Pastebin abused (michielovertoom.com)
171 points by lehmannro on May 28, 2011 | 50 comments

I thought everyone knew this. Pastebin hasn't been used seriously for pasting code snippets for years, everyone's moved to one of the (much) better pastebins. Here's just a few I can think of off the top of my head:






and http://rafb.net/paste/ before it was shut down

I always preferred http://pastie.org/ as it's the prettiest and most readable of the bunch. You can select from a good list of syntax highlighting color schemes, for instance (and they have Twilight and Vibrant Ink...)

Here's an example I found on their recent pastes page:


Go play with the Theme dropdown.

I wouldn't be so quick to dismiss Pastebin's legitimate uses. I see it get used all the time for sharing debug output and system logs (generally between systems where there isn't any other easy method of communication).

The other ones may be prettier but Pastebin has mindshare.

What do you mean by "mindshare"? It's not like there is any real community on those sites. For me most of them are completely interchangeable. The only exception is Gist, which has the advantage of version control.

Lots of people (that I know, anyway) know what Pastebin is, and don't know of any of the other, similar sites. If they need to paste some output, they type "pastebin.com" into their address bar and that's it.

I think pastebin is still a very good site for code pastes. I haven't seen a site which offers more features and functionality. Sure, if you just want a quick public anonymous post of some plain text, any will do. In my case pastebin.com is the only one I've found that had syntax highlighting for some of the more obscure languages I use (such as Go).

I'd also like to add http://ideone.com/

If you, like me, are still addicted to typing in 'rafb..': http://rafb.me/

Some of them sound downright sad: http://pastebin.com/v70Z85aC

Another I just saw was a keylog of someone changing their password after their Facebook account was flagged for suspicious activity. Obviously, they've got bigger problems.

Question: should I contact this person and tell them what happened?

(Thinking about it, it would be trivial to write a script that monitors for this kind of stuff, and e-mails the victim, or sends them a facebook message, explaining what happened. But, uh, seems like it might expose me to liability at worst, and angry reply emails at best.)

Could use an anonymous remailer.

I know, irregardless is not even a word!

Welcome to the internet, this is pretty old news. You want to see more interesting stuff? Next time you stumble upon an owned computer, try to follow where the network stack is leading to and you'll sometimes find IRC channels with really interesting mechanics and things in them to control these computers.

Interesting, do you know of any blog posts or articles that discuss these rooms, or more on how to do this? And I may be showing my out-of-touchness with black-hat culture, but I assume by "owned" computer, you mean one that's a botnet node?

Tip: botnet hunting is a perfect example of something you should not learn from a set of instructions on someone's blog. To do so would be a criminal sacrifice of an opportunity for joyous discovery and autodidacticism.

It's called botnet hunting for a reason. The thrill of the chase.

I'm really glad that I was 13 before the era where you could just go and get detailed instructions on every possible piece of knowledge, and before there were places like stackexchange where people scramble to answer your every question in seconds. Instead I had to spend hours, days and weeks doing this stuff from scratch, and without that, I doubt if I'd be paying the rent with computers right now.

Sorry if this sounds a bit condescending, I'm just trying to help people get the maximum utility from their time skulking around in virtual alleyways chasing criminals. Surely a noble aim? ;)

I'd say a good way to get started would be to install Windows XP on a machine, start downloading and installing pirated warez, then watch `netstat` or install Wireshark.

I would suggest two modifications to your plan: Using a VM (easier and fairly safe, very few viruses can break out of a VM), and getting the viruses some other way (I don't see that many in pirated material). One way that works is to follow the links next time a spambot hits a large IRC channel you're in.

Why is it considered an abuse?

Here is a description of what service pastebin provides: "Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time."

It doesn't make pastebin abused just because some internet individual thinks it is only for interesting source code.

It's possibly abuse because it's possibly used for illegal activities.

"just because some internet individual"

Your condescending tone implies undisclosed motives. I might be wrong, feel free to correct me.

Judging by the comments on the linked article, I'd say quite a few black-hats and crackers/etc are upset he's bringing this to light for those of us who were unaware.

This has been the case for a while. Anything you paste there will be seen by everyone + google. I did a simple pastebin for myself a while back that doesn't have a public directory - http://tinypaste.com - Also has code compilation built in, via codepad

I think you've missed the point. It's not interesting that public pastes are public; it's interesting that pastebin is being used as a dead drop.

There's a discussion in Cory Doctorow's "For The Win" (excellent novel, btw, download it today) of how to coordinate groups of anonymous activists online. A favorite tactic of the fictional activists in the book was to take over the comment thread of some arbitrary old blog post for a short period of time, using it as a chat channel.

Obviously, Pastebin works too.

Never thought about this. It's scary what even a basic search such as site:pastebin.com password username can return.

Have you tried searching for "site:pastebin.com mysql_connect"? That's even scarier. There are people that do post their database password and username publicly.

That is unlikely to matter - mysql and postgresql don't allow connections from outside of localhost by default on Ubuntu (and probably other unixes as well).

So really, yeah if you already have local access you can pwn the box, but you have pretty much done that already.

Seems like a logical step to me, especially for dodgy automated tools. Making your programs paste the illegal info in pastebin makes a lot of sense from a plausible deniability standpoint. "No sir, I didn't plant the bug there, I just found this log on a public website."

Pastebin's owner seems to not mind automated tools using the site ( http://stackoverflow.com/questions/833887/pastebin-api , comment on question ), so the only solution I see is a "report public paste" feature. But that would be near useless against the volume of computer generated content created. And worse yet, the address that pasted it is just another victim, so there's little hope going against it.

Though I really hope I'm wrong, pastebin is a great website.

I've seen things like that on pastebin for ages. I thought it was common knowledge that pastebin hosted that kind of content until today.

WARNING - don't click on the tinypic link in the comments

[Edit: not sure if the pic's fake or not, but it's a photo of the top halves of two corpses]

Thanks for the tip, I removed the link from that comment. It was a gruesome picture indeed, fake or not.

Real and recent. They were Libyan rebels.

If you could send the original link to (my first name) at (photobucket.com) I'll make sure it gets removed.

I forked the code in this article and made it parse a Pastebin site hosted on the I2P Darknet (http://i2p2.de). Expected to find a lot more stuff like this in a completely anonymous environment like I2P. But no, the anonymous people on I2P seem like a nice bunch.

Here is the code: http://blog.kejsarmakten.se/all/software/2011/05/29/i2p-past...

It's kind of rude not to edit out the usernames and passwords from his examples.

He states "I have changed some details to protect the innocent."

While I haven't tested any of the examples myself, I'd assume they're subtly munged.

I can confirm that the adult site passwords do not work.


This has been happening for a long time. I remember stumbling across an /etc/passwd file that was from a Yahoo! server a while ago.

I'm surprised they don't use asymmetric encryption to hide their tracks. It seems obvious to encrypt the contents using a public key before sending it to pastebin, so that only the attacker (or attackers) can decrypt it.

Two words: plausible deniability.

Makes me want to run google searches on all my passwords, just in case...

Don't do that: google might leak them somehow.

Welcome to the internet.

Well, pastebins are free, you can post anything there. If you don't want to see stuff like that, then DON'T CHECK OUT THE PUBLIC PASTES.

pastebin.com sucks. Use LodgeIt[] or Gist[].

[LodgeIt]: http://paste.pocoo.org/

[Gist]: http://gist.github.com/

This is why you always must remember to set good expiration settings and edit out any confidential content (like passwords or identifying chunks of code) when you use a pastebin.
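
An added example (not part of the thread or the linked article): a pre-paste scrubber that redacts the kinds of secrets this discussion mentions, namely `mysql_connect` credentials, password assignments and password-hash lines, before text is sent to a pastebin. The `scrub` function, the patterns and the sample text are constructed assumptions and not an exhaustive secret detector.

```python
import re

# Each rule: (label, compiled pattern, replacement). Patterns are illustrative
# assumptions chosen for this example; extend them for your own formats.
RULES = [
    # mysql_connect("host", "user", "pass"): keep the host, blank user and password
    ("mysql_connect credentials",
     re.compile(r"""(mysql_connect\s*\(\s*(['"]).*?\2\s*,\s*)(['"]).*?\3(\s*,\s*)(['"]).*?\5"""),
     r"\1'REDACTED'\4'REDACTED'"),
    # name = value / name: value where the name looks like a secret
    ("key=value secret",
     re.compile(r"(\w*(?:password|passwd|secret|api_?key|token)\w*)(\s*[:=]\s*)\S+", re.I),
     r"\1\2REDACTED"),
    # shadow-style line: user:$id$salt$hash:...
    ("shadow-style password hash",
     re.compile(r"^([^:\s]+):\$[0-9a-z]+\$[^:\s]+", re.M),
     r"\1:REDACTED"),
]

def scrub(text):
    """Return (redacted_text, findings); findings lists (rule label, hit count)."""
    findings = []
    for label, pattern, replacement in RULES:
        text, hits = pattern.subn(replacement, text)
        if hits:
            findings.append((label, hits))
    return text, findings

# Constructed sample input; none of these values are real.
SAMPLE = '''<?php
$link = mysql_connect("db.example.test", "webapp", "hunter2");
smtp_password = s3cr3t-value
alice:$6$CONSTRUCTED$notarealhash:15123:0:99999:7:::
echo "done";
'''

if __name__ == "__main__":
    clean, found = scrub(SAMPLE)
    print(clean)
    for label, hits in found:
        print(f"redacted {hits} x {label}")
```

An empty findings list only means none of these patterns matched, so the text still needs a read-through before it is pasted.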

Why is this news, hasn't this been the case since the very start? Any time I see a link to a pastebin site I always take a look at the public shares just to see what's up there and it's always filled with this stuff.

Thought this was going to be about the posting of the full version of that paywalled Wall Street Journal article on Iran's plans for its own internet. Thank god that's still okay.

No commenters? I guess they're all checking out whether the porn site passwords are actually valid.

Unfortunately, they're not.
