Slashdot Mirror


Googling Your Way Into Hacking

knifee writes "New Scientist is running an article explaining how hackers can use Google's cache to quickly hunt down sensitive pages, for example, by searching the terms "bash history", "temporary" and "password". Might be worth looking at this tutorial about robots.txt if you think you might be at risk." That's pretty amusing.

23 of 431 comments

  1. This happens because of dumb admins, not google by mjmalone · · Score: 5, Insightful

    > For example, one common filename for passwords is "bash history".

    This guy is a security consultant? Come on, what admin in their right mind would enter a password in cleartext on the command line and allow it to be stored in ~/.bash_history? The first thing I do when I log onto a box is link bash_history to /dev/null, just out of habit. The security problem isn't google's fault, it is stupid admins who don't know what they are doing.

    1. Re:This happens because of dumb admins, not google by wfberg · · Score: 2, Insightful

      Quite a few, from what google just returned. '.bash_history "parent directory"'

      Actually a lot of those are 403 -- permission denied.

      Using alltheweb (which has a bigger index anyway) to search only URLs that contain the phrase .bash_history and that contain "su" in the contents turns up only 2 history files. With no passwords.

      --
      SCO employee? Check out the bounty
    2. Re:This happens because of dumb admins, not google by gooru · · Score: 5, Insightful

      It's not even just ~/.bash_history but ~/ itself! Who in the world would make that world-readable and published on the web?!?!? This isn't even the default for any configuration I've seen. (Does anyone else know differently?) It's one thing to spider ~/public_html or /var/www or whatever you have set up for your webserver...quite another to have ~/ published on the web. I can't believe this is a security problem for people, though I suppose it is a proven possibility.

    3. Re:This happens because of dumb admins, not google by Anonymous Coward · · Score: 1, Insightful

      So right after you do that you type unset HISTFILE

    4. Re:This happens because of dumb admins, not google by dspeyer · · Score: 2, Insightful
      Google wins again! It has six .bash_historys with su in them, though none show sensitive information and at least one was clearly posted intentionally as an example.

      It all comes down to knowing google (the inurl: tag, in this case)

    5. Re:This happens because of dumb admins, not google by Ascender · · Score: 3, Insightful

      One possibility is that some 'clever' admin has set the 'webmaster' user's home directory to /var/www (or whatever your docroot is) - Then, as well as easy access to the html files, the .bash_* files would be left there too
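An added example (not from any commenter in this thread): a Python check an admin can run against their own document root to find the situation the replies above describe, where a home directory's shell files end up under the web root. The artifact list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed list of files/directories a shell or client leaves in a home directory.
HOME_ARTIFACTS = {".bash_history", ".bash_profile", ".bashrc", ".mysql_history",
                  ".viminfo", ".netrc", ".ssh", ".gnupg"}

def find_home_artifacts(docroot):
    """Return sorted (relative_path, world_readable) for home-directory
    artifacts found anywhere under a web document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            if name not in HOME_ARTIFACTS:
                continue
            full = os.path.join(dirpath, name)
            # A history file symlinked to /dev/null records nothing; skip it.
            if os.path.islink(full) and os.path.realpath(full) == os.devnull:
                continue
            world = bool(os.lstat(full).st_mode & stat.S_IROTH)
            findings.append((os.path.relpath(full, docroot), world))
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample: a docroot that doubles as a user's home directory."""
    layout = {"index.html": 0o644, ".bash_history": 0o644,
              "old/.mysql_history": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.symlink(os.devnull, os.path.join(root, "old", ".viminfo"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for rel, world in find_home_artifacts(root):
            print(("WORLD-READABLE " if world else "present        ") + rel)
```

Any hit means the file sits where the web server can serve it; the world-readable flag only tells you whether file permissions would also let it.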

  2. It's a little harder... by Tweakmeister · · Score: 3, Insightful

    A quick search for "Password" doesn't yield any "promising" hacking results. It's too common a word.

    --

    Colossians 2:8

    1. Re:It's a little harder... by Elminst · · Score: 4, Insightful

      But the third link down gives us this-
      http://216.239.57.104/search?q=cache:p5ouM3 2marEJ: www.necmitsubishi.com/markets-solutions/government /necfiles/Chicago911.doc+%22do+not+distribute%22+p assword&hl=en&ie=UTF-8

      Which at the bottom of the document has-

      Editors Note:
      Product photography is available at http://www.liska.com/necmit.
      Username: necmit
      Password: monitors


      Which seems to prove the point of the search...

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  3. Well, duh! by panda · · Score: 3, Insightful

    If something is meant to be private, then why even temporarily put links to it on your publicly visible pages? Additionally, if something really is private, then lock it down in the httpd.conf so that only certain IP addresses can access it. Then, it's basically invisible to the rest of the world.

    Of course, if there's a bug in your server software all bets are off. Which is why it's better not to put private stuff where it can be seen on a public network.

    I would have thought that was pretty obvious.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  4. .bash_history is NOT a security feature! by multipartmixed · · Score: 2, Insightful

    > allows for an admin to see if anyone has compromised security, no?

    Only if the compromisers are morons, and have done it "recently".

    A non moron would type "HISTFILE=" before exiting a shell he'd been "playing" in.

    --

    Do daemons dream of electric sleep()?
  5. Scuse me? by arth1 · · Score: 5, Insightful

    Shouldn't that be bash_history, passwd and tmp?
    Was this written down by a non-techie from an audio interview?

    Regards,
    --
    *Art

  6. robots.txt folly by arth1 · · Score: 2, Insightful

    It might be worth it NOT to look at robots.txt -- after all, with robots.txt you effectively disclose to anyone who asks what you don't want to be shown.

    A robots.txt like this would be invaluable to a hacker, even though it would prevent Google from indexing:

    User-agent: *
    Disallow: /secret/passwd

    Regards,
    --
    *Art

  7. Wrong use of robots.txt by vadim_t · · Score: 5, Insightful

    It's supposed to be used to tell bots not to access some parts of your site due to other reasons.

    Common reasons would be that you host a site with a forum on a DSL line and don't want google to index all 5000 threads on it. It's also good for dynamic pages, for example it makes no sense to index a generated page that will be out of date tomorrow. It'll be much better to let it index the archive instead.

    Using this for security is just stupid though, as it'd contain a list of vulnerable places. Maybe it will make it harder for people to find your vulnerabilities from google, but it will help a lot whoever wants to attack you specifically.

    Security problems have to be fixed by setting proper permissions and keeping your server up to date, and not by relying on that every spider that comes to your site will be polite enough to follow robots.txt
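An added example, not part of the comments above: a Python self-audit that lists every Disallow entry in a site's own robots.txt and classifies what an unauthenticated request for it returns, which is the distinction the two comments above draw between crawl control and access control. The robots.txt text, the status table and the function names are constructed; in practice `status_of` would wrap requests made to your own server.

```python
# Constructed sample; /secret/passwd is the path from the comment above.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /secret/passwd
Disallow: /forum/   # crawl control: 5000 threads on a DSL line
Disallow: /admin/
Disallow:
"""
# Constructed: status an unauthenticated GET returns for each path.
SAMPLE_STATUS = {"/secret/passwd": 200, "/forum/": 200, "/admin/": 403}

def disallowed_paths(robots_txt):
    """Extract non-empty Disallow values from robots.txt, for any User-agent."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def classify(status):
    """Turn an HTTP status into what it means for a path listed in robots.txt."""
    if status in (401, 403):
        return "access-controlled"   # the server, not robots.txt, protects it
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        return "public"              # fine for crawl control, not for secrets
    return "review"

def audit(robots_txt, status_of):
    """Map each Disallow path to its classification.
    status_of: callable path -> HTTP status (assumed supplied by the caller)."""
    return {p: classify(status_of(p)) for p in disallowed_paths(robots_txt)}

if __name__ == "__main__":
    report = audit(SAMPLE_ROBOTS, lambda p: SAMPLE_STATUS.get(p, 404))
    for path, verdict in report.items():
        print(f"{verdict:18} {path}")
```

A "public" verdict is expected for entries like the forum; it is a finding only when the path was listed because its contents are meant to be private.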

  8. Re:robots.txt? by liquidsin · · Score: 2, Insightful

    not all robots download robots.txt. In fact, I'd assume most of the more annoying ones don't, nor do they identify as anything other than MSIE 5.5.

    --
    do not read this line twice.
  9. Re:problem with robots.txt tutorial by PetoskeyGuy · · Score: 4, Insightful

    I hope you at least have an .htaccess on the files to put a password on that directory. Hard-to-guess names is good, but making them password protected is better.

    Of course on some of the cheaper web hosting companies out there you can just search the /home/*/web folders. They have to be public so the web server can read them. Stupid I know, but all too common. Config.php for most apps will have all the users' passwords in plaintext.

    The HTTPD user should be a member of each user's group so you don't have to set world rights to your files. Assuming it's just hosting and no other rights are required.

  10. publishing analogy by muppet · · Score: 3, Insightful
    as an author of a web page or even a log file, you have the right to publish and de-publish it. just because it's on the net does not give google the right to cache it indefinitely.
    by the publishing analogy, doesn't this mean that libraries don't have the right to lend books that are no longer in print? in that respect i see google's cache as a library's copy of a book; they let you look at it, and you can see when it was published. they don't claim it's the most up-to-date, and at any time you can go to the source and see for yourself (e.g. go to a bookstore and buy a new copy).
  11. Re:wrong wrong wrong. by nolife · · Score: 2, Insightful

    If you want to control the distribution of your work, don't publish it for free in a public place. That is your choice.
    Your reference to usenet is laughable but common. Who should determine how long your posts should stay on a news server? Why does it have to stay on a news server? What if I save all messages I read for ever? What if one news server has a 3 year retention but another only has 3 hours? If you don't want your comments to become publicly available then don't post them publicly. It is really that easy. You don't have to use x-no-archive, but you don't have to post either.

    --
    Bad boys rape our young girls but Violet gives willingly.
  12. Re:robots.txt by innate · · Score: 2, Insightful

    Actually, that's pretty good, since the Standard for Robot Exclusion was proposed in 1994. I'd say IBM "understood" it several years before most people did.

    --
    No, I don't want to explore the Recycle Bin.
  13. Re:problem with robots.txt tutorial by Anonymous Coward · · Score: 2, Insightful
    > The HTTPD user should be a member of each user's group so you don't have to set world rights to your files. Assuming it's just hosting and no other rights are required.
    This approach isn't much better. Usually, each user's php scripts run with the permissions of the HTTPD user. Thus, any maliciously minded user who wants to access someone else's private data can just use php scripts. A bit awkward, but certainly not impossible.
  14. Re:robots.txt? by rossz · · Score: 3, Insightful

    And that's why I have a disallow for a trap directory. Accessing it gets you added to a mysql database and you are blocked with iptables.

    --
    -- Will program for bandwidth
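The log-reading half of the trap-directory idea in the comment above, as an added Python example that is not rossz's code: it reads Common Log Format lines and returns each client that requested the trap path, with a flag for whether that client had fetched robots.txt first. The trap path, the function name and the log lines (documentation-range addresses) are constructed, and the database and iptables steps are left out.

```python
import re
from ipaddress import ip_address

TRAP_PREFIX = "/trap/"   # hypothetical path listed under Disallow in robots.txt

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2003:13:55:36 -0700] "GET /robots.txt HTTP/1.0" 200 68',
    '192.0.2.10 - - [10/Oct/2003:13:55:40 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [10/Oct/2003:14:01:02 -0700] "GET /robots.txt HTTP/1.0" 200 68',
    '198.51.100.7 - - [10/Oct/2003:14:01:03 -0700] "GET /trap/ HTTP/1.0" 200 12',
    '203.0.113.5 - - [10/Oct/2003:14:07:19 -0700] "GET /trap/index.html?x=1 HTTP/1.0" 200 12',
    'garbage line',
]

def trap_hits(log_lines, trap_prefix=TRAP_PREFIX):
    """Map each client that requested the trap path to True if it had fetched
    /robots.txt earlier in the log (read the rule and ignored it), else False."""
    read_robots, offenders = set(), {}
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                       # skip malformed lines
        host, _method, path, _status = m.groups()
        try:
            ip_address(host)               # only act on literal IP addresses
        except ValueError:
            continue
        path = path.split("?", 1)[0]       # ignore the query string
        if path == "/robots.txt":
            read_robots.add(host)
        elif path.startswith(trap_prefix) and host not in offenders:
            offenders[host] = host in read_robots
    return offenders

if __name__ == "__main__":
    for ip, saw_rule in trap_hits(SAMPLE_LOG).items():
        print(ip, "ignored robots.txt" if saw_rule else "never fetched robots.txt")
```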
  15. Re:wrong wrong wrong. by Anonymous Coward · · Score: 1, Insightful

    How long have you been using the Internet, dude? If you put it out there, you should have the reasonable expectation that it's going to stay out there. You can't "unsay" things, even if you change your mind and start to say the opposite. For your own sake, learn this now.

  16. Re:RIAA Logic: by r_j_prahad · · Score: 1, Insightful

    And long before Google, there was Melvil Dewey. So how come this country didn't jail his treasonous copyrighted cataloguing ass back in 1876?

    http://www.oclc.org/dewey/

  17. Re:Google Warez Machine by geekoid · · Score: 2, Insightful

    it is not Google's responsibility to monitor what other people on the net are doing.

    Besides, that sword has 2 sides, if someone intending malice uses google then a law enforcement agency can also use it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect