2 import time import Queue import threading import sys import datetime import random import os pastesseen = set() pastes = Queue.Queue() def downloader(): while True: paste = pastes.get() fn = "pastebins/%s-%s.txt" % (paste, datetime.datetime.today().strftime("%Y-%m-%d")) content = urllib2.urlopen("http://pastebin.com/raw.php?i=" + paste).read() if "requesting a little bit too much" in content: print "Throttling... requeuing %s" % paste pastes.put(paste) time.sleep(0.1) else: f = open(fn, "wt") f.write(content) f.close() delay = 1.1 # random.uniform(1, 3) sys.stdout.write("Downloaded %s, waiting %f sec\n" % (paste, delay)) time.sleep(delay) pastes.task_done() def scraper(): scrapecount = 0 while scrapecount < 10: html = urllib2.urlopen("http://www.pastebin.com").read() soup = BeautifulSoup.BeautifulSoup(html) ul = soup.find("ul", "right_menu") for li in ul.findAll("li"): href = li.a["href"] if href in pastesseen: sys.stdout.write("%s already seen\n" % href) else: href = href[1:] # chop off leading / pastes.put(href) pastesseen.add(href) sys.stdout.write("%s queued for download\n" % href) delay = 12 # random.uniform(6,10) time.sleep(delay) scrapecount += 1 num_workers = 1 for i in range(num_workers): t = threading.Thread(target=downloader) t.setDaemon(True) t.start() if not os.path.exists("pastebins"): os.mkdir("pastebins") # Thanks, threecheese! s = threading.Thread(target=scraper) s.start() s.join()

Comments

renegade • 28 May 2011

Check out https://encrypted.google.com/search?hl=en&source=hp&biw=&bih=&q=%22BEGIN%20*%20PRIVATE%20KEY%20BLOCK%22 if you really want to be surprised. people postting their private keys on teh internets!

lol • 28 May 2011

god you're lame

blah • 28 May 2011

] presumably the URL of the paste to some emailadress of the attacker If they had the ability/ willingness to send email to the attacker, they would just send the contents of the paste and bypass pastebin entirely.

shut_the_fuck_up • 28 May 2011

jesus, shut up you fucking fag fag

jooj • 28 May 2011

I think it has always been like that. From the begining.

WhyTheAbusiveComments? • 28 May 2011

Why the abusive comments? Odd.

Harold • 28 May 2011

The bastards! And just look at how they're abusing tinypic -] [LINK REMOVED]

biff • 28 May 2011

grumpy anons flaming this post?

Carl • 28 May 2011

People have been abusing YouTube for a while as well. Here's an example: http://www.youtube.com/watch?v=dQw4w9WgXcQ

Rick • 29 May 2011

I came for the Rick Roll, and went away satisfied...

anon • 29 May 2011

Pastebin.com is a website where you can store text for a certain period of time. The website is mainly used by programmers to store pieces of sources code or configuration information, but anyone is more than welcome to paste any type of text. The idea behind the site is to make it more convenient for people to share large amounts of text online. http://pastebin.com/faq

Macuyiko • 29 May 2011

Your first example are not outputs from Wifi cracking. It's the contents of stolen "RSBot_Accounts.ini" files. These files get created by a popular Runescape bot. The reason why network card information is included is because the bot uses information from the network device (probably some part of the MAC address) to encrypt the password.

Special • 29 May 2011

Such high quality journalistic skills. Do you write for The Star? Gold medal at the special olympics.

threecheese • 29 May 2011

FYI line 58 s/b 'os.mkdir'.

Paul • 29 May 2011

Holy balls! You discovered the Internet!

anon • 29 May 2011

what's up with you haters? i found it interesting. thanks for the post.

LOL@hackerculture • 29 May 2011

WAAAAAAAAAAAAAAHHHHH, I WANT THE INTERNET TO BE A CRIME RIDDEN CESSPOOL, BECAUSE I'M A BRAINWASHED 15 YEAR OLD ANARCHIST THAT HATES MY PARENTS AND RELIGION. ANON IZ LEGIONZZZZZZZ LULLZZZZZZ. DOWN WITH AUTHORITIES WAAAAAAAAAAAAAAHH WAHHHHHHHHHH.

- • 29 May 2011

Define abuse.

Jeff Dupont • 29 May 2011

Interesting find, although nowhere near as peculiar as the amount of haters who left comments; was this supposed to be some kind of secret that you've *revealed*? For the key logger bit, I wonder why the programmer who wrote it didn't encrypt the data before storing it to a public site. Oh well. *Insert abusive comment*

Name • 29 May 2011

Interesting indeed and the abuse keeps going on. Those comments might indeed be meant to discourage you. Thank you for explaining and sharing this.

@Jeff • 29 May 2011

It's impossible to make criticisms of hacker culture anymore, as the culture has shifted further and further to the left to the point of embracing criminality in toto. Look at HN, reddit, and /.. The slightest whiff of anything resembling conservatism is met with outrage and derision. Meanwhile, criminality is set on a pedestal as "giving it to the man" e.g, the comments above complaining about this blog entry. The irony being of course that the hackers embracing criminality and left wing causes have been propagandized by the very elites that they supposedly rail against. Anon culture and hackers are now Cat's Paws for the international progressive left.

zaq • 29 May 2011

How about obfuscating the passwords so that the victims do get their data spread even further?

Michiel Overtoom • 29 May 2011

@zaq: As I wrote in the article, I have changed all names, passwords and other possibly private information in the examples.

axzc • 29 May 2011

paste 3 shows hackforums.net - eternal home of the script kiddies.

KKK • 29 May 2011

That's an amazing discovery! Have you thought of writing a paper on this?

Me • 29 May 2011

Nice post!

X • 29 May 2011

o_o http://i.imgur.com/BqHp5.jpg

http://is.gd/E9BhfM • 29 May 2011

@LOL@hackerculture: jamie hyneman voice

Aaron • 29 May 2011

@Jeff Nice diatribe...it was apropros of what?? Wait, you probably think restroom graffiti (or perhaps "restroom hacking") is a vast left wing conspiracy as well?

Melpomene • 29 May 2011

Here is the code with working intendation (after copypaste) http://pastebin.com/B1xGMPR8

Melpomene • 29 May 2011

I forked this and made it parse a I2P Pastebin (internet invisibility project www.i2p2.de). http://blog.kejsarmakten.se/all/software/2011/05/29/i2p-pastebin-parser.html

WTF@Jeff • 30 May 2011

@Jeff : What the fuck are you talking about?! Linking criminality with left-wing liberals as if the two were intertwined somehow. Jesus H Christ! Fucking Fox News idiot right there. I'd say it's more nihilistic tendencies, but then again, I'm not some dumbass who thinks it's the left-wing who are under some propaganda spell. "Look at HN, reddit, and /.. The slightest whiff of anything resembling conservatism is met with outrage and derision." Ha ha ha! You're on a roll. Let me guess... Palin 2012? Fuck me sideways!

anony • 30 May 2011

nice article, but you should have at least blurred out some of the passwords.

mrhinkydink • 30 May 2011

Pastebin and its ilk have always been a great source for "private" proxy lists. And other stuff, as you have demonstrated. But... it's always been that way. No big surprise.

Michiel Overtoom • 30 May 2011

@anony: That's what I did. I munged them a bit so they won't work.

@WTF@Jeff • 30 May 2011

Thank you. I couldn't have said it any better myself.

lolwat • 30 May 2011

loling at this script. u shud totally should make the pastebin filenames more safe. ..\..\..\..\windowslovesu.txt

anonymous • 31 May 2011

https://www.corelan.be/index.php/2011/03/22/pastenum-pastebinpastie-enumeration-tool/

wafter • 31 May 2011

My favorite comment here "It's impossible to make criticisms of hacker culture anymore, as the culture has shifted further and further to the left..." lol!

wtf • 1 Jun 2011

The keylogger was written by [Zero] and is called cyber-shark...it is available on hacker forum. It is not being detected by AV yet and has been around in current form since at least 3/10/11

brian • 20 Jun 2011

ive seen a few that are now pasting encrypted stop giving them ideas to be more abusive lol

chawker • 23 Jul 2011

LOL what a great discovery. You probably have wonders to unfold in the back of your refrigerator too.

China White • 4 Nov 2011

LOL chawker :)) Well Michael, then just imagine what's going on with the private pastes... It will blow your mind!!! :)

RedditPerson • 30 Dec 2011

I'm just shocked at all the anger in these comments. What just happened here? Did the author shed light on a "secret" that wannabe-hackers and/or immature kids have been using?

reddit_woman • 22 Mar

Oh no! How dare people abuse the holy temple that is Pastebin (peace be upon it)! Shame and shun ye all, evil vile coders and hackers!

Leave a comment

name (required)



content last edited on May 29, 2011, 08:46 - rendered in 2.72 msec