Search Form

How Hackers Are Using Google To Pwn Your Site

Google HackingAs most of you know a few months back my site was hacked. What many people dont know is that was actually the first of 2 times the box was hacked. The first time the box was hacked I had made the mistake of making the web files on the server writeable by the web server. Again being this server (that my blog sits on) is not used for hardly any commercial activity I was a lot less security focus then something I would call “production” ready. I implemented mod_security and some other logging tools aswell as offloaded the server logs to a different server (yea the logs were owned by the apache user also).

So basically when I got owned the person found a file on my server that was web accessible which then he could execute commands on behalf of the web user. Now because the files and log files were owned by this user he could write to them and even delete them. Lucky for me this guy just wanted to put up his Turkish political statement and try to infect his virus to people. So all he did was do a search on the box for any index.* files and copied his index file to over write them. Then he also deleted all files matching *log. So it was pretty obvious how the person did it but I was not sure what file was the hole in my system. This is the point where you have to weigh catching the hacker vs running a box that has been compromised. Since I really only have blogs and a few low traffic forums running on this box I thought it would be a good chance to see what was vulnerable.

So I installed mod_security and ran it pretty hardcore. Over the next couple weeks I learned more about adjusting its rulesets to allow possibly exploitable code but log it. Nothing happened for many weeks then one morning I got a page that my box was not responding. I quickly attached to my remote server via its DRAC card (Dell Remote Access). The DRAC card lets me take control of the server as if I was sitting right infront of it. I could see the box was sitting in a “kernel panic” mode and that it had crashed. I rebooted the box remotely but kept most services down so I could investigate what had happened.

Sure enough I figured out that the hacker had been back and downloaded some files to the /tmp directory (which was world writeable). Only this time I had changed ownership of all index.* files so they could not write to them. I guess they realized that in order to take over my web server he was going to need to be a bit more aggressive so he downloaded a rootkit to my tmp directory then tried to run it but fortunately for me that made the kernel panic and the server was in a frozen crashed state.

I was able to figure this out and also exactly what file they used to execute commands on my box very quickly because it was pretty much the last thing in the weblogs before the box crashed. (yay!)

So now here is where it gets interesting…. Now that I had figured out how the person was hacking into my box I was curious how in the hell the person found the file. It was in a subdirectory that I had not used in YEARS. There was no link to it from anywhere on my site. The directory structure it was in was like … html/oldforums/oldstuff/badfile.php . How in the hell did this person find this file? Well after going through the logs greping for the ip range that hacked my box I found that the person found my site from Google! Specifically using Google code search. Now while this was interesting it still did not explain how the page was even indexed…. ohh wait I use Google Sitemaps and I had it on to index everything (the default setting) OUPS!!

Now to be honest… this is my fault. I in no way blame Google what so ever. I had old exploitable code on my server and I told sitemaps to index it so… my fault.

I have since been working with the sitemaps team and I had some suggestions to leave some files off by default (like .inc .func) or only allow common web files with extensions like .php .html .asp etc… I hope they do this cause as sitemaps gets more popular its only going to expose more idiot webmasters like me that run with the default settings.

Ok so just for shits I thought I would do some querys on Google Code Search to see what kind of exploits I could find. Now keep in mind this probably will not show your site but it will show code and versions that you might be running… so once someone locates a exploitable version of code they then could just search for “Powered By X” or whatever fingerprint you could put on the exploitable program/version.

Hmm I wonder If we could find some xss exploits…

lang:php (ECHO|PRINT) .*\$_(GET|POST|COOKIE|REQUEST|FILES)

100,000+ results

How About some SQL Injection exploits?

lang:php query\(.*\$_(GET|POST|COOKIE|REQUEST|FILES).*\)

3000 results

hrmm I wonder how easy it is to find host,user,pass for mysql databases…. Lets try:

lang:php mysql_connect\((”|’)[a-zA-Z0-9_.]+(”|’),(”|’)[a-zA-Z0-9]+(”|’) -localhost -127.0.0.1 -192.168

100 results found.

This query might be a little puzzling for those that are not Google ninjas like me so.. I will explain. Basically we are checking for anything that ends in .php extension. Then we search the file for mysql_connect. If it contains Mysql we look for the pattern of a connection string. lastly we use the minus sign to get rid of all localhost databases (cause we cant access them).

So did we find anything interesting? Well…

Lets just look at the first 10 results:

www.ubio.org/downloads/XID.TAR.gz – Unknown License – PHP
connect.php

$connection = mysql_connect(”RANSOM”,”GlobalWebUser”,”goober8″) or die(”Couldn’t connect.”);
$db_name = “dwf”;

Now in this case RANSOM is probably a local box…

ohh whats this:

$f = mysql_connect(”zeus.mbl.edu”,”tns”,”");
if (empty($limit)) $limit=50;

hrmm intersting….

more?

$db=mysql_connect(”62.149.150.11″,”Sql43254″,”M9dKTz3M”);
$selezione=mysql_select_db(”Sql43254_4″, $db);

I can post tons of other examples but I think I have made my point. Watch your logs for people coming from google code search and always make sure your running the latest version of your software.

Also keep in mind my searchers were only looking for .php files. This is a small percentage of all the different languages and filetypes out there.

Be scared. Be very scared.



Please read this disclaimer before acting on this post.
  • 170 comments. What say you?
    • RSS

Who's talking about it?

  1. Die Google-Codesuche und die Hacker | WebmasterCoffee-Blog
  2. Blackhat SEO
  3. Google services | milo
  4. Algunos tutoriales del PHP|Tek 2007 en PHPBSD.net
  5. WebProBlog - Internet Business and Marketing Trends» Blog Archive » Using Google As A Hacking Tool
  6. Fat Mobil Content » xmen tickets free How Hackers Are Using Google To Pwn Your Site
  7. All in a days work…
  8. How safe is your site? - WickedFire - Internet Marketing Affiliate Webmaster Forum
  9. links for 2006-12-27 » Whatever’s Interesting
  10. Web Militant SEO » Blog Archive » Google’s Site Vulnerability Search
  11. Guardian Unlimited: Technology
  12. SEM - Road to Riches » Posts » Google Ninjology
  13. A Day in the Life » Blog Archive » Another Reason Why I’m Not a Big Digg Fan
  14. Insanity On Stage » Archiv » links for 2006-12-28
  15. Cartoons Fans Lounge
  16. On The Rocks :: How Hackers Are Using Google To Pwn Your Site :: December :: 2006
  17. blog » Blog Archiv » Hacken leicht gemacht - dank Google - Solvium.de
  18. Quick Links 27 December 2006 at r9Studio tech LOG
  19. 硅谷�客
  20. Usando Google para encontrar sitios vulnerables » Internet Marketing MX
  21. edgeblog » Daily Links 12/27
  22. Websites Explained! » How hackers can use Google to hack your site
  23. writing secure PHP code | Phine Solutions
  24. Matthew R Williams » A reminder to secure your web servers
  25. How Hackers Are Using Google To Pwn Your Site « johnboy’s gnu/linux planet
  26. How Hackers Are Using Google To Pwn Your Site at innerangst.net
  27. Trip Hop Clan » Blog Archive » Nice intro on using Google to secure a website
  28. Basement Tapes » How Hackers Are Using Google To Pwn Your Site
  29. Free security advice » Blog Archive » Google helps to hack our websites
  30. IndianPad
  31. How Hackers Are Using Google To Pwn Your Site « Digged Stories
  32. How Hackers Are Using Google Code To Hack Your Site « Open Source and SEO
  33. Sheeped :: Google can be used to compromise insecure sites

Comments

  1. Design your own custom clothing

    Being hacked sucks so bad. Was hacked once and the guy deleted my site ;S Wasnt a profit site but one of my first ones and it really sucked. Security is one of the most important things for websites.

  2. gurtey

    i also think hackers use google code search…now here webmaster’s must be very careful !

  3. J Stafford

    Valuable info…what is really going on

  4. TheBlogISMine

    It’s a great article. Hacking is being increased these days, can anyone suggest a good WP plugin to keep your WP Blog safe???

  5. xxxfiles

    give me the tutorial all about web wurnelrable search tips please.!! thanks..!! Gracias.!

  6. Doolang

    Nice Google querys shoe , hackers are such a pain these days

  7. Aditya Iphone

    This is very serious article. Hacking is increased these days, can anyone suggest a good plugin to keep your wordpress safe???

  8. jim

    Sorry to hear, i currently got someone messing with my things and in my opinion these people need a hobby! Be warned, we will find you like Shoe did! Turn the Comp off and go outside once in awhile :)

  9. Jane Seymour

    [...]Thanks for sharing your work with us! Your theme is just awesome![...]

  10. MichaelM

    Cheap celphones in our store, cool price etc., many articles – best price, Samsung, Nokia and Motorola

  11. Keyifkafe

    Can you please post some links or websites that talk about more google searching techinques.

  12. idontknowhowtomarketdotcom

    Wow, it was somebody who was jealous… Maybe another blogger.

    Shannon

  13. Quit The Day Job

    At what point did you realize you were a genius? lol

  14. payday

    SQl injection is a cool hack you can shutdown the server just by entering ’shutdown–

    I found this problem at my last job
    hope I don’t shutdown you sql server

  15. appleare

    australia right this busy

  16. xashruak

    Air travel has become a major part of our society, with industries and individuals depending on air transport for their livelihood. But have you ever wondered what happens to the artifacts of our airborne culture when they’re no longer needed? More..
    xrtst303a

  17. coderbari

    Hmm!! Google Ninja!! Never heard this term before. anyway, those are really great queries. Thanks for posting them.

  18. Dark Fall

    Hm…I love Google so much and dont love hackers.

  19. Hiendgadget

    Nice tricks :D

  20. Hiendgadget

    That nice tricks :D

  21. Websites Hacked

    Increasingly worrisome problem this hacking thing
    Seems that there is a wordpress plugin that akes those blogs vulnerable but thee truth is any site is vulnerable
    Vigilance may be recommended if you have one or two sites but what happens when you have a hundred sites?!*

  22. izu mou

    Some people are using the wickness of search engine to exploit people,Thanks for the insight,sorry for the hacking of your blog.

  23. wolverine

    that was shocking dude…

  24. wolverine

    that was shocking man… i never knew this

  25. Ganesh

    I just don’t understand this coding stuff. Can you please explain it in human jargon? No offense meant. I wondered whether you can tell me a simple solution in plain words? :P

  26. Josten

    i swear google is doing a bit to much with makin stuff so easily accessible.

  27. ways to earn online

    Very interesting post. Hackers are everywhere seem like. Glad you could catch on to him. This is scary though. Makes me wonder….

  28. letterallcle

    day key global land stay university

  29. poor jokes

    thnx god ur site is up or i wont hav found a good blogger lyk u

  30. SEO Tricks

    Thanks for sharing those tips..
    I tried everything to secure my website

  31. Dunc

    I just tried the last search that you posted and spotted a couple of interesting things.

    Firstly, all the results show some kind of downloadable file such as a zip or rar, so unless the website owner had zipped a backup copy of the site and then uploaded it, there’s not much of a problem. Most of the results seem to be software projects e.g. results from sourceforge.

    Secondly, in the web results, the passwords are obscured.

    Maybe I’m missing something, but it seems to me that the only way a hacking attack could occur would be if someone zipped and uploaded a copy of their live site.

  32. Web Marketeer

    Thanks for the heads up, it is quite scary how many ways there are to get into our precious boxes! It is gratifying to have observant people like yourself who’ve actually actually traced the loophole and alerted the rest of us! It makes good sense to be acutely aware where and what the googlebots are indexing, and to make sure they only go where needed!

  33. Nate Hill

    Sorry to hear about what happened to your site but you have warned a lot of people. Well done! :)

  34. Victor

    You really made me shiver! I always thought my website is so well protected…

  35. UtahSEO-PR

    FRIGHTENING!

    The scary thing is… most sites have some vulnerabilit.

  36. Haji

    This is making me worried.
    How can we know if our site is being hacked? any idea?

    Haji

  37. A State of Trance

    Sorry to hear that, but truth is google starting to get dangerous

  38. Paul

    How can you telll if your site is being hacked? I bet for you it is especially risky since it could kill your business.

  39. Uzair

    These articles spread all over the internet make me think “Am I safe. ” I bet I would use blogger.com instead of self hosted wordpress because that way whole security tension rests on shoulders of google.

  40. Terry Tay

    Good article!

    That is definately a scary thought knowing that could happen to your site and even scarier for sites that bring in a nice income. You are quite knowledgable and were able to ferret out what was happening. Others may not be able to find out that their sites have been compromised. It’s articles like these that help people keep an eye out though. Thanks and keep up the great work!
    ~Terry

  41. Syed Balkhi

    it is because it have so many diggs… and i just added one more by digging it.

  42. Dave King

    ARGH!!!!!!!!!!!! Scared now. :( Thanks for the warning.

  43. Flash Gamer

    Wow very crazy. At least you were not effected too horribly.

  44. Blog Advertising Network

    It’s because the post is still on favorites :)

  45. SEOContest2008

    Wow Shoe! This post is more than 2 years old but still heavily visited and commented on, probably because it is in the favs list above.

  46. Paul

    What an incredible post! Thank you for going indepth cause I am not a Google Nija. WOW that is really all I can say.

  47. domprofesor

    Google didn’t fix this, you still can search for databases, USER/PASS combination and emails (are the easiest to find – lists of emails)

  48. The Abemore Perspective

    serious? no I think he was joking. isnt today april fools?

  49. VacationGuy

    hackers suck

  50. Justin

    Trivia – Does anyone have the correct pronunciation of the word pwn?

  51. MonetizeYourBlog

    google fixed this – you can’t see passwords anymore

  52. MonetizeYourBlog

    Google fixed this long time ago.

  53. Steve said:
    “I’m shitting bricks right now. Big bricks.”
    Yeah I shat myself to. Damn Mess.

  54. “I’m shitting bricks right now. Big bricks.”
    Yeah I shat myself to. Damn mess.

  55. Steve!

    I’m shitting bricks right now. Big bricks.

  56. james

    I had the same problem as yours, the hacker keep using my email to collect my member password, and access to my principle web page to withdraw my money. Of course this idiot hacker failed to withdraw. I had question, im not expert in computer program or any code your wrote above, what should I do now? my URL(actually is blogger from google) is http://www.metaforexcapital.com . Please help me.
    Thanks.
    james

  57. Sammy Ashouri

    Great post :) .

  58. Rohan

    These hackers also use google dorks

    Dorks means , some kind of commands which can give u results in any way u want

    like intitle , inurl, allinurl, and then they search for the cms systems,or softwares which are vulnerable

    so u must also watch out for these dorks, and see that none of the dorks lead to your sites getting hacked

  59. Kyle Howard

    As an aside, many people that frequent this blog sell information products on their website. If you don’t do this correctly, it is amazingly easy for people to steal your information product using Google.
    Try this search in google:
    site:yoursitename.com
    And make sure that your “Thank you” page isn’t showing up. Or try this search:
    inurl:cbreceipt
    To see all of the people who have their thank you page indexed by google for easy theft.

  60. Hafiz Dhanani

    Aaaaah. Scary the things you can do with google. Thankfully it won’t work on my blogspot blog, but when I transfer to my own server I’ll definitely keep this in mind!

    Hafiz
    http://how-to-earn-cash-make-money-online.blogspot.com

  61. Taong Grasa

    definitely a good read. i also had a blog sitting on my server and since i’m not that techie enough, I opted for blogspot. silly and lazy me!

  62. lain

    hmmm… google’s nightmare :P

  63. TvForPc

    Great information, hopefully google can make a way that this isnt allowed

  64. Steve

    Wow very intresting stuff, I guess we have to watch how we save our files.

  65. Utah SEO

    Dang, that’s a very scary situation. It seems like it’d be fairly easy for Google to filter out a lot of exposed SQL connections. I wonder if they’re being proactive about this at all. Probably not :)

  66. William Montanaro

    scary stuff, sometimes you just have to make sure it doesn’t happen to you!

  67. SEO Vibe

    Its not an art 99% of the population is capable of… but that last 1% can be quite ingenius. It always strikes me that hackers can put in such huge amounts of energy into hacking but many are too lazy to take a shower daily. They always look horrible when they videotape themselves in the act.

  68. Girish a.k.a KiHack

    Hacking….. not an art everyone is capable of, but still better to be careful.

  69. Tony Smith

    Great, like I wasn’t paranoid enough about hacking!

  70. Ehab

    CodeSearch reveals your config.php file HA HA

  71. Publishers Weblog

    Old news and old story. A lot of this has like already been done and over with. Nowadays Google can also be used to find out who has been pawned not just who to pawn. Have a browse here http://www.google.com :P

  72. PipholicDotCom

    this kind of problem always make me rethinking how to be really secured from those hackers. They sometime doing it just for unknown purpose, trying some new techniques etc. Also, this kind of problem is common on any opensource script

  73. Vickywebworld

    Is is actually possible to prevent these google hack. My site was once hack and my adwords cost was just wasted.

  74. Luigi Salas

    mmm… I will check my scripts :)

  75. Money Maker Boy

    you freaked the hell out of me i heard that many blogs got hacked

  76. Nikita Kondraskov

    You have made a clear point.
    I would recoment to block googs code crowler from indexing the site, if possible or acceptable !

  77. Michelle

    I think duplicate content is getting clamped on quite seriously – and with a timestamp Google will be able to tell which content came first . . .

  78. Harrisburg Web Design

    It is pretty scary how people are able to use search technology to bust into somebody’s box, but it just highlights the need to be more careful when coding. Sometimes it’s easy to get a little bit lazy with a piece of code… that’s how you end up getting run. The good news is that most sites aren’t worth hacking. The bad news is you often don’t learn you have a security flaw until your site has hit big and you really can’t afford to be exposed.

  79. CatherineL

    This is scary. I got hacked a couple of years ago, and I am quite technically challenged so even though not a lot of damage was done – it still took me a good while to sort it out.

  80. 3Terabyte

    I ike this topic. thanks for the informative post shoe.

  81. angie

    Great post! Very interesting!

  82. Instant Community

    Johhny i hackstuff has tons of information about google hacking. I use to refer to his site before, to see what are the latest exploits running around.

  83. SW

    Would the ‘box’ also be known as the “shoebox”?

    Seriously though, that sucks. Anything you learn about security that you think we’d benefit, keep passing it along. Much appreciated.

  84. Donald Mckenzie Jr

    I am just glad that your site was able to pull through. Just goes to show what jealous people will do. I agree that hackers are very dangerous nowadays on the internet. Everyone needs to keep a close eye and protect their online real estate.

  85. Krunal Chauhan

    I see this is the same way people are spamming .Edu and Gov sites with sql injections thats what i read on Daven’s blog

  86. Supermodel

    Never been hacked before but certainly will remember the advice.

  87. MyBlogContest

    This post just make me scared.

  88. Gecko Tales

    Hackers suck.

  89. Anthony

    Tamar,

    I agree with you. These haters showing up can blow it out their asses with their negativity. I appreciate Shoe highlighting areas of potential security breeches for non-technical folks like myself. Great post, Shoe.

    Anthony

  90. Blogs for Money

    “I had some suggestions to leave some files off by default (like .inc .func)”

    I disagree with this – some people might want the files indexing. The fact is, you should NEVER EVER have code in extensions that aren’t parsed by the scripting engine – call them .inc.php or .inc.asp. Just because Google doesn’t index them won’t stop people finding them, and since most people have their connection strings (containing usernames and passwords) in /inc/common.inc it’s not hard to see why this is a bad idea :-)

    Even Microsoft distributed adovbs.inc named that way a few years back. It’s bad, don’t do it. Don’t expect Google to mop up after you – if it’s on your server it’ll be found. Fix it.

  91. Seo Next

    Very good post, as above i heard they are many such hacks thru google search , i think configuring apache server and using updated scripts will keep us safe

  92. Nick Sullivan

    Class post. This has definitely woke me up on being more secure.

  93. coop

    theres a whole site out there called johnny i hack stuff which has some pretty cool stuff using google

  94. RapidWeb

    WoW nice post. hope this make people more aware and secure!

    I am running checks on my sites right away!

  95. Wally Bootsma

    You lost me right after: “I had made the mistake of making the web files on the server writeable by the web server” If you are going to write for dummies, you must get down, down, down to our level.

  96. Andrew

    So if I have my current XML file only showing blog entries and none of the includes, etc I am fine?

  97. Benj Arriola

    I was just doing the usual searching myself not to check on my sites, but to check on people talking about me. Somewhere down page 18 I think, I found this page since I had a comment in it. But interesting is, the URL is not on the shoemoney.com Domain. It is:

    http://securebar.secure-tunnel.com/cgi-bin/nph-freebar.cgi/110110A/http/www.shoemoney.com/2006/12/26/how-hackers-are-using-google-to-pwn-your-site/

    Now looks like one of the free web proxies for anonymous browsing. But having it in the SERPs? Hmmm someone is linking to the proxy address and not to the main URL. I wonder why.

  98. Clint Lenard

    Interesting post…more interesting is the Diggs you got lol and you KNEW it was going to cause problems didn’t ya :-P

  99. Clint Lenard

    That’s DIGGers for ya :-D

  100. Clint Lenard

    But it’s always great to see stupid replies that make no sense. ;-)

  101. Justin Cook

    Thank goodness I have none of the popularity that seems to get you hacked!

  102. Mike Peters

    Right. I meant if you have your own Apache server, make sure you configure it to execute .pl, .inc, .php etc files otherwise by default it will serve them back as text files exposing the vulenerability

  103. lobas

    Why is everyone shocked, this is really old news, and has been going on for ages

  104. Mike McD

    I tried, dude. I think good ol’ Shü-$ is moderating away my comment somehow. For whatever reason, I can’t post a reply containing links here, and I need to get in the shower for my day jaerb.

    I compiled a list of URLs for you. I guess you’ll just have to find ‘em on my blog. Click my nickname if you want to see a list of sites offering Google Hacks.

  105. Mike McD

    OKAY…

    I only tried about 1700 times to get my comment posted on here so I could reply to Hedge’s question. Since that DOESN’T seem to be working, and I’m going to be late for work if I keep trying, I’m going to give it one last go without attempting to employ the HTML “a” tag or BBCode “url” tag- I’m assuming Shü-$ is moderating those kinds of comments because of extensive blog spamming.

    THANKS, blog spammers. You ruined it for the rest of us.

    So, without further ado (assuming that this freakin comment actually POSTS)…

    Sites that have information on messing around with Google:

    http://johnny.ihackstuff.com/index.php?module=prodreviews
    He’s Johnny. He hacks stuff.

    http://douweosinga.com/projects/googlehacks
    DOUWEOSINGA!!! FIVE!

    http://www.oreilly.com/catalog/googlehks/
    RTFM

    http://www.oreilly.com/pub/ht/2
    RTFM for free online

    http://www.googleearthhacks.com/
    Hack the Planet

    http://en.wikipedia.org/wiki/Google_Hacks
    Wikka-what?

    http://www.google.com/help/features.html
    Google Chimes In

    Or, you could…

    http://justfuckinggoogleit.com/

    Seriously.

    http://google.com/search?hl=en&q=google+hacks&btnG=Google+Search

  106. Mike McD

    Reading through these comments reminds me just how many people in the world are bitter and vindictive about other people succeeding more than themselves.

    I’m sorry you suck so bad, mean little people out on the Intarweb.

    Great article, Shü-$.

  107. Yuri

    Interesting. I guess searching for known exploits available can be pretty entertaining and efficient, thanks to Google (who continuse to deliver quality to their users). However, does not stopping this is good? I always thought that not doing anything to prevent a crime is a crime.

    But anyway, I don’t think the code search is that popular with the web development community, because few know it exists. And then, what would they search for? Why not just find a piece of code, copy and use it in your own app? Copyrights? Forget it.

    So hoping that code search would be used for ‘educational purposes only’ is a naive idea at best.

  108. W

    I’m glad that you can solve the problem. My two boxes were hacked by someone and I found that issue by watching my AdSense earnings. It seems the hacker can modify my file on-the-fly and insert his adsense publisher code when I was sleeping and changed it back when I get up. I can still couldn’t find how can he know my password because the logs are gone.

  109. pennyideas

    hmm..thanks for the info! glad u got back up and running.

  110. Wild Girl

    at least you didn’t get your pants taken by the hax0r

  111. Benj Arriola

    I had some suggestions to leave some files off by default (like .inc .func)

    Hmmm, just want to add my thoughts on this… a lot of people used to use included files in PHP have the .inc extension, but when this is found and displayed and no mime type is associated with it, it will display like a text file and actual PHP code can be seen as the PHP source. So if you have mysql_connect details for instance, it can be seen.

    So many people have been using .inc.php as an extension.

    What I have been doing was all my include files are outside the public_html (or www) folder so my include files are not public. I am not sure if this is the best way to do it, but so far everything works for me.

  112. SonicReducer

    Damn Shoe, another front page Digg! Nice work.

  113. Alexey Busygin

    Great post! Very interesting!

  114. Tamar Weinberg

    Shoe – great post. It’s no surprise that Google Code Search continues to show vulnerabilities. A lot of people responding here with the negative comments come from Digg and think that they aren’t susceptible. I’d laugh in their faces when they, too, are pwn3d. Thanks for the wake-up call.

  115. Dude

    I’m not impressed. Code search is irrelevant. If you do find some passwords that way, you may be sure the box is attacked before…

  116. Steve

    the hacker managed to find an exploit in an old version of some open source software that you were using? Like wordpress’s pre v2 xmlrpc exploit? ok.

  117. RandomInsano

    I reccomend you read over this post and correct the areas you repeat yourself. It will make you seem more professional.

  118. tom ferris

    thats what happens when you host your sites on a windows server.. ;)

  119. Tyler Banfield

    Shoe, when you get a minute of freetime, check out all of the Digg comments on this post. They are absolutely hilarious (and completely focused on the word pwn for the most part)!

  120. Hedge

    Can you please post some links or websites that talk about more google searching techinques.

    Danke

  121. ToddW

    The “hacker search” is nothing new just more advanced with the google code search. People have been doing the “Powered By X” query to many diff. search engines locating old/bad/unsafe versions of files for MANY years.

    This is why people suggest changing .php to .html and to use robots.txt to disallow and why removing the Powered By is a very safe thing to do. These things don’t guarantee an attack they just make it a hell of a lot harder for automated hacker script0rs to take your site down.

  122. james

    so basically the point of this post is “i’m stupid, and so are lots of other people.” thanks for that, really.

  123. Robert

    Holy cow. Not that I think anything is vulnerable, but this post makes me think I’m going to spend the first part of my day when I get back to work verifying our public machines security.

  124. Freelance Programmer

    Well, at least, the damage was not great in your case. May this serves as a reminder to all of us to always backup our files.

  125. matt

    personally, i dont even understand the point of this post at all, what is the golden rule of security?

    security through obsecurity is no security at all.

    regardless of who linked to your .php file or how they found it, if you have vulnerable code living on a public website accessible to the entire internet, what difference does it make where the vulnerable file is in the tree?

    sooner or later is it going to get found and if you stick vulnerable code on a public website that is by your own admission “YEARS” old, then you deserve to get hacked and you deserve to waste umpteen weeks trying to figure out how they hacked your box.

    here’s an idea, clean up after yourself, dont leave root exploitable code that is “YEARS” old just laying around your website and maybe things like this wouldnt happen?

  126. JBlanch

    Cool stuff! Don’t feel bad, at least it was old code that got hacked and not new code!

    But anyways, for people wondering how google gets it’s source code, it can unzip ZIP, RAR, and other files that could be packaged on your webserver, and those aren’t parsed by your server because they’re just contents of another file.

    usually you can see were it got the data from, and it will list all the files in the data source.

  127. gullevek

    be not scared. if you are dumb enough and have an unsecured open db port, I am sorry, thats all your fault. If I have to open a port from a db server for a web server, then only this web server can access this box.
    furthermore any configuration data should be stored at a place or in a way that, through apache settings, only the box itself can read the file and it gets denied by any outside.
    basic easy rules.

  128. dillsmack

    Uh. Thats not a fix. As stated above, these are all open code repositories, not private site’s code being extracted or spidered.

  129. dillsmack

    Most of these are open source projects, or open code repositories. Its rarely if ever going to be private site code, unless you have it publicly accessible and non-executable somewhere.

  130. Shocker

    Great post!
    Does Google code have a separate bot that collects this information and if so, how can we block it with the robots.txt file?

  131. Mike Peters - SoftwareProjects

    Possible fix:

    Google cannot “see” your source code unless your web server spits it back as plain-text instead of executing the code.

    Make sure your Apache file has handlers for all common extensions you use (.php, .inc, .pl, .cgi etc)

    AddHandler cgi-script .cgi

    SetHandler perl-script

    etc.

  132. Matt

    I’m now so very scared…..
    Actually though, how does Google get it’s code in the “code search”? I know it can’t spider running PHP pages (obviously they’ll get parsed by the server before being outputted) so where does the info come from?

  133. Todd

    Great post man – there’s a group that’s been doin’ somethin’ similar to those queries for quite a while:
    Googledorks

    I often use it as an example of how to craft queries for link development – it’s amazing how creative you can get when you find a specific type of information you are looking for. I am surprised that G doesn’t proactively try to block some of this type of stuff though.

  134. Glen

    Great information. Sorry to hear about what happened

  135. ray

    Wow shoe those are some serious google querys. Great post!

    • Michael Henry

      Thats amazing! Two years later and google search still returns exploits!

Trackbacks url:

By commenting on this post you agree to the comment policy

Leave a Comment...