Google Hacking

As most of you know, a few months back my site was hacked. What many people don't know is that this was actually the first of two times the box was hacked. The first time, I had made the mistake of making the web files on the server writable by the web server. Since this server (the one my blog sits on) is hardly used for any commercial activity, I was a lot less security focused than I would be with something I'd call "production" ready. I implemented mod_security and some other logging tools, and offloaded the server logs to a different server (yes, the logs were owned by the apache user as well).

So basically, when I got owned, the attacker found a web-accessible file on my server through which he could execute commands as the web user. Because the files and the log files were owned by that user, he could write to them and even delete them. Lucky for me, this guy just wanted to put up his Turkish political statement and try to infect people with his virus. So all he did was search the box for any index.* files and copy his index file over them. He also deleted all files matching *log. So it was pretty obvious how the person did it, but I was not sure which file was the hole in my system. This is the point where you have to weigh catching the hacker against running a box that has been compromised. Since I really only have blogs and a few low-traffic forums running on this box, I thought it would be a good chance to see what was vulnerable.

So I installed mod_security and ran it pretty hardcore. Over the next couple of weeks I learned more about adjusting its rule sets to let possibly exploitable requests through but log them. Nothing happened for many weeks; then one morning I got a page that my box was not responding. I quickly attached to my remote server via its DRAC card (Dell Remote Access). The DRAC card lets me take control of the server as if I were sitting right in front of it. I could see the box was sitting in a "kernel panic" and had crashed. I rebooted the box remotely but kept most services down so I could investigate what had happened.

Sure enough, I figured out that the hacker had been back and downloaded some files to the /tmp directory (which was world writable). Only this time I had changed ownership of all index.* files so they could not be written to. I guess he realized that in order to take over my web server he was going to need to be a bit more aggressive, so he downloaded a rootkit to my tmp directory and tried to run it. Fortunately for me, that made the kernel panic, and the server was left in a frozen, crashed state.
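A quick way to audit the two mistakes described above (web files and log files that the web server account could overwrite or delete). This is an added example and not part of the original post; the account name www-data is an assumption (the post's server ran as "apache"), and the paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Lists everything under a web root
# (or log directory) that the web server account could modify: files or
# directories owned by that account, plus anything world-writable.
# The account name (www-data) is an assumption; the post's server ran as "apache".
# Limitation: paths that are only group-writable by a group the server belongs
# to are not reported.
find_web_writable() {
    root="$1"
    web_user="${2:-www-data}"
    if id "$web_user" >/dev/null 2>&1; then
        find "$root" \( -user "$web_user" -o -perm -002 \) 2>/dev/null | sort
    else
        # Account does not exist on this host: fall back to world-writable only.
        find "$root" -perm -002 2>/dev/null | sort
    fi
}

# Usage (placeholder paths): every path printed is one that an attacker with
# command execution as the web user could overwrite (index.*) or delete (*log).
# A clean run prints nothing.
# find_web_writable /var/www apache
# find_web_writable /var/log/httpd apache
```

Run it against both the document root and the log directory; the post's attacker needed write access to both, so a clean result for one is not enough.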

I was able to figure this out, and also exactly which file they used to execute commands on my box, very quickly, because it was pretty much the last thing in the web logs before the box crashed. (Yay!)

So now here is where it gets interesting… Now that I had figured out how the person was getting into my box, I was curious how in the hell he found the file. It was in a subdirectory that I had not used in YEARS. There was no link to it from anywhere on my site. The directory structure it was in was something like html/oldforums/oldstuff/badfile.php. How in the hell did this person find this file? Well, after going through the logs grepping for the IP range that hacked my box, I found that the person found my site from Google! Specifically, using Google Code Search. Now while this was interesting, it still did not explain how the page was even indexed… oh wait, I use Google Sitemaps and I had it set to index everything (the default setting). OOPS!!

Now, to be honest… this is my fault. I in no way blame Google whatsoever. I had old exploitable code on my server and I told Sitemaps to index it, so… my fault.

I have since been working with the Sitemaps team, and I had some suggestions: leave some file types off by default (like .inc and .func), or only include common web files with extensions like .php, .html, .asp, etc. I hope they do this, because as Sitemaps gets more popular it's only going to expose more idiot webmasters like me who run with the default settings.

Ok so just for shits I thought I would do some queries on Google Code Search to see what kind of exploits I could find. Now keep in mind this probably will not show your site, but it will show code and versions that you might be running. So once someone locates an exploitable version of some code, they can then just search for "Powered By X" or whatever fingerprint the exploitable program/version leaves on a page.

Hmm, I wonder if we could find some XSS exploits…

lang:php (ECHO|PRINT) .*\$_(GET|POST|COOKIE|REQUEST|FILES)

100,000+ results

How about some SQL injection exploits?

lang:php query\(.*\$_(GET|POST|COOKIE|REQUEST|FILES).*\)

3000 results

Hrmm, I wonder how easy it is to find the host, user and password for MySQL databases… Let's try:

lang:php mysql_connect\(("|')[a-zA-Z0-9_.]+("|'),("|')[a-zA-Z0-9]+("|') -localhost -127.0.0.1 -192.168

100 results found.

This query might be a little puzzling for those who are not Google ninjas like me, so I will explain. Basically we are restricting the search to PHP files. Then we search the file for mysql_connect. If it contains mysql_connect, we look for the pattern of a connection string: a quoted host, a comma, and a quoted user name. Lastly, we use the minus sign to get rid of all localhost databases (because we can't access them).

So did we find anything interesting? Well…

Let's just look at the first 10 results:

www.ubio.org/downloads/XID.TAR.gz – Unknown License – PHP
connect.php

$connection = mysql_connect("RANSOM","GlobalWebUser","goober8") or die("Couldn't connect.");
$db_name = "dwf";

Now in this case, RANSOM is probably a local box…

Oh, what's this:

$f = mysql_connect("zeus.mbl.edu","tns","");
if (empty($limit)) $limit=50;

Hrmm, interesting….

More?

$db=mysql_connect("62.149.150.11","Sql43254","M9dKTz3M");
$selezione=mysql_select_db("Sql43254_4", $db);

I could post tons of other examples, but I think I have made my point. Watch your logs for people coming from Google Code Search, and always make sure you're running the latest version of your software.

Also keep in mind my searches were only looking for .php files. That is a small percentage of all the different languages and file types out there.
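The three Code Search queries above, turned around and run locally over your own source tree before anything gets indexed. This is an added example, not code from the original post: the regexes are the post's three patterns rewritten in Python syntax (the last one applies the post's -localhost -127.0.0.1 -192.168 exclusions as a host check), and the sample PHP file, its host name and its credentials are constructed. The output is a triage list with line numbers, not a verdict; as the last sample line shows, the query pattern also flags a statement that casts its input to int.

```python
import re

# The post's three Code Search queries as line-oriented regexes.
PATTERNS = {
    # lang:php (ECHO|PRINT) .*\$_(GET|POST|COOKIE|REQUEST|FILES)
    "reflected-output": re.compile(
        r"\b(echo|print)\b.*\$_(GET|POST|COOKIE|REQUEST|FILES)\b", re.I),
    # lang:php query\(.*\$_(GET|POST|COOKIE|REQUEST|FILES).*\)
    "query-with-input": re.compile(
        r"query\(.*\$_(GET|POST|COOKIE|REQUEST|FILES)\b.*\)", re.I),
    # lang:php mysql_connect\(("|')host("|'),("|')user("|') ... with the
    # -localhost -127.0.0.1 -192.168 exclusions handled in is_local_host()
    "hardcoded-db-creds": re.compile(
        r"""mysql_connect\(\s*["']([A-Za-z0-9_.-]+)["']\s*,\s*["']([A-Za-z0-9_]+)["']""",
        re.I),
}


def is_local_host(host):
    """Hosts the post excludes because an outsider could not reach them anyway."""
    return host in ("localhost", "127.0.0.1") or host.startswith("192.168.")


def audit_php(source):
    """Return [(line_number, pattern_name), ...] for every line that matches.

    Line-oriented on purpose: the samples keep one statement per line. A
    statement split across lines would need a real PHP parser to catch.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if name == "hardcoded-db-creds" and is_local_host(m.group(1)):
                continue
            findings.append((lineno, name))
    return findings


# Constructed sample file (not real code, host or credentials), one statement
# per line so the reported line numbers are stable.
SAMPLE_PHP = """<?php
// line 2: comment only
$name = htmlspecialchars($_GET['name']);
echo "Hello " . $_GET['name'];
print $_REQUEST['msg'];
$db = mysql_connect("localhost", "app", "secret");
$db = mysql_connect("db.example.net", "app", "secret");
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
$r = mysql_query("SELECT * FROM t WHERE id=" . (int) $_GET['id']);
"""

if __name__ == "__main__":
    for lineno, name in audit_php(SAMPLE_PHP):
        print(f"line {lineno}: {name}")
```

Point audit_php at each file under the document root (including anything inside archives you publish, since that is what Code Search indexed) and review every hit; a hardcoded-db-creds hit on a non-local host is the one the post shows turning up in search results.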

Be scared. Be very scared.

By Jeremy Schoemaker

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of ShoeMoney Media Group, and to date has sold 6 companies and done over 10 million in affiliate revenue. In 2013 Jeremy released his #1 International Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. You can read more about Jeremy on his wikipedia page here.

307 thoughts on “How Hackers Are Using Google To Pwn Your Site”
  1. Great post man – there’s a group that’s been doin’ somethin’ similar to those queries for quite a while:
    Googledorks

    I often use it as an example of how to craft queries for link development – it’s amazing how creative you can get when you find a specific type of information you are looking for. I am surprised that G doesn’t proactively try to block some of this type of stuff though.

  2. I’m now so very scared…..
    Actually though, how does Google get its code into the “code search”? I know it can’t spider running PHP pages (obviously they’ll get parsed by the server before being output), so where does the info come from?

  3. Possible fix:

    Google cannot “see” your source code unless your web server spits it back as plain-text instead of executing the code.

    Make sure your Apache file has handlers for all common extensions you use (.php, .inc, .pl, .cgi etc)

    AddHandler cgi-script .cgi

    SetHandler perl-script

    etc.
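
The fix suggested in the comment above, written out as an added Apache configuration example (not from the comment, the post, or any project). It assumes mod_php and Apache 2.4 syntax; the extension list is an assumption based on the .inc and .func extensions discussed on this page.

```apache
# Added example (not from the comment or the post). Keeps server-side source
# from being served back as plain text, which is how an unconfigured .inc file
# ends up readable, and indexable, as text.

# 1. Every extension that holds PHP must be handed to the PHP module.
#    Assumes mod_php; with php-fpm the handler line differs.
<FilesMatch "\.(php|inc)$">
    SetHandler application/x-httpd-php
</FilesMatch>

# 2. Better still: never serve include files at all, parsed or not.
#    Apache 2.4 syntax; on 2.2 use "Order deny,allow" and "Deny from all".
<FilesMatch "\.(inc|func)$">
    Require all denied
</FilesMatch>
```

Either block can live in the server configuration or, where AllowOverride permits it, in a .htaccess file; after changing it, request one of the include files directly with a browser or curl and confirm you get a 403 or parsed output rather than source text.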

  4. Great post!
    Does Google code have a separate bot that collects this information and if so, how can we block it with the robots.txt file?

  5. Most of these are open source projects, or open code repositories. It’s rarely if ever going to be private site code, unless you have it publicly accessible and non-executable somewhere.

  6. Uh. That’s not a fix. As stated above, these are all open code repositories, not private sites’ code being extracted or spidered.

  7. Be not scared. If you are dumb enough to have an unsecured open db port, I am sorry, that’s all your fault. If I have to open a port from a db server for a web server, then only this web server can access this box.
    Furthermore, any configuration data should be stored in a place or in a way that, through apache settings, only the box itself can read the file and it gets denied to anyone outside.
    Basic easy rules.

  8. Cool stuff! Don’t feel bad, at least it was old code that got hacked and not new code!

    But anyways, for people wondering how Google gets its source code: it can unzip ZIP, RAR, and other files that could be packaged on your webserver, and those aren’t parsed by your server because they’re just contents of another file.

    Usually you can see where it got the data from, and it will list all the files in the data source.

  9. Personally, I don’t even understand the point of this post at all. What is the golden rule of security?

    Security through obscurity is no security at all.

    Regardless of who linked to your .php file or how they found it, if you have vulnerable code living on a public website accessible to the entire internet, what difference does it make where the vulnerable file is in the tree?

    Sooner or later it is going to get found, and if you stick vulnerable code on a public website that is by your own admission “YEARS” old, then you deserve to get hacked and you deserve to waste umpteen weeks trying to figure out how they hacked your box.

    Here’s an idea: clean up after yourself, don’t leave root-exploitable code that is “YEARS” old just lying around your website, and maybe things like this wouldn’t happen?

  10. Well, at least the damage was not great in your case. May this serve as a reminder to all of us to always back up our files.

  11. Holy cow. Not that I think anything is vulnerable, but this post makes me think I’m going to spend the first part of my day when I get back to work verifying our public machines security.

  12. So basically the point of this post is “I’m stupid, and so are lots of other people.” Thanks for that, really.

  13. […] I quote: (Original article) As most of you know a few months back my site was hacked. What many people dont know is that was actually the first of 2 times the box was hacked. The first time the box was hacked I had made the mistake of making the web files on the server writeable by the web server. Again being this server (that my blog sits on) is not used for hardly any commercial activity I was a lot less security focus then something I would call “production” ready. I implemented mod_security and some other logging tools aswell as offloaded the server logs to a different server (yea the logs were owned by the apache user also). […]

  14. The “hacker search” is nothing new just more advanced with the google code search. People have been doing the “Powered By X” query to many diff. search engines locating old/bad/unsafe versions of files for MANY years.

    This is why people suggest changing .php to .html and to use robots.txt to disallow and why removing the Powered By is a very safe thing to do. These things don’t guarantee an attack they just make it a hell of a lot harder for automated hacker script0rs to take your site down.

    1. Thanks. These ideas are really useful and practical. The Robots.txt exclusions will help a lot. Geoff D.

  15. […] read more | digg story […]

  16. Shoe, when you get a minute of freetime, check out all of the Digg comments on this post. They are absolutely hilarious (and completely focused on the word pwn for the most part)!

  17. How Hackers Are Using Google To Pwn Your Site…

    How Hackers Are Using Google To Pwn Your Site posted at IndianPad.com…

  18. […] Google Code Search helps hackers find vulnerabilities in software platforms, and it helps them exploit PCs and servers, according to ShoeMoney.com. Although the author doesn’t seem to be willing to blame Google, I will. The article shows some examples of how to find exploits on Google. […]

  19. I recommend you read over this post and correct the areas where you repeat yourself. It will make you seem more professional.

  20. the hacker managed to find an exploit in an old version of some open source software that you were using? Like wordpress’s pre v2 xmlrpc exploit? ok.

  21. […] How Hackers Are Using Google To Pwn Your Site […]

  22. I’m not impressed. Code search is irrelevant. If you do find some passwords that way, you may be sure the box is attacked before…

  23. […] How Hackers Are Using Google To Pwn Your Site […]

  24. […] read more | digg story Filed under: Uncategorized   |   Tags: . […]

  25. Shoe – great post. It’s no surprise that Google Code Search continues to show vulnerabilities. A lot of people responding here with the negative comments come from Digg and think that they aren’t susceptible. I’d laugh in their faces when they, too, are pwn3d. Thanks for the wake-up call.

  26. […] read more | digg story […]

  27. […] From ShoeMoney.com: As most of you know a few months back my site was hacked. What many people dont know is that was actually the first of 2 times the box was hacked. […] Well after going through the logs greping for the ip range that hacked my box I found that the person found my site from Google! Specifically using Google code search. Now while this was interesting it still did not explain how the page was even indexed…. ohh wait I use Google Sitemaps and I had it on to index everything (the default setting) OUPS!! […] […]

  28. […] Additionally this post describes how hackers can use Google code search and a simple sitemap to gain access to your system. […]

  29. […] I came across this article which is interesting stuff for site owners. It shows you how hackers can use Google queries, especially on Google’s code search, to find weaknesses in your code. Check it out and try some of the queries too. You’ll be amazed how easy it is to find security holes! Related articles you might like: Google Website OptimizerGoogle released a tool called Website Optimizer. If website traffic heat maps like CrazyEg…Four advantages of the Google webmaster toolsAre you using the Google Webmaster Tools yet? If you don’t, this articles show you the fou… […]

  30. […] – How Hackers Are Using Google To Pwn Your Site […]

  31. See how hackers use google to mine your site…

    I read an article analyzing how hackers use google to dig up a site’s key data and then hack the site. It is well written, so I am quoting its points here as an introduction, heh! Your site might be in this kind of danger too! Original title …

  32. I had some suggestions to leave some files off by default (like .inc .func)

    Hmmm, just want to add my thoughts on this… a lot of people used to give included files in PHP the .inc extension, but when such a file is found and displayed with no MIME type associated with it, it will display like a text file and the actual PHP code can be seen as source. So if you have mysql_connect details in there, for instance, they can be seen.

    So many people have been using .inc.php as an extension.

    What I have been doing was all my include files are outside the public_html (or www) folder so my include files are not public. I am not sure if this is the best way to do it, but so far everything works for me.

    1. This is definitively the best way. Do not make public anything that doesn’t need to be.

      Obviously, the robots.txt is useless; it will prevent Google from finding your files, but that’s not a problem for many other spiders (heard of Yahoo! crawl?). The best way, if you cannot move the .inc, etc. to the right place, is to add a .htaccess file and block anything that you want to keep private.

      The big problem is that systems such as WordPress do not offer the capability to put data in a private folder (at least not out of the box.) From what I understand, it makes the installation much easier (extract all the data under public_html, there, you’re done!)

      But security wise, that’s stupid. 😎

      In most cases, you’d just need index.php in the root folder. Voilà. Everything else should reside in a place where Apache cannot show it to hackers. (And the database access info would not reside in the index.php, so if Apache is misconfigured you cannot see that info!)

  33. […] How Hackers Are Using Google To Pwn Your Site : Its wild how easy Google has made it to find hackable code and websites […]

  34. […] Via digg I just stumbled over a field report describing a successful hack attack on the author’s website. After a first attack he secured the server better, yet a second attacker still got in through the “tmp” directory; luckily for him the server then crashed (why, it is all written there). […]

  36. I’m glad that you could solve the problem. My two boxes were hacked by someone, and I found the issue by watching my AdSense earnings. It seems the hacker could modify my file on the fly and insert his AdSense publisher code while I was sleeping, then change it back when I got up. I still couldn’t find out how he knew my password, because the logs are gone.

  37. Interesting. I guess searching for known available exploits can be pretty entertaining and efficient, thanks to Google (who continues to deliver quality to their users). However, is not stopping this good? I always thought that not doing anything to prevent a crime is a crime.

    But anyway, I don’t think the code search is that popular with the web development community, because few know it exists. And then, what would they search for? Why not just find a piece of code, copy and use it in your own app? Copyrights? Forget it.

    So hoping that code search would be used for ‘educational purposes only’ is a naive idea at best.

  38. […] How Hackers Are Using Google To Pwn Your Site Published by del.icio.us at 06:30 Filed under Link collection | Trackback […]

  39. […] Yesterday, Shoemoney wrote a post called “How Hackers Are Using Google To Pwn Your Site“. It is an interesting post about some issues he discovered while researching his own hacking experiences. Because it’s a good post and related to technology, it was Dugg and has received over 1550 Diggs, which kept it on the homepage for a good amount of time. […]

  40. Reading through these comments reminds me just how many people in the world are bitter and vindictive about other people succeeding more than themselves.

    I’m sorry you suck so bad, mean little people out on the Intarweb.

    Great article, Shü-$.

  41. OKAY…

    I only tried about 1700 times to get my comment posted on here so I could reply to Hedge’s question. Since that DOESN’T seem to be working, and I’m going to be late for work if I keep trying, I’m going to give it one last go without attempting to employ the HTML “a” tag or BBCode “url” tag- I’m assuming Shü-$ is moderating those kinds of comments because of extensive blog spamming.

    THANKS, blog spammers. You ruined it for the rest of us.

    So, without further ado (assuming that this freakin comment actually POSTS)…

    Sites that have information on messing around with Google:

    http://johnny.ihackstuff.com/index.php?module=prodreviews
    He’s Johnny. He hacks stuff.

    http://douweosinga.com/projects/googlehacks
    DOUWEOSINGA!!! FIVE!

    http://www.oreilly.com/catalog/googlehks/
    RTFM

    http://www.oreilly.com/pub/ht/2
    RTFM for free online

    http://www.googleearthhacks.com/
    Hack the Planet

    http://en.wikipedia.org/wiki/Google_Hacks
    Wikka-what?

    http://www.google.com/help/features.html
    Google Chimes In

    Or, you could…

    http://justfuckinggoogleit.com/

    Seriously.

    http://google.com/search?hl=en&q=google+hacks&btnG=Google+Search

  42. I tried, dude. I think good ol’ Shü-$ is moderating away my comment somehow. For whatever reason, I can’t post a reply containing links here, and I need to get in the shower for my day jaerb.

    I compiled a list of URLs for you. I guess you’ll just have to find ’em on my blog. Click my nickname if you want to see a list of sites offering Google Hacks.

  43. […] I tried to post a reply to the recent Shü-$ blog post about how his site got haxored thanks to Google, but I guess his newly improved security measures won’t allow me to put links in a comment. Despite the fact that his blog specifically states that I can. Maybe it’s always been like that… I don’t know. […]

  44. How hackers are using Google to pwn your site…

    Shoe Money has an interesting post about how his server got hacked via an old file in an unused subdirectory. Naturally he wondered: How in the hell did this person find this file? Well after going through the logs greping……

  45. […] I thought Shoemoney’s post about how his box got hacked was interesting. He basically discovered how the hacker found his site and some vulnerable code on it through Google’s Code Search, however, this was only possible due to site maps *uugh* and a poorly secured server. This method of finding vulnerable sites has been around for a while, and even has its own term. […]

  46. Right. I meant if you have your own Apache server, make sure you configure it to execute .pl, .inc, .php etc. files; otherwise by default it will serve them back as text files, exposing the vulnerability.

  47. […] How Hackers Are Using Google To Pwn Your Site (tags: Computers Hacking Software Google Internet) […]

  48. […] How safe is your site? How Hackers Are Using Google To Pwn Your Site Great article by Shoe. I had no idea that Google had a code search and that it could even display server side scripts. Just another reason to use a "config" file and call your DB stuff using variables. __________________ "Great spirits have always found violent opposition from mediocrities. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." – Albert Einstein Domains Name HQ – domains and hosting WiiPoint.net – Gamer community for Nintendo Wii Don’t click here asshat, unless you want to make money […]

  49. […] How Hackers Are Using Google To Pwn Your Site the person found my site from using Google Code search. While this was interesting it still did not explain how the page was even indexed…. ohh wait I use Google Sitemaps and I had it on to index everything (the default setting) OOPS!! […]

  50. […] xmen tickets free Its wild how easy Google has made it to find hackable code and websites… xmen the tv show characters biosread more | digg story […]

  51. Interesting post…more interesting is the Diggs you got lol and you KNEW it was going to cause problems didn’t ya 😛

  52. WebProBlog - Internet Business and Marketing Trends» Blog Archive » Using Google As A Hacking Tool says:

    […] First off, I’m sure many of you have heard about Shoemoney’s recent hacking incident, something he blogged extensively about. Apparently, some enterprising hackers found vulnerabilities on his server using Google Code Search and exploited them (for more details, Shoemoney’s write-up is quite thorough). […]

  53. I was just doing the usual searching myself not to check on my sites, but to check on people talking about me. Somewhere down page 18 I think, I found this page since I had a comment in it. But interesting is, the URL is not on the shoemoney.com Domain. It is:

    http://securebar.secure-tunnel.com/cgi-bin/nph-freebar.cgi/110110A/http/www.shoemoney.com/2006/12/26/how-hackers-are-using-google-to-pwn-your-site/

    Now looks like one of the free web proxies for anonymous browsing. But having it in the SERPs? Hmmm someone is linking to the proxy address and not to the main URL. I wonder why.

  54. So if I have my current XML file only showing blog entries and none of the includes, etc I am fine?

  55. You lost me right after: “I had made the mistake of making the web files on the server writeable by the web server” If you are going to write for dummies, you must get down, down, down to our level.

  56. WoW nice post. hope this make people more aware and secure!

    I am running checks on my sites right away!

  57. There’s a whole site out there called Johnny I Hack Stuff which has some pretty cool stuff using Google.

  58. […] in open source applications, and on any website if the owner is not very careful. That hackers use Google CodeSearch is nothing new… but if you don’t know what it is about, it will surprise you. Technorati tags: […]

  59. Very good post. As above, I heard there are many such hacks through Google search. I think configuring the Apache server and using updated scripts will keep us safe.

  60. “I had some suggestions to leave some files off by default (like .inc .func)”

    I disagree with this – some people might want the files indexing. The fact is, you should NEVER EVER have code in extensions that aren’t parsed by the scripting engine – call them .inc.php or .inc.asp. Just because Google doesn’t index them won’t stop people finding them, and since most people have their connection strings (containing usernames and passwords) in /inc/common.inc it’s not hard to see why this is a bad idea 🙂

    Even Microsoft distributed adovbs.inc named that way a few years back. It’s bad, don’t do it. Don’t expect Google to mop up after you – if it’s on your server it’ll be found. Fix it.

  61. Tamar,

    I agree with you. These haters showing up can blow it out their asses with their negativity. I appreciate Shoe highlighting areas of potential security breaches for non-technical folks like myself. Great post, Shoe.

    Anthony

  62. I see this is the same way people are spamming .edu and .gov sites with SQL injections; that’s what I read on Daven’s blog.

  63. I am just glad that your site was able to pull through. Just goes to show what jealous people will do. I agree that hackers are very dangerous nowadays on the internet. Everyone needs to keep a close eye and protect their online real estate.

  64. Would the ‘box’ also be known as the “shoebox”?

    Seriously though, that sucks. Anything you learn about security that you think we’d benefit, keep passing it along. Much appreciated.

  65. Johnny I Hack Stuff has tons of information about Google hacking. I used to refer to his site before, to see what the latest exploits running around were.

  66. This is scary. I got hacked a couple of years ago, and I am quite technically challenged so even though not a lot of damage was done – it still took me a good while to sort it out.

  67. It is pretty scary how people are able to use search technology to bust into somebody’s box, but it just highlights the need to be more careful when coding. Sometimes it’s easy to get a little bit lazy with a piece of code… that’s how you end up getting run. The good news is that most sites aren’t worth hacking. The bad news is you often don’t learn you have a security flaw until your site has hit big and you really can’t afford to be exposed.

  68. I think duplicate content is getting clamped on quite seriously – and with a timestamp Google will be able to tell which content came first . . .

  69. You have made a clear point.
    I would recommend blocking Google’s code crawler from indexing the site, if possible or acceptable!

  70. Is it actually possible to prevent these Google hacks? My site was once hacked and my AdWords cost was just wasted.

  71. This kind of problem always makes me rethink how to be really secure from those hackers. They sometimes do it just for unknown purposes, trying some new techniques, etc. Also, this kind of problem is common with any open-source script.

  72. Old news and old story. A lot of this has like already been done and over with. Nowadays Google can also be used to find out who has been pawned not just who to pawn. Have a browse here http://www.google.com 😛

  73. It’s not an art 99% of the population is capable of… but that last 1% can be quite ingenious. It always strikes me that hackers can put such huge amounts of energy into hacking but many are too lazy to take a shower daily. They always look horrible when they videotape themselves in the act.

  74. Dang, that’s a very scary situation. It seems like it’d be fairly easy for Google to filter out a lot of exposed SQL connections. I wonder if they’re being proactive about this at all. Probably not 🙂

  75. definitely a good read. i also had a blog sitting on my server and since i’m not that techie enough, I opted for blogspot. silly and lazy me!

  76. As an aside, many people that frequent this blog sell information products on their website. If you don’t do this correctly, it is amazingly easy for people to steal your information product using Google.
    Try this search in google:
    site:yoursitename.com
    And make sure that your “Thank you” page isn’t showing up. Or try this search:
    inurl:cbreceipt
    To see all of the people who have their thank you page indexed by google for easy theft.

  77. These hackers also use google dorks

    Dorks means some kind of commands which can give you results in any way you want,

    like intitle, inurl, allinurl, and then they search for the CMS systems or software which are vulnerable.

    So you must also watch out for these dorks, and see that none of the dorks lead to your sites getting hacked.

  78. I had the same problem as you; the hacker kept using my email to collect my member password, and accessed my principal web page to withdraw my money. Of course this idiot hacker failed to withdraw. I have a question: I’m not an expert in computer programs or any code you wrote above, so what should I do now? My URL (actually it is Blogger from Google) is http://www.metaforexcapital.com . Please help me.
    Thanks.
    james

  79. “I’m shitting bricks right now. Big bricks.”
    Yeah, I shat myself too. Damn mess.

  80. Steve said:
    “I’m shitting bricks right now. Big bricks.”
    Yeah, I shat myself too. Damn mess.

  81. Google didn’t fix this, you still can search for databases, USER/PASS combination and emails (are the easiest to find – lists of emails)

  82. What an incredible post! Thank you for going in depth, because I am not a Google Ninja. WOW, that is really all I can say.

  83. Wow Shoe! This post is more than 2 years old but still heavily visited and commented on, probably because it is in the favs list above.

  84. Good article!

    That is definitely a scary thought, knowing that could happen to your site, and even scarier for sites that bring in a nice income. You are quite knowledgeable and were able to ferret out what was happening. Others may not be able to find out that their sites have been compromised. It’s articles like these that help people keep an eye out though. Thanks and keep up the great work!
    ~Terry

  85. These articles spread all over the internet make me think “Am I safe. ” I bet I would use blogger.com instead of self hosted wordpress because that way whole security tension rests on shoulders of google.

  86. How can you tell if your site is being hacked? I bet for you it is especially risky since it could kill your business.

  87. This is making me worried.
    How can we know if our site is being hacked? any idea?

    Haji

  88. Sorry to hear about what happened to your site but you have warned a lot of people. Well done! 🙂

  89. Thanks for the heads up, it is quite scary how many ways there are to get into our precious boxes! It is gratifying to have observant people like yourself who’ve actually actually traced the loophole and alerted the rest of us! It makes good sense to be acutely aware where and what the googlebots are indexing, and to make sure they only go where needed!

  90. I just tried the last search that you posted and spotted a couple of interesting things.

    Firstly, all the results show some kind of downloadable file such as a zip or rar, so unless the website owner had zipped a backup copy of the site and then uploaded it, there’s not much of a problem. Most of the results seem to be software projects e.g. results from sourceforge.

    Secondly, in the web results, the passwords are obscured.

    Maybe I’m missing something, but it seems to me that the only way a hacking attack could occur would be if someone zipped and uploaded a copy of their live site.

  91. […] website has in the past been a great aid for the Webmaster community. Then comes the post “How hackers are using google to ‘pwn’ your site.” Sure, this is not a post telling people to go around and hack their competitors, but what it […]

  92. Very interesting post. Hackers are everywhere, it seems. Glad you could catch on to him. This is scary though. Makes me wonder….

  93. I just don’t understand this coding stuff. Can you please explain it in human jargon? No offense meant. I wondered whether you can tell me a simple solution in plain words? 😛

  94. Some people are using the weakness of search engines to exploit people. Thanks for the insight, sorry for the hacking of your blog.

  95. Increasingly worrisome problem, this hacking thing.
    Seems that there is a WordPress plugin that makes those blogs vulnerable, but the truth is any site is vulnerable.
    Vigilance may be recommended if you have one or two sites, but what happens when you have a hundred sites?!

  96. Hmm!! Google Ninja!! Never heard this term before. anyway, those are really great queries. Thanks for posting them.

    1. IMHO “google ninja” is related to something unique, undisplayable and maybe not a free one when you find the search results

  97. Air travel has become a major part of our society, with industries and individuals depending on air transport for their livelihood. But have you ever wondered what happens to the artifacts of our airborne culture when they’re no longer needed? More..
    xrtst303a

  98. SQL injection is a cool hack, you can shut down the server just by entering ‘shutdown–

    I found this problem at my last job
    hope I don’t shut down your SQL server
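    The comment above describes the textbook case of untrusted input being pasted into a SQL statement. The following is an added example, not code from the post or from any commenter, that puts the vulnerable string-concatenation style next to the parameterized fix and feeds both the exact text quoted in the comment (a constructed input here). It uses an in-memory SQLite table named `users`, which is an assumption for illustration; SQLite has no SHUTDOWN command, so the point shown is how the statement text changes, not what any server would do with it.

```python
import sqlite3

# The text quoted in the comment above, used only as constructed input.
INJECTED_NAME = "' shutdown--"


def build_query_unsafe(username):
    """Vulnerable pattern: the caller's text is concatenated into the SQL.
    A single quote in the input closes the developer's string literal, so
    whatever follows is parsed as SQL, and '--' comments out the rest of the
    statement (including the developer's own closing quote)."""
    return "SELECT id FROM users WHERE name = '" + username + "'"


def lookup_safe(conn, username):
    """Hardened pattern: the value travels separately from the statement as a
    bound parameter, so it can only ever be compared as a literal string."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur.fetchall()]


def make_db():
    """Constructed sample table (assumed schema) with two ordinary users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def demo():
    """Return the altered statement text and the rows the safe lookup yields."""
    conn = make_db()
    unsafe_sql = build_query_unsafe(INJECTED_NAME)
    safe_rows = lookup_safe(conn, INJECTED_NAME)   # nobody is literally named that
    normal_rows = lookup_safe(conn, "alice")        # ordinary lookups still work
    return unsafe_sql, safe_rows, normal_rows


if __name__ == "__main__":
    sql, rows, alice = demo()
    print("statement the database would receive:", sql)
    print("rows from the parameterized lookup for the same input:", rows)
    print("rows for 'alice':", alice)
```

    The detection side is the same observation in reverse: in mod_security or database logs, a quote followed by a comment marker inside what should be a plain value is the signature worth alerting on, while the parameterized version never produces such a statement at all.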

  99. […] Jeremy Schoemaker: How Hackers Are Using Google To Pwn Your Site Save […]

  100. Cheap cellphones in our store, cool price etc., many articles – best price, Samsung, Nokia and Motorola

  101. Sorry to hear, I currently have someone messing with my things and in my opinion these people need a hobby! Be warned, we will find you like Shoe did! Turn the computer off and go outside once in a while 🙂

  102. This is a very serious article. Hacking has increased these days, can anyone suggest a good plugin to keep your WordPress safe???

  103. Give me the tutorial all about web vulnerable search tips please.!! Thanks..!! Gracias.!

    1. are you asking for something like :
      inurl:site.com +”keyword”

      paste it in google, and let the magic flow ha…ha.

  104. It’s a great article. Hacking has been increasing these days, can anyone suggest a good WP plugin to keep your WP blog safe???

  105. I also think hackers use Google Code Search… now webmasters must be very careful!

  106. Being hacked sucks so bad. I was hacked once and the guy deleted my site ;S It wasn’t a profit site but one of my first ones and it really sucked. Security is one of the most important things for websites.

  107. I Recently had some of my sites hacked, it wasn’t fun getting them all fixed

  108. Very nice posting about hacking. From this post, I learned how important the security of the website is and how the hacker used Google.

  109. I never like people who like to abuse others’ property. Seems like they don’t have any other jobs to do.
    About the SQL password, Shoe, I used the Login LockDown plugin to secure my WordPress admin page, do you think it is worth it?

  110. Automating backups doesn’t hurt either. (Daily, Weekly, Monthly.) Very simple to setup in WHM even for newbies.

  111. I know nothing about hacking, but from what was seen on the cover it’s totally for dummies. The question is why we should buy that kind of book. I don’t think hacking is a “user friendly” activity.

  112. That’s a pretty scary thing. I guess these hackers are trying to target those top websites, as recently davidairey’s site was hacked through Gmail.

  113. We’ve seen an increasing amount of hacker activity lately, especially from Korea.

    If you’re running a dedicated server or VPS with WHM then you should try CSF firewall (free from configserver.com) apart from the firewall functions it also provides login failure detection, and works in conjunction with mod_security to automatically ban anyone attempting XSS and SQL injection exploits.

  114. If you are not really careful with the scripts that you put on your servers, then most likely hackers can easily exploit your hardware. We cannot prevent Google from showing exploitable search results, but we can do something to prevent our servers from being exploited.

  115. Man, that really sucks that people try and hack sites. I wish you the best, and also, are there other ways to stop this from happening?

  116. (Cleaned a little URL cr@p out of your MySQL login codesearch.) I didn’t know any Google search used regex. Is there much use excluding local hosts? (I think there are a few other common local IP ranges, btw.)
    I recall doing a few Goo code searches out of curiosity (open source stuff).
    Anyway, Goo’s results now “obscure” some of the usernames and (it appears) all passwords. Or is that somehow inserted by Google Sitemap indexing?

  117. Hey Jeremy, I read your whole post and it was an interesting read even if it sounded like Chinese to me! One question though: am I safe if I use a Blogger hosted blog? Thanks!

  118. Thank YOU SHOE! Now I am scared…..but motivated. I was just talking to a buddy about such hacks the other day…I need to do a little house cleaning…

  119. It is very scary to read it. A careful person like you falling easy prey to hackers. Well, what was this guy trying to do by hacking your site anyway?
    The way he used to enter your site is amazing. A small mistake is responsible for all this trouble..

  120. Are you using the base build of php? Go to fcgi or suphp. 777 is not allowed under those builds period.
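    The comment above, and the post itself, turn on the same mistake: files in the web root that the web server (or anyone) can write to. As an added example, not code from the post or from a commenter, here is a small audit that walks a directory tree and reports every file or directory with the world-writable bit set, which is what a 777 mode means. The directory layout and file names it builds are constructed for the demonstration; point `find_world_writable` at a real document root to use it.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Walk `root` and return the relative paths of every file and directory
    whose 'other' write bit is set (mode 0o??2, 0o??6 or 0o??7, e.g. 777).
    Symlinks are skipped so a link pointing at /tmp is not a false hit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed tree: one file with a sane 644 mode, one forgotten script
    left at 777, and an uploads directory at 777. Only the last two are
    expected in the report."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "public_html")
    os.makedirs(os.path.join(docroot, "uploads"))
    for rel, mode in [("index.php", 0o644), ("old_upload.php", 0o777)]:
        path = os.path.join(docroot, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)   # chmod sets the exact mode regardless of umask
    os.chmod(os.path.join(docroot, "uploads"), 0o777)
    return find_world_writable(root)


if __name__ == "__main__":
    for hit in demo():
        print("world-writable:", hit)
```

    Running this on a schedule and diffing the output against the previous run catches the case the post describes, where a single old file in an unused subdirectory is the one that is writable.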

  121. These hackers are getting more and more cunning every day. Sorry to hear of your problems, we really need an internet police body that has global abilities to level the playing field. As it is no one is really secure; daily we hear of banks, even Twitter was attacked. Make sure all your software is up to date and stay under the radar… Good Luck

  122. I’m a big fan of Linux and I’m impressed by its inherently more secure nature than Windows.

  123. I’ve never heard of this before, and didn’t think of people that have nothing better to do than hacking a website. Anyway, it is good to know; I’ll be more careful in the future.

  124. Prevention is better than cure. It is always a good way to spread the bad ideas that are being followed. People will become alert and the chance of noticing this problem will be higher. Hats off to this post, my friend.

  125. Holy crap!! That is scary! I have not been hacked as of yet and would totally freak out if I did. This is a wake up call for me. Thanks for posting.

  126. It’s funny what you can actually find with Google.
    There are Google dorks for almost everything!
    Even eBay, Amazon, PayPal accounts and such.

  127. Let this be a lesson to all of you Windows cult members. Linux – The one word you can’t find beside the word hacked in google results. Go Linux!

  128. This is scary! I don’t have the knowledge about this stuff and I think I should spare time to learn this so I can protect my site. Thanks for sharing this information.

  129. Several months ago I found a system to protect WP blogs. It seemed very secure, but I have no way of knowing for sure since it was way beyond my abilities. But from what I read about it, the method seemed good.

    So why didn’t I follow through with it? Because it was time consuming and technical. So I continue to worry about my blogs being hacked. But if they do get hacked… I have nobody to blame but myself. It’s time for me to take some action.

  130. Well, last month my father’s blog was hacked, the hacker just added some unknown code to the blog. I realized it on the day and contacted my web host for help… Just to let you know, FileZilla FTP software saves your password in a .txt file, which lets hackers get your FTP passwords via a trojan from your computer!

  131. Thanks for this nice post, I wish we can be safe from these hackers and their work

  132. Now I understand why many article directories are hacked. It’s too scary, and I don’t see why anyone wants to hack a website without gaining anything. It’s not as if hacking into your website can make him $$$ richer.

  133. Can you suggest anti-hack software for my website? So I can buy it and roll it out to my website.

  134. Thanks for the warning and your tips on how to fix the hack. I’m sad it happened to you. Great blog here.. Geoff

  135. Great post. I wouldn’t know if my site was hacked or not if there was not visual evidence. I did receive an email that said it was from PayPal. It informed me that my PayPal account had been hacked. It then proceeded to ask for my bank and credit card information, as well as my PayPal password. Of course I called PayPal and was advised that it was a phishing scam…Be careful people.

  136. […] can cause. There are even sites like this one saying that a Turk caused them serious damage with this method (and these are the hacking things: #1, […]

  137. I for one love shoemoney and the information you guys provide. I want to see a response post to this topic.

  138. That’s some massive work by the hackers. Thanks for providing this useful post. All sites should have enough security options to escape from hackers.

  139. Thank you for this wonderful post. Actually, people generally don’t know much about hacking and are not aware of this. I think there is a need to make people aware of hacking through seminars, posters and also through social media.

  140. WOW! What a mess. Fixing a problem like this would be above my pay grade. Interesting read, but honestly, most of the tech stuff was over my head.

    Thanks for sharing though.

  141. Do you know if Google Webmaster Tools has corrected this Sitemaps issue yet? Hopefully they have by now. Good stuff Jeremy.

  142. Thanks for your posting, I am just a newbie in the internet business, I need to learn a lot from the gurus

    askdoctorvitamins

  143. This is an industry wide problem. I have had two of my WordPress blogs hacked in the last 12 months (both on the .org self hosted domains) and as I’m not very tech savvy, I had to start again as I just didn’t know what to do to get them back to normal.

    Whoever did it just placed a load of adult content and links in there and completely destroyed both of my sites.

  144. Sorry to hear that happened to you.. it’s an unfortunate story I’ve been hearing a lot lately

  145. Really, I appreciate the effort you made to share the knowledge. The topic I found here was really relevant to the topic I had been researching for a long time.

  146. I didn’t know those types of complex queries were possible in the Google system. I need to start backing up my WP sites.

  147. Part of the issue here is that many website developers are hobbyists or owner/managers who have no idea what their web design company’s policy is on support of code provided.

    Professional web design companies can use this opportunity to demonstrate the value they DO add for the extra cost involved and clients can then understand the value.

  148. I wouldn’t be surprised if this is how hackers were able to hack our government websites. The lack of security and proper protocol is just a pity.

  149. A friend of mine had her site hacked–twice. She’s an artist and knows nothing about anything technical. The site looked OK, but the hacker injected a lot of ugly links to porn sites. We think it was caused by a virus or something on her developer’s computer. Very ugly and messy to recover.

    Thanks for this information. I never dreamed you could just search for code in internal files. Off to check the site maps.

  150. I heard that by using Google hacks somebody can return some exceptionally useful information: full server configurations, database details, and also any number of SQL database dumps as well, scary. Anyway, thanks for the tips, I will pay more attention to sitemaps.

  151. Shoe!

    Well! Now I’m impressed… So you know freaking Unix and Marketing and how to deal with ~10 staff… Good on you for looking into the issue since some people seem to not even think that would be useful (strange idea).

    Btw, that’s why I’d recommend to most people to look for a company (like mine, ha! ha!) to take care of that part of the job instead of having to do it themselves… (I know, I know… if you’re a programmer, admin, etc. you love to do it yourself too!)

    I hope I’ll soon find a post here which does not amaze me in some way. 😎

  152. Very true. Not just about age. Experience, the ability to teach and get you to understand concepts, motivation; young people have great minds too.

  153. D’oh, this explains a lot of what’s been going on with my site. It looks alright on the page, but the search results are full of pharma spam. I think now I know how to get rid of the dirty code, thanks, Jeremy.

  154. I know I’m a little late in contributing my thoughts but this particular article made a lot of sense to me and I enjoyed it. It was an absorbing blog post. I have become a frequent reader of your blog since I found your blog a while back. I can’t say that I agree with everything you stated but it was emphatically engrossing ! I run a small establishment that arranges financing for businesses in the Houston market. You could say I specialize in Houston Commercial Financing and deal with folks that banks don’t lend to anymore. I’m trying to create American jobs so I hope you’ll allow me including my link in this post. I’m always seeking to promote our truly unique service and am the sort who still believes America keeps getting better and better in spite of our current difficulties. I’m not sure if my other post was successful so I’m attempting again. Thank you again for a fascinating blog post. I will return again soon.

  155. Is this possible on any server? I host on GoDaddy, I assume they have tactics against this? Or is this only if you’re running your own server?

  156. […] How Hackers Are Using Google To Pwn Your Site 26 Dec 2006. What many people dont know is that was actually the first of 2 times the box was hacked…. A lot of people responding here with the negative comments come from Digg and… inurl:site.com +”keyword”. paste it in google, and let the magic flow ha…ha… It's time for me to take some action. How Hackers Are Using Google To Pwn Your Site […]

  157. Hello, listen, can you be found? I was looking for one on Facebook but could not find one. I really want to become a fan!

  158. […] Money has an interesting post about how his server got hacked via an old file in an unused subdirectory. Naturally he […]

  159. Some of our sites have been hacked a few times. I never realised how easy it was, nor how little I know as a webmaster. EEK!

  160. Well, my server was hacked 2 weeks ago and I still cannot figure out how it happened or how to fix it. I’ve tried re-installing everything fresh twice now and the hacker is still able to take my sites down. It is very frustrating, but I’m a noob when it comes to this stuff. Guess, I’ll have to get someone to look at my box that knows what they’re doing ’cause it would seem that my host doesn’t know their ass from a hole in the ground.

  161. I never knew there was such a thing as “Google Code Search” – we have 4 forums and it’s obvious I must get myself more up to date on this stuff.

    Thanks for the post and the detailed info.

  162. Thank you for not being ashamed to tell about it. There is very useful advice from your hand. I think that every entrepreneur must constantly check their own computer and network for hacker-proofing.

  163. I do agree with all the ideas you have presented in your post. They’re very convincing and will definitely work. Still, the posts are very short for beginners. Could you please extend them a little from next time? Thanks for the post.

  164. Wow,, first time hearing of Google Code Search,,, nice post…. Now I see how my friend’s blog got hacked… Thanks for this article, it helped me secure my sites…

  165. Interesting post… This finally sheds some light on how a WordPress site can be hacked. I will install the mod_security pack myself, since my WP sites have been hacked a couple of times in the last months…

  166. This web site is actually fascinating. You bring up several great points concerning the post. This is my first time on this particular web site, so great job.

  167. This website is actually intriguing. You bring up several wonderful ideas about the content. It is my very first time here on this internet site, so high quality work.

  168. Hello
    finally I found what I was looking for

    How did you guys find this information?? Thank you for your post, I saw it on Google and I saved it. I’ll share. You have my email, guys, so can you please send me an email when you post some new blogs on your site!!!

    thank you and have a nice day

  169. I really like and appreciate your site. Nice theme.
    Thanks very much for publishing a topic such as this, and I’m waiting for your next update.

  170. That is surely a nice post, and also sorry to hear that you were hacked in the past!

  171. Thanks for sharing the information. One of my sites was hacked / attacked in the past. It takes a lot of work to get the site back to normal.

  172. I’m writing a very similar beginners guide covering how I SEO my own WordPress installation. I would imagine over time it will cover most, if not all, of the areas 642-427you have detailed.

  173. Recently the HK stock exchange site was hacked too.. several major companies are suspected to have traded as well.

  174. Wonderful goods from you, man. I have taken note of your stuff before and you’re simply extremely magnificent. I really like what you have obtained here, really like what you are saying and the way in which you assert it. You’re making it entertaining and you continue to care to keep it sensible. I can’t wait to read much more from you. This is actually a tremendous site.

  175. I have been examining a few of your stories and I can state it is pretty nice stuff. I will make sure to bookmark your site.

  176. Another use for Google is searching out files that are downloadable. Using the same method of searching code, you can find Amazon buckets, membership areas and all kinds of goodies. Gotta love the Big G!

  177. […] Money has an interesting post about how his server got hacked via an old file in an unused subdirectory. After a bit of digging, he discovered how the hacker […]

  178. Attractive section of content. I just stumbled upon your web site and, in accession capital, assert that I have in fact enjoyed reading your blog posts. Anyway, I will be subscribing to your feeds and I hope you achieve access consistently quickly.

  179. Existing without the presence of answers to the problems you’ve sorted out as a result of this post is a crucial case, as well as the kind which might have in a wrong way affected my career if I hadn’t noticed your blog.

  180. He was right! I got all the questions I had, answered. Didn’t even take long to find it. Love the fact that you made it so easy for people like me. More power

  181. Wow, it’s so simple and amazing design. I like all your efforts on this blog page, mind blowing excellent work.

  182. […] can cause. There are even sites like this one saying that a Turk caused them serious damage with this method (and these are the hacking things: #1, […]

  183. […] How Hackers Are Using Google To Pwn Your Site […]

  184. […] How Hackers Are Using Google To Pwn Your Site […]

  185. […] How Hackers Are Using Google To Pwn Your Site […]

  186. Excellent site you have here.. It’s difficult to find quality writing like yours these days. I seriously appreciate people like you! Take care!!

  187. Quite great information. I had been searching for it for so long.
    Major thanks for the post. Really cool.

  188. What a stuff of un-ambiguity and preserveness of precious know-how
    regarding unpredicted emotions.

  189. It’s really a nice and helpful piece of information. I am satisfied that you shared this useful information with us. Please keep us informed like this. Thanks for sharing.

  190. Hi there! This is my first visit to your blog!
    We are a group of volunteers and starting a new project in a
    community in the same niche. Your blog provided us useful information to work
    on. You have done a marvellous job!

  191. Excellent blog here! Also your web site loads up fast! What web host are you using?
    Can I get your affiliate link to your host? I wish
    my website loaded up as quickly as yours lol

  192. That is a really good tip particularly to those fresh to the blogosphere.
    Brief but very precise info… Appreciate your sharing this one.
    A must read article!

  193. Well this can be accomplished even without dieting. Green green coffee bean extract for weight loss is a
    good chance that you should be aware of the small health risks that
    may require them to make sacrifices in order to get
    quick weight loss. Even natural herbs such as bitter orange.
    Even if you take green tea as we green coffee bean extract for weight loss formally call it.
    Why do you think that you do will bring you almost complete and maximum benefits.

  194. The article features established helpful to us. It’s really informative and you’re naturally really experienced in this field. You get opened up my personal face for you to different thoughts about this matter with interesting and reliable articles.

  195. This post is really a good one it helps new net users,
    who are wishing in favor of blogging.

  196. Hello, I think that I saw you visited my site so I came to return the favor?
    I’m attempting to find things to enhance my website! I assume it’s adequate to use a few of your ideas!!

  197. It is really a nice and helpful piece of info. I am satisfied that
    you just shared this helpful info with us.

    Please keep us informed like this. Thanks
    for sharing.

Comments are closed.