Web Hosting Talk : Web Hosting Main Forums : Web Hosting : Hacking with Google

[dftchris]

Hi. I just read this document that was about different ways people hack using Google. After reading this document I really see how powerful Google is. It is actually kind of scary how powerful it is. I don't think I can use much of the tips in it since I am on a shared server, but I was wondering how many of you who run servers know of the different vulnerabilities that could be accessed with Google? Most of them seem like common sense things that people shouldn't have access to, but I searched for some of the examples it gives and was amazed by how many sites actually are vulnerable. I am not comfortable giving a link to the document here because I think it is geared more toward the actual hacker than to people trying to prevent hackers, I don't want to help any hackers out.

I just want to know how many people are aware of these hacking methods by using Google, and are they really a big threat or am I just being paranoid?

[cywkevin]

Technology is a blessing and a curse. We just have to learn to live and adjust to the problems it causes while still enjoying the many benefits it provides.

[mp3sattack]

would like to know more to what you refer

[dftchris]

Well, I'll try to give some examples without being too specific.

Basically the document explains Google's various advanced syntaxes and ways you can use them to get access to thing you really shouldn't have access to. These are all things that are just unsecured and are accessible anyway, it just helps you find them. It surprised me how many people had these types of things exposed with no type of security.

A few examples:

There is a certain syntax and query you can use to find exposed bash_history files, which, according to the article sometimes have encrypted unix passwords hashes in them and also tells you how to crack them.

Most of them are just ways to search for open indexes and certain files in them. There is also certain syntaxes to use to find vulnerable windows servers that have, for example, the system32 open to the public. I tried this syntax and the first result actually had that folder unsecured and also the cmd.exe unsecured.

I could send this document to a moderator and have them check it over to see if it is postable, or maybe takes some parts out of it. I really don't think it would be approved though because it is VERY specific about these hacking methods.

Edit: I tried clicking on the cmd.exe because I know that I couldn't really do any damage just clciking it in IE, it would just try to download it. Well I got a 403 error so maybe it's not as unsecure as I thought. It is still alarming to find that directory has index enabled though.

[Imago]

Google is a great exposer. After 5 years peaceful co-existence, I am more than sure that the first thing Google will index on my site are all my errors and omissions, not my new pages. And what is more interesting, Google is giving those erratic pages a higher PR, so they appear on the first results page.

[dftchris]

After trying some more examples I have found that that syntaxes given don't really work very well, they may be outdated. One synyax is for only searching in the url of the website, well it was returning the search term anywhere in the site. I went into advanced search and selected the search only in url option and it still found things in other parts of the site. It still does find the vulnerable files, but you have to go through more results.