Pastebin: The remote backdoor server for the cheap and lazy

Malware writers are using the Pastebin web clipboard to host backdoor code, researcher Denis Sinegubko suggests. The code-sharing site was used to store code that was later tapped in attacks against websites running a vulnerable instance of the popular RevSlider plugin. Sinegubko, a Sucuri staffer known for his whitehat …

  1. Valeyard

    it has legit uses

    I've used pastebin for a lot of legitimate reasons

    Last week one of my apps was somehow tripping out my API with a new request, so just pointing the app to pastebin instead let me look at the (non-confidential) json code inside as it arrived so I could see exactly what the API saw without trawling through lots of server-side logs

    it's not just for anonymous to release statements on..

    1. Destroy All Monsters Silver badge

      You wascabby wabbit

      Please explain exactly why you use Pastebin for this instead of proper tooling.

      1. Valeyard

        Re: You wascabby wabbit

        it's a crappy game app that took about a week to make and is on the app store for free

        (I say this for other readers, I know from experience never to actually engage in a dialogue with you)

  2. JDX Gold badge

    wp_nonce_once

    Is that a real WP variable or part of the dodgy code?

    1. batfastad

      Re: wp_nonce_once

      Part of Wordpress, it's full of dodgy code.

  3. streaky

    Uhm.

    Speaking as the owner of a competitor site to pastebin, I've never heard so much trash in all my days.

    Blacklisting pastebin isn't the answer to any sort of problem.

    Firstly you'll note wordpress is the actual issue here (as described) - if you want to be worried about something be worried about the insecurity of your actual app. What happened there might not be relevant to your problems (it's extremely likely it isn't).

    Secondly what we're really talking about is the ability to both upload content and then fetch it from somewhere. Good luck with that particular game of whack-a-mole. What you're essentially saying is don't allow internet access of any sort. That might be a reality depending on the systems involved but there's no sensible half measures with this problem.

    1. Brewster's Angle Grinder Silver badge

      Re: Uhm.

      According to the article, the problem isn't Wordpress, it's the "popular RevSlider plugin". Blaming Wordpress for its plugins would be like blaming Microsoft for all the crappy software that runs...on...Windows—

      Oh.

    2. druck Silver badge

      Re: Uhm.

      Even my company, which winds its web filters up to 11 on the annoyance scale, isn't blocking pastebin.

    3. Ben Tasker Silver badge

      Re: Uhm.

      Firstly you'll note wordpress is the actual issue here (as described) - if you want to be worried about something be worried about the insecurity of your actual app. What happened there might not be relevant to your problems (it's extremely likely it isn't)

      Does seem odd doesn't it? The attacker has managed to execute arbitrary code in order to retrieve some other arbitrary code and execute it and the solution is block pastebin?

      There may be some logic to blocking it if you've absolutely no need for it - as it's (apparently) currently being commonly used as a low tech C&C you do at least block that route, but if enough people do block pastebin its use as a C&C will drop and the blocking becomes worthless.

    4. e^iπ+1=0

      Re: Uhm.

      "What you're essentially saying is don't allow internet access of any sort."

      Or, whitelist.
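The "whitelist" point above, as an added example that is not part of the thread: an egress check run over constructed proxy log lines that flags outbound fetches from web servers to any host not on an allowlist, so a paste site and an unknown IP are both caught without a per-site blocklist. The log format, the allowlist, the web-server addresses and the paste-site list are all assumptions for the example.

```python
import re

# Constructed sample proxy log lines (not real data):
# timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2014-12-01T10:00:01Z 10.0.2.15 GET https://updates.example.com/plugins/revslider.zip 200
2014-12-01T10:00:03Z 10.0.2.15 GET http://pastebin.com/raw.php?i=AbCdEf12 200
2014-12-01T10:00:05Z 10.0.3.7 GET https://api.example.com/v1/orders 200
2014-12-01T10:00:09Z 10.0.2.15 GET http://203.0.113.9/x.txt 404
"""

# Assumed allowlist: the only hosts a web server legitimately needs to reach.
ALLOWLIST = {"updates.example.com", "api.example.com"}
# Assumed set of web-server addresses, where outbound fetches are unexpected.
WEB_SERVERS = {"10.0.2.15"}
# Assumed list of clipboard/paste hosts, used only to label a hit, not to decide it.
PASTE_SITES = {"pastebin.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(url):
    """Extract the host part of an http(s) URL, dropping path, query and port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def egress_violations(log_text, allowlist=ALLOWLIST, web_servers=WEB_SERVERS):
    """Return (client, host, label) for each request a web server made to a
    host outside the allowlist; label is 'paste-site' or 'unknown-host'."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        if client not in web_servers:
            continue  # workstation traffic is out of scope for this check
        host = host_of(url)
        if host in allowlist:
            continue
        label = "paste-site" if host in PASTE_SITES else "unknown-host"
        hits.append((client, host, label))
    return hits


if __name__ == "__main__":
    for client, host, label in egress_violations(SAMPLE_LOG):
        print(f"{client} -> {host} [{label}]")
```

A blocklist of pastebin alone would pass the fetch from 203.0.113.9; the allowlist flags both.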

    5. Michael Wojcik Silver badge

      Re: Uhm.

      a competitor site to pastebin

      What web site isn't? The whole point of HTTP is retrieving data. Depending on payload size, decoder size, and amount of work the attacker wants to go through, the payload could be disguised as nearly anything on nearly any site.

      How many abandoned blogs are out there with unmonitored, open comment functions?

      Hell, just encode the payload as a GIF or PNG and stash it on an image-sharing site. (Other formats work as well, of course, but GIF and PNG are probably the simplest of the common image formats to work with.)

      This is clearly a low-hanging-fruit recommendation, but it does so little to prune the attack tree that it hardly seems worthwhile. I never use Pastebin, and I can't see much value in blocking it.

  4. adnim

    Any site

    where a user can store and retrieve data exactly as written can be used as part of an attack.

    Why single out Pastebin?

    Ahhhh... someone noticed the obvious, it being in plain/obfuscated/encrypted sight text

  5. FuzzyTheBear Silver badge

    it's useful

    Yes, there are legitimate uses for pastebin, especially when one's debugging and using IRC to chat with knowledgeable folks.. pasting 100 lines on an IRC channel is not the right idea, you post where people (not just one) but where a wide number of people can read and check (error logs, crash dumps etc) and that would be on pastebin and similar.

    Trying to kill their site is not the right idea. It will only make things worse for the lot of legitimate users and programmers that try to solve complex problems.

    But then again .. follow the money trail ..

  6. Stevie

    Bah!

    I'm shocked, SHOCKED to find etc etc etc.

  7. MissingSecurity

    The world doesn't revolve around development (sometimes :P)

    Firstly, to temper any dev who takes this the wrong way, blacklisting pastebin is a sad state of affairs, HOWEVER, even the dev communities understand piss poor coding is a problem and that not enough diligence has been done for secure coding.

    So looking at this from an InfoSec perspective, the question I would put to an organization is, are you confident in the quality of your apps to prevent this type of attack, and if not, this is a risk, and it can be mitigated by blocking pastebin.

    We all have ideas of how things should be, from the context of addressing this problem now, if you're susceptible to attack from pastebin codes, I'd say reducing that risk immediately by blocking pastebin is not a bad idea.

  8. Anonymous Coward

    Shirly if things have got to the pastebin stage then you've already been pwned?


Biting the hand that feeds IT © 1998–2022