Spamming Stopped by Pastebin

Labs Note

We have written multiple times about malware attacks that store their scripts on Pastebin.com and load them either onto the server once they break into it or directly into the infected web pages.

However, Pastebin.com can’t be called reliable hosting for malware. Anyone can report a paste, and it will be removed if Pastebin.com finds it unacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report it.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice, create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, our scanner recently found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.

Despite the .php extension, its content was pure HTML. The title of the page was “Pastebin.com – Page Removed” and the rest of the content was identical to what Pastebin.com returns when you request a removed or expired paste:

This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.

The code of the page contained the URL of the original paste: pastebin[.]com/HqhHiwSB. It was indeed removed. We found its original content in Google’s cache. It, as the filename implies, contained the code of a PHP script called “PRO Mailer V2” – a tool for sending out spam and phishing emails. It was uploaded on September 18, 2016 by someone in East Java, Indonesia, along with some other malicious scripts (shells, defacement, and spam tools).

If you ever come across a malicious campaign that actively uses Pastebin.com, please spend a few moments to report the pastes that it uses. You may help many people. If you ever need to publish some malicious (or suspicious) code on Pastebin.com or a similar service (e.g. because you found it on your site and need advice), please make it unexecutable by adding some comments at the top, or by making other obvious changes that would prevent it from being used in attacks directly off Pastebin.com. Also consider making such pastes private and setting them to expire after the shortest reasonable time.

If you find “Pastebin.com – Page Removed” files on your server, it’s a strong indication of a hack and you should investigate. Let us know if you need professional help.
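The check described above is easy to automate. The script below is an added example, not Sucuri’s scanner or any tooling from the post: it walks a web root, looks only at files with a PHP-like extension (the extension list is an assumption), and flags any whose content is the Pastebin “Page Removed” HTML quoted earlier. The sample web root it builds is constructed for the demonstration and mirrors the path from the post.

```python
import os
import re
import tempfile

# Markers Pastebin.com returns for a removed or expired paste (as quoted in the post).
# The title on the page uses an en dash; accept a plain hyphen as well.
REMOVED_TITLE_RE = re.compile(r"Pastebin\.com\s+[-\u2013]\s+Page Removed", re.IGNORECASE)
REMOVED_BODY_RE = re.compile(r"This page is no longer available", re.IGNORECASE)

# Assumed list of extensions the web server would hand to the PHP interpreter.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7"}


def is_removed_paste_page(data: bytes) -> bool:
    """Return True when the content looks like Pastebin's 'Page Removed' HTML."""
    text = data.decode("utf-8", errors="replace")
    return bool(REMOVED_TITLE_RE.search(text) or REMOVED_BODY_RE.search(text))


def find_dead_paste_dropouts(root: str):
    """Walk root and return PHP-extension files whose body is the removed-paste page.

    Such a file is a leftover of a Pastebin-hosted payload fetched after the paste
    was taken down: the downloader saved the error page under the script's name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the removed-paste page is small; no need to read more
            except OSError:
                continue
            if is_removed_paste_page(head):
                hits.append(path)
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed sample tree: one dropout file, one legitimate PHP file, one plain HTML file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    bad_dir = os.path.join(root, "skin", "adminhtml", "default", "kontools")
    os.makedirs(bad_dir)
    with open(os.path.join(bad_dir, "promailerv2.php"), "w", encoding="utf-8") as fh:
        fh.write("<!DOCTYPE html><html><head><title>Pastebin.com \u2013 Page Removed</title></head>"
                 "<body>This page is no longer available. It has either expired, been removed by "
                 "its creator, or removed by one of the Pastebin staff.</body></html>")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nrequire __DIR__ . '/app/bootstrap.php';\n")
    # Same wording but served as static HTML, so it is not executable and not flagged.
    with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>This page is no longer available.</body></html>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for hit in find_dead_paste_dropouts(sample_root):
        print("suspicious dropout file:", hit)
```

A hit is evidence of a downloader that ran on the server, so the file itself is not the finding to fix: treat it as a pointer to the injected code or backdoor that fetched it, and check access logs around the file’s modification time.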
