Slashdot Mirror
Googling Your Way Into Hacking
knifee writes "New scientist is running an article explaining how hackers can use Google's cache to quickly hunt down sensitive pages, for example, by searching the terms "bash history", "temporary" and "password".
Might be worth looking at this tutorial about robots.txt if you think you might be at risk." That's pretty amusing.
For example, one common filename for passwords is "bash history".
/dev/null, just out of habit. The security problem isn't google's fault, it is stupid admin's who don't know what they are doing.
This guy is a security consultant? Come on, what admin in their right mind would enter a password in cleartext on the command line and allow it to be stored in ~/.bash_history? The first thing I do when I log onto a box is link bash_history to
Visualize the world of wine
search for webserver=IIS, proceed to hack
rock on hax0rs.
this is not the first post. continue reading.
g00gl1ng your way into hacking?
google
i DO not Fail It!!!!
GNAA Rulzzz!
Google can be used to illegaly hack into computers (possibly stealing copyrighted information). Google must be shut down and all of its users owe us lots of money.
if(!cool) exit(-1);
A quick search for "Password" doesn't yield any "promising" hacking results. It's too common a word.
Colossians 2:8
Damn script kiddies.
I prefer using google to search for 'valid credit card numbers' or 'long distance phone codes'.
I FART in your general direction!
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.
Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?
If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!
Why not? It's quick and easy - only 3 simple steps!
First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it.
Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website
Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!
If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.isprime.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.
If you have mod points and would like to support GNAA, please moderate this post up.
This post brought to you by Penisbird , a proud member of the GNAA
G_____________________________________naann_______ ________G
N_____________________________nnnaa__nanaaa_______ ________A
A____________________aanana__nannaa_nna_an________ ________Y
A_____________annna_nnnnnan_aan_aa__na__aa________ ________*
G____________nnaana_nnn__nn_aa__nn__na_anaann_MERI CA______N
N___________ana__nn_an___an_aa_anaaannnanaa_______ ________I
A___________aa__ana_nn___nn_nnnnaa___ana__________ ________G
A__________nna__an__na___nn__nnn___SSOCIATION_of__ ________G
G__________ana_naa__an___nnn______________________ ________E
N__________ananan___nn___aan_IGGER________________ ________R
A__________nnna____naa____________________________ ________S
A________nnaa_____anan____________________________ ________*
G________anaannana________________________________ ________A
N________ananaannn_AY_____________________________ ________S
A________ana____nn_________IRC-EFNET-#GNAA________ ________S
A_______nn_____na_________________________________ ________O
*_______aaaan_____________________________________ ________C
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aliquam mollis, libero non facilisis vehicula, quam sem fermentum urna, at porttitor neque odio nec purus. Morbi felis. Mauris arcu turpis, dignissim sed, tristique sit amet, euismod ac, tellus. Pellentesque sit amet nulla. Vestibulum volutpat. Fusce viverra mattis orci. Phasellus sed ante. Vivamus nu
This is particularly useful for this type of thing since it isn't always obvious what the criteria are for what you want to search for - with WhittleBit you don't need to know, it figures it out for itself.
Will this throw off the index, with such an guaranteed increase in "bash history" queries?
of course i have section on my site for bash scripts... and it has an index page. looks like someone got dissappointed.
2 1337 4 u!
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.
Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?
If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!
Why not? It's quick and easy - only 3 simple steps!
First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it.
Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website
Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!
If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.isprime.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.
If you have mod points and would like to support GNAA, please moderate this post up.
This post brought to you by Penisbird , a proud member of the GNAA
G_____________________________________naann_______ ________G
N_____________________________nnnaa__nanaaa_______ ________A
A____________________aanana__nannaa_nna_an________ ________Y
A_____________annna_nnnnnan_aan_aa__na__aa________ ________*
G____________nnaana_nnn__nn_aa__nn__na_anaann_MERI CA______N
N___________ana__nn_an___an_aa_anaaannnanaa_______ ________I
A___________aa__ana_nn___nn_nnnnaa___ana__________ ________G
A__________nna__an__na___nn__nnn___SSOCIATION_of__ ________G
G__________ana_naa__an___nnn______________________ ________E
N__________ananan___nn___aan_IGGER________________ ________R
A__________nnna____naa____________________________ ________S
A________nnaa_____anan____________________________ ________*
G________anaannana________________________________ ________A
N________ananaannn_AY_____________________________ ________S
A________ana____nn_________IRC-EFNET-#GNAA________ ________S
A_______nn_____na_________________________________ ________O
*_______aaaan_____________________________________ ________C
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aliquam mollis, libero non facilisis vehicula, quam sem fermentum urna, at porttitor neque odio nec purus. Morbi felis. Mauris arcu turpis, dignissim sed, tristique sit amet, euismod ac, tellus. Pellentesque sit amet nulla. Vestibulum volutpat. Fusce viverra mattis orci. Phasellus sed ante. Vivamus nu
A full grown stallion's cock, when fully erect, will measure some two to
three feet long. It can be three to six inches thick at the base, to about
two inches thick at the head. Horses are somewhat different from other
animals in the way their cock head works. When a horse is fully erect and
excited and ready to mount, his cock head is somewhat pointed and not as
thick as might be normally observed. This is to facillatate an easier
entry into the mare. After the horse has entered and reaches a climax the
head swells (though it is more spongy then hard) into a fist sized mass as
he ejacultates. It is thought that this serves as a plug to force the
semen deep into the mare rather then allowing it to leak out. A full grown
stallion can ejaculate about one cup ( 8 ounces ) of semen. It will take
quite a few spurts to accomplish this. Each time his tail will raise and
lower in a brief flick. The first few jets are of a thin to average
consistency of cum. The final few jets are of a thick gelatinous
substance... it is thought that this serves to "seal" the mares pussy so
that the semen has time to do it's thing before leaking out. Horse semen
is extremely viscous, if you touch your finger to a pool of it you can draw
a thin string of it five to six feet long! Horse cum has a nice flat taste
to it...not at all bitter like man's cum. You can easily drink cups of it
with no discomfort.
The Mare - how to do it.
Mares can be quite satisfactory for the average well endowed male. If you
are somewhat less developed you might find better pleasure with a pony or
Miniature Horse. These are also better as they are lower to the ground. A
pony you can fuck standing up. A miniature horse on your knees or
squatting depending on the size. A mare will require something to stand on
or "platform shoes"...(IE mini stilts to raise you a foot off the ground)
so that you can reach her pussy.
Fucking any horse will depend on the horse. Some will be ready right
away...some will take coaxing. Pet the animal, talk to it softly, spend
time with it gaining it's trust. If something you are doing upsets it then
don't force it. Talk to it and calm it. If you work slowly you can make
an animal accept anything. It is just a question of helping it overcome
it's fears. All animals fear man if raised in the wild. How any animal
reacts will depend on it's own experiences. If you haved raised the animal
yourself in a loving enviroment, then you should have no problem
associating with it, if it is a strange animal that you have met in the
wild then you will have to go through an extended "courtship" to learn how
to respond to the beast.
MARES - TRAINING YOUR OWN
When the filly reaches weaning age, seperate her from her dam. If you have
limited time to spend then she should be put to pasture. If you have
plenty of time then you should keep her in a stall. Spend time with her
during the day petting and grooming her and allow her some time to run
free. Limit her access to other horses though and see that she spends at
least 8-12 hours a day in the stall. (Start with more free time and as she
approaches her first birthday confine her more...she is now at the right
age and her confinement will have made her so bored that she is amenable to
any new experience so long as it is not unpleasant)Young fillys have no
objection to someone playing with their pussy's. I have walked up on a pen
full of strange fillys at night and they came right up to me and I petted
them and felt up their pussys and they just lifted their tales and seemed
to enjoy it. These fillys didn't even know me but they were young,
inexperienced and bored...also since they were penned they were used to the
presence of people and did not fear me. Most horses in a large pasture
will run when they scent a strange human in their pasture at night.
If you sit on the ground and wait patiently, they will get downwind of you
and s
They should mention that disallowing a URI in robots.txt tells crackers which URIs on your site have sensitive information. What I do is create a top-level /unpub/ URI, and everything sensitive goes underneath it with hard-to-guess names. In robots.txt I disallow /unpub only.
You're kidding right? Putting stuff in robots.txt is the best way to *guarantee* that robots will go specifically for the file/directories you choose to deny.
Don't be naive about robots.txt... expect to have to do some relatively fancy hacking to actually enforce it.
(Please browse at -1 to read this comment.)
Sometimes its fun to look for WSFTP.LOG files and see what people have been uploading to website. You might find a file or two that's not linked from the other pages.
Of course, it's not as fun as looking through the open "images" directories on angelfire pages. You always find stuff that's not linked from the main page.
use Google's cache to quickly hunt down sesitive pages,
Try hacking a dictionary.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
More information about this sort of thing can be found here.
Robots.txt only makes well-behaved search engines not index certain portions of your site. You're still going to be vulnerable until you take the sensitive pages off-line completely. But even then, if a passwords list has been indexed by Google, updating your robots.txt file won't remove it from Google's cache until Google spiders your site again. At which time, Google will discover the passwords list doesn't exist and remove it from the cache.
At least that's how it should work. Is anyone aware of Google requesting robots.txt more often than they spider pages? And then proactively removing pages from their cache based on new robots.txt entries?
While the article deals with Google specifically, lots of non-well-behaved spiders go through common locations looking for password files regardless of what you've blocked out with robots.txt. The only way to completely protect your data is to remove it from your site.
my blog
Stuff like this was reported 2 years ago.
It's always great to see US security science catching up with the status quo.
Having a robots.txt is a good idea but it always amuses me when web sites use robots.txt to list all the areas of their site that they don't what people to look at. When robots.txt contains entries like "Disallow: /admin.asp" or "Disallow: /backdoor.asp" it stops being a way of controlling search engines and becomes a site map of all the places hackers might be interested in.
She also has crabs, Taco. Better go back to rimming Cowboi Kneel's blimp-like anus.
Yeah, like I always store my bash history in below my DocumentRoot directory.
Anybody that does this is Running with Scissors.
"Provided by the management for your protection."
...as if anyone on Slashdot uses Google...sheesh.
And google are aware of this, why else would they create this Hacker Version?
- PS. This is what part of the alphabet would look like if Q and R where eliminated.
http://www.mit.edu/afs/net.mit.edu/user/foley/Root /bash_history
I'd post the contents but it is "too few characters per line".
It is always a good iea to kep the robots out of anywhere there is sensitive information. i several methods for added security. robot.txt is a good way, but i also the deflecction technique in apache's mod_rewrite to keep the crawlers out.
Consensus is good, but informed dictatorship is better
YOU FAIL IT!
CLIT > GNAA
She also has crabs, Taco. Better go back to rimming Cowboi Kneel's blimp-like anus. .
This has been around for quite a while..searching for sensitive pages like /etc/passwd used to turn up a lot of very intresting results..but thanks to pagerank (you bastards!) google isn't *as much as* a script kitty tool as it could be..
you'd be surprised how much is in the clear.
PS: I say "kitty" instead of "kiddie" because even my cat could script, if I had one..(hope that made sense..)
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
Search for certain phrases and RIAA - FBI will be after you, along with the Department of Homeland Secuirty.
Heyo!
Firstly, introductions all round. My name is [removed to protect dolphinlovers], musician, pre-vet student and Delphinic Zoophile. People are often wondering just what the hell zoophilia is. Zoophilia is best described as a love of animals so intimate that the person (and the animal) involved have no objections to expressing their affection for each other in the sexual fashion. This is not to be confused with bestiality, where a person forcefully mates an animal, without their consent, and with no mutual feelings whatsoever. This is something that I would never do to a dolphin, since I love them dearly, and treat them with the same respect that an honest husband would have for his wife and children.
Dolphins are very intelligent, highly emotional and expressive creatures. They enjoy the company of humans, and if a relationship develops between a human and a dolphin, as has happened with me, they will, on occasion, wish to express their trust and affection for you in the most direct way; through mating, or sex-play. You see, dolphins do not use sex purely for procreative reasons. They use it as a way of strengthening the bonds between pod mates (mothers and calves included), and also for fun. Dolphins and humans share this common trait with very few other animals, so sometimes it makes me wonder when people continue to ask me "How DO you mate with a dolphin?". Easy. Let the dolphin tell you!
Well, here is a selection of questions people have asked me, so I hope this sheds some light on the subject...
Q1) How do I tell a male dolphin from a female one?
A1) Probably the most common question I get asked. There are 2 ways of determining the sex of a dolphin. The most obvious way is to take a peek under the peduncle (the long part of the body connected to the tail flukes). On the dolphin's belly, directly opposite the dorsal fin, will be the umbilicus, or the navel of the dolphin. Looking further down towards the tail, you start to see the differences.
Male dolphins have two separate slits for the penis (the urogenital opening) and the anus. These are separated by a bridge of skin. The male's urogenital opening is generally located further up the belly, towards the navel.
Females, on the other fin, have one continuous larger slit, the anus located at the end of it. On either side of the genital slit, you will find two smaller slits; these are the mammary slits, where the nipples of the dolphin are kept for feeding the calves. The slit is also located closer to the tail stock of the dolphin.
The other way to determine the sex of a dolphin, if you can't reach their belly, is to look at their mellon, or head. The males tend to have a fatter, rounder mellon, while the females are more sleek and streamlined.
Q2) How do I know if a dolphin wants to have sex?
A2) There are various ways a dolphin has of showing that she or he is interested in sex.
Males are probably the easiest to detect. They will swim around, sporting an erection (anywhere between 10 to 14 inches long for a Bottle-nose), and will have no bones about swimming up to you and placing their member within reach of your hand. If you are in the water, they may rub it along any part of your body, or wrap it around your wrist or ankle. (Dolphin males have a prehensile penis. They can wrap it around objects, and carry them as such.) Their belly will also be pinkish in colour, which also denotes sexual excitement.
Females can be a little harder. The most obvious way a female dolphin has of displaying her sexual interest is the pink-belly effect. Their genitals become very pink and swollen, making the genital region very prominent. They may be restless, or they may be acting as normal. If you are out of the water, they may swim up to you and roll belly up, exposing themselves to you, coupled with pelvic thrusts. If you are in the water, they may press their genitals up against yours, nibble your fingers, nuzzle your crotch, or do pelvic thrusts against you.
Each dolphins
A friend of mine actually used this to steal ICQ numbers. He wrote a perl script wich googles from "00000001.idx 00000001.dat" to "99999999.idx 99999999.dat" and spits out the result links to a textfile if it gets a full match.
;)
The ICQ password is stored in one of those two datafiles and there are dozend of free decrypt programms for that out there.
But if you think about it... how or why does someone put his ICQ directory on a webserver?!
On the other hand... some people are hosting pr0n sites and dont even know about it
--
One by one the penguins steal my sanity...
I find it kind of depressing that even in Slashdot abstracts the word hacker isn't translated into the more correct "cracker".
In this case, you could argue that using Google's cache to track down information for the purposes of cracking is very clever and is therefore deserving of being called a "hack", making the cracker a hacker.
The US Army: promoting democracy through unquestioned obedience
So if I forgot my password, google can just tell me what it is? Can it tell me my credit card number too?
- mpg
- mov
- mp3
- secret - doesn't have to be file extensions...
- "My Documents" - yeah, that's secure...
- etc
Anyway, as you can see, it's pretty effective. Sometimes admins wise up, and all you have is the Google cache. But sometimes they don't, and you get to look. Thanks Google!A programmer is a machine for converting coffee into code.
/etc/group AE1/2AaUnB(C)cfEA[ fBOENgS:OC"VF" AB
i n:*:1:1:bin:/bin:m :*:3:4:adm:/var/adm: s hutdown:/sbin:/sbin/shutdowni n:/sbin/halt
"OC"-1/4:pX[h:UID:GID:-{-1/4:z
root:uKonr4RoNwQWs8:0:0:root:/root:/bin/bash
b
daemon:*:2:2:daemon:/sbin:
ad
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:
halt:*:7:0:halt:/sb
Searching for post it notes in the sys admins room
Annoying slashdot trolls
Use linux
And ask them what their mothers maiden name is.
If something is meant to be private, then why even temporarily put links to it on your publicly visible pages? Additionally, if something really is private, then lock it down in the httpd.conf so that only certain IP addresses can access it. Then, its basically invisible to the rest of the world.
Of course, if there's a bug in your server software all bets are off. Which is why it's better not to put private stuff where it can be seen on a public network.
I would have thought that was pretty obvious.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
http://216.239.53.104/search?q=cache:ZXr9CV9oYcsJ: www2.connectnet.com/users/jon/.bash_history+allinu rl:+.bash_history&hl=en&ie=UTF-8
A prime example of this has been demonstrated to us previously...
Sola Scriptura * Sola Gratia * Sola Fide * Solus Christus * Soli Deo Gloria
STOP CHEATING THE SYSTEM SO YOU CAN AVOID METAMOD.
Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING
Try using WhittleBit - it is good in that type of situation when Google just refuses to give you what you want.
How come there's now News link in the google h4x0r page? not allowed to read the news?
"Time is long and life is short, so begin to live while you still can." -EV
http://slashdot.org/robots.txt
lol
description size modified parent directory index last modified images [extra]
/. users image directory...
will yield open image directories. For extra you can try party, drunk, a female body part, linux, "lan party" etc...
You can tailor the search for some interesting finds.
In fact, I even found a current
I don't think so.
I went through all 6 pages of results and found nothing. Ditto for searches on any of the terms individually. I imagine that searches on individual sites might be what the author is actually talking about, but have no independant means of verifying this. This FUD detected by Entropy248. Wow. I just RTFA and tried it at home...
Webmaster Wanted - Entropic Reactions
This article gives me great ideas for a website:
/dev/tty blog - Everything I typed today /dev/stdout blog - Everything I saw today
* bash.history blog - Everything I ran today
*
*
COMING SOON: Welcome to My Bank Account Details, Favourite Passwords I Enjoy Using
What is google?
I tried searching for "CmdrTaco" and "password", and I discovered that his password for slashdot is "ImGay". Dont tell anyone.
> allows for an admin to see if anyone has compromised security, no?
Only if the compromisors are morons, and have done it "recently".
A non moron would type "HISTFILE=" before exiting a shell he'd been "playing" in.
Do daemons dream of electric sleep()?
We have a situation here, folks. Something must be done!
Well, what do you expect from "new scientist"?
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
She also has crabs, Taco. Better go back to rimming Cowboi Kneel's blimp-like anus.
. .
Shouldn't that be bash_history, passwd and tmp?
Was this written down by a non-techie from an audio interview?
Regards,
--
*Art
I have several methods for password in the other pages. Of course, its content. Now Im really sensitive about it from their cache until Google requesting robots.txt more often than they are dozens of all the deflecction technique in ~/.bash_history? The first thing I disallow /unpub only. That contains su in the
a number of google searches. The only 2 history in apaches
mod_rewrite to my site map of
those two thats how much is a perl script kitty tool as it is a deflecction
technique. The next thing I would imagine is that it should
work. Is anyone aware of my site? Of course I have a box that is a
mistake and wiped it. Everyone must aware of those are who are Unix
stupid, so they dont even know what my cat could script, if I say
kitty instead of kiddie because even then, it's a webserver!
Starting a new career, thinking about changing one? Planning to switch jobs? It's very important that the next choice you make is the right one.
.NET lead from designer to architect level and may run in parallel to your existing skills.
.NET is to understand one's interests and abilities. This insight helps starters and professionals alike to evaluate the wealth of career choices and identify those that match their aptitudes and interests.
.NET Framework fundamentals with a .NET based language that's best for you. Developers with a background in enterprise application development are encouraged to take up C# or upgrade to the .net version of their language* while starters will find visual basic .NET quiet straightforward.
.NET, Web Forms, server controls, DHTML, XML, XSLT,
.NET Passport)
Career paths in
The first step in choosing a career in software development with
Begin with assessing your experience with at least one of these environments.
Rapid Application Development like Microsoft Visual Basic(R), MS Office, MS Access, Sybase PowerBuilder and Delphi.
Web Application Development using ASP, JSP, ColdFusion, FrontPage, DreamWeaver Perl, Delphi, IBM, WebSphere.
Enterprise Application Development with Microsoft Foundation Classes, Enterprise JavaBeans, UNIX C/C++ platforms, distributed computing environments, customer information and control systems.
Systems Development spanning Services and drivers, appliances/embedded systems, UNIX daemons, real-time systems.
Other Language and Script Development APL, Lisp, JScript(R), COBOL, Perl, Scheme/Tcl, Eiffel, other third party language.
Step two involves learning the
The third and final step is choosing the most relevant development scenario and tuning down to the most appropriate job role in its hierarchy below.
The development scenarios broadly divide into four parts, smart client applications, XML web services and server components, data services and solutions design and development.
Smart Clients
Web
Web Interface Developer
Designs and implements user interfaces for Web applications (HTML, CSS, Microsoft FrontPage(R), Microsoft Office, Web forms designer)
Web Application Developer
Develops online applications that communicate with remote components and XML Web services (ASP
Web services, XPath)
Mobile Devices
Mobile Application Developer
Develops applications for mobile platforms that may also communicate with remote components and XML Web services (.NET Compact Framework, Smart Device Extensions, Web services, Microsoft Mobile Information Server, Microsoft SQL Server for Windows CE)
Windows
Windows Application Developer
Develops applications for Windows desktop platforms that may also communicate with remote components and XML Web services (Windows Forms, GDI+, printing, COM/COM+ interoperability, Visual FoxPro(R), ActiveX(R), interoperability, Web services)
Windows Collaboration Developer
Develops workflow and productivity applications, as well as Web parts and services, for the Windows desktop (Microsoft Exchange Server CDO and Web Store, Microsoft FrontPage extensions, Microsoft Visual Studio for Applications)
XML Web Services and Server Components
Business Component Developer
Develops scaleable and secure server components and XML Web services with transaction and messaging capabilities (Security, Serviced components, asynchronous and offline services, interoperability, transactions, pooling, XML,
Portal Component Developer
Develops server components that provide Web parts, Web services, and collaborative workflow capabilities to smart clients and other server components (Web parts, digital dashboards, OWC, Microsoft Exchange Server, Microsoft SharePoint(TM) Portal server, Team Services, Microsof
Somebody please submit a story about Linux video editing software! THIS IS SOMETHING RADICAL AND EARTH SHAKIN'! Superior _professional_ video editing software made by some uberintelligent individual for Linux and it is open source! A truly unbelievable piece of software!
Here's description from the website:
---
Movie studio in a box.
Heroine Virtual Ltd. presents an advanced compositing and editing system for native Linux at no cost to users.
Native Linux: that means no emulation of proprietary operating systems and no additional commercial software required. When you run a native Linux program, it's like you wrote the software yourself and are completely untied from corporate interests.
Of course, Linux isn't the first word that comes to mind when you think of content creation. Neither would you dare say Linux and general purpose computing in the same sentence, unless you were insane. That was before Cinelerra was invented.
For guys like you - Linux gurus who also like general purpose computing - there's eliteness in doing the unusual. You want to create your own niche. You want to try things no-one else will.
Cinelerra is not for consumer use. If ease of use, simplicity, and convenience are your thing, you should use Virtualdub, Kino, MJPEG tools or MainActor instead.
If you want to make movies, you want the compositing and editing that the big boys use, you want the efficiency of an embedded UNIX operating system combined with the power of a general purpose PC, or you just want to defy the establishment, the time has come to download Cinelerra.
Along the way, we discovered video processing takes too long to do on a single computer so we put renderfarm support into Cinelerra. The biggest difference between this renderfarm and normal renderfarms is you don't need to pay for node licenses.
Then of course, you don't want to wait for effects to render before finding the result of your tweeking, so now there's background renderfarm. For now on, no effect is too slow, no resolution too high, to get realtime previews. Keep piling on terrahertz Athlons and terrabit ethernet to background render more. No terrahertz Athlon? Make someone invent it. With background renderfarm, the only limit is the crumbling national economy.
Imagine a laptop which didn't need dongles to run anything. Imagine not having to phone in and wait a week to renew licenses every week.
Now Cinelerra is by no means a lightweight program. You'll need something slightly less sexy than a handheld organizer to run it most effectively.
There is a section in Hacking Exposed about this. Also, you don't just search for the word "password". you search for phrases. eg "Index of "/cgi-bin" to find someone who has improperly chmodded his site etc.
Since robots.txt is an access control mechanism wouldn't bypassing it be a violation of the DMCA?
One would _think_ that admins would protect against this now, but i'm sure many won't.
either way, it's a sweet hack, considering that the admin won't have any logs to show how the information leaked
-t
http://unmoldable.com W:"No one of consequence" I:"I must know" W:"Get used to disappointment"
Hey! Somebody please submit a story of Linux video editing software! THIS IS SOMETHING RADICAL AND EARTH SHAKIN'! Superior _professional_ video editing software made by some uberintelligent individual for Linux and it is open source! A truly unbelievable piece of software!
Here's description from the website:
---
Movie studio in a box.
Heroine Virtual Ltd. presents an advanced compositing and editing system for native Linux at no cost to users.
Native Linux: that means no emulation of proprietary operating systems and no additional commercial software required. When you run a native Linux program, it's like you wrote the software yourself and are completely untied from corporate interests.
Of course, Linux isn't the first word that comes to mind when you think of content creation. Neither would you dare say Linux and general purpose computing in the same sentence, unless you were insane. That was before Cinelerra was invented.
For guys like you - Linux gurus who also like general purpose computing - there's eliteness in doing the unusual. You want to create your own niche. You want to try things no-one else will.
Cinelerra is not for consumer use. If ease of use, simplicity, and convenience are your thing, you should use Virtualdub, Kino, MJPEG tools or MainActor instead.
If you want to make movies, you want the compositing and editing that the big boys use, you want the efficiency of an embedded UNIX operating system combined with the power of a general purpose PC, or you just want to defy the establishment, the time has come to download Cinelerra.
Along the way, we discovered video processing takes too long to do on a single computer so we put renderfarm support into Cinelerra. The biggest difference between this renderfarm and normal renderfarms is you don't need to pay for node licenses.
Then of course, you don't want to wait for effects to render before finding the result of your tweeking, so now there's background renderfarm. For now on, no effect is too slow, no resolution too high, to get realtime previews. Keep piling on terrahertz Athlons and terrabit ethernet to background render more. No terrahertz Athlon? Make someone invent it. With background renderfarm, the only limit is the crumbling national economy.
Imagine a laptop which didn't need dongles to run anything. Imagine not having to phone in and wait a week to renew licenses every week.
Now Cinelerra is by no means a lightweight program. You'll need something slightly less sexy than a handheld organizer to run it most effectively.
It might be worth it NOT to look at robots.txt -- after all, with robots.txt you effectively disclose to anyone who asks what you don't want to be shown.
/secret/passwd
A robots.txt like this would be invaluable to a hacker, even though it would prevent Google from indexing:
User-agent: *
Disallow:
Regards,
--
*Art
You mean this is news? They should call it the Old Scientist.
I learned everything I know about security via search engines and by getting hacked.
l8,
AC
It's supposed to be used to tell bots not to access some parts of your site due to other reasons.
Common reasons would be that you host a site with a forum on a DSL line and don't want google to index all 5000 threads on it. It's also good for dynamic pages, for example it makes no sense to index a generated page that will be out of date tomorrow. It'll be much better to let it index the archive instead.
Using this for security is just stupid though, as it'd contain a list of vulnerable places. Maybe it will make harder for people to find your vulnerabilities from google, but it will help a lot whoever wants to attack you specifically.
Security problems have to be fixed by setting proper permissions and keeping your server up to date, and not by relying on that every spider that comes to your site will be polite enough to follow robots.txt
The result looks like this:
I have seen more phpmyadmin pages wide open on google that anything else.. Not putting things like that under htaccess at least is pure laziness and stupidity.
Also it seems people put mysql dumps on their webservers as well..
search for ' "SELECT * FROM credit" + "###" ' and you will see.
This has been going on since google introduced the site cache.
anime+manga together at last.. in real time.
Long says an obvious combination of search terms would include the terms "bash history", "temporary" and "password".
Hmph. When I searched for those phrases at Google, all I got were a bunch of Linux technical how-tos and code samples. If this guy wants to teach us how to be hackers using Google, he's going to have to be more helpful than that!
Here's an even better article: Neworder
search "index of mp3" ;)
softwar gangsters, etc.
& oe =UTF-8&q=microsoft+%22sanjay+ahuja%22&btnG=Google+ Search
& oe =UTF-8&q=microsoft+%22bill+weisgerber%22&btnG=Goog le+Search
& oe =UTF-8&q=microsoft+attacks+linux+open+source&btnG= Google+Search
a hole bunch of pumping/dumping going on now upon the pacific crest annex of wall street of deceit. so many billyonerrors on felonium.
2003-07-23 GATES, WILLIAM H. III Chairman 206,227 Sale at $26.5812 - $26.634 per share. (Proceeds of about $5,487,000) 2003-07-23 GATES, WILLIAM H. III Chairman 476,123 Sale at $26.5371 - $26.5811 per share. (Proceeds of about $12,645,000) 2003-07-23 GATES, WILLIAM H. III Chairman 948,634 Sale at $26.484 - $26.537 per share. (Proceeds of about $25,149,000) 2003-07-23 GATES, WILLIAM H. III Chairman 1,369,016 Sale at $26.222 - $26.481 per share. (Proceeds of about $36,076,000)
fauxking phonIE billonly FraUDs they are
http://www.google.com/search?hl=en&lr=&ie=UTF-8
http://www.google.com/search?hl=en&lr=&ie=UTF-8
http://www.google.com/search?hl=en&lr=&ie=UTF-8
consult with/trust in yOUR creator. vote with yOUR wallet. the daze of the Godless georgewellian fuddites is WANing into coolapps.
looking further into the billmirror:
2003-05-30 BALLMER, STEVEN A. Chief Executive Officer 4,551,548 Planned Sale (Estimated proceeds of $112,392,285) 2003-05-30 BALLMER, STEVEN A. Chief Executive Officer 152,619 Automatic Sale at $24.83 - $24.9 per share. (Proceeds of about $3,795,000) 2003-05-30 BALLMER, STEVEN A. Chief Executive Officer 3,993,801 Automatic Sale at $24.54 - $24.82 per share. (Proceeds of about $98,567,000) 2003-05-29 RAIKES, JEFFREY S. Vice President 400,000 Sale at $24.542 per share. (Proceeds of $9,816,800) 2003-05-29 BALLMER, STEVEN A. Chief Executive Officer 4,000,000 Automatic Sale at $24.28 - $24.64 per share. (Proceeds of about $97,840,000) 2003-05-29 BALLMER, STEVEN A. Chief Executive Officer 4,000,000 Planned Sale (Estimated proceeds of $97,832,000) 2003-05-28 BALLMER, STEVEN A. Chief Executive Officer 2,000,000 Planned Sale (Estimated proceeds of $49,313,800) 2003-05-28 BALLMER, STEVEN A. Chief Executive Officer 808,518 Automatic Sale at $24.74 - $24.86 per share. (Proceeds of about $20,051,000)
& just whoisit do you think is REALLY paying for all of this FUDgeFest execrable?
more details @ trustworthycomputing.com
At least 5 years ago it was fairly common knowledge that if you found any webserver's access_log you would get some juicy URL's. The method still works...
Anyone familiar with Big Brother knows that it has web access pages that allow you to monitor servers on your network. Of course your suppose to keep these pages private, but lots of people dont. This makes it easy for us to determine what servers are running on a network, and what services are running on each server.
;)
Try searching google for: red Big Brother Status
Enjoy
try searching for _vti_pvt and service.pwd on Google. There are lots of people still using frontpage 4.0 or whatever, with their frontpage password file in plain view. I won't tell you what to do with that file, if you don't know already.
I regarding the ability to use Google as a warez search machine. The article was about Google censorship and the one response to my post pinpointed almost exactly the point that I brought up, which is the point discussed in this article.
Google has a nice long list of directory lists containing warez (remember the days of l33t FTP searching for filenames? Google for something like, in my last article: "xwin32*.exe * * * * *" "listing of"), serial numbers (Oh, I've found XP's serial number several times in Google's cache) and other "sensitive" information. My question is if other commercial sites are being constantly shut down due to these links (intentional or not), why aren't people targeting Google as well?
In fact, if I'm *cough*too cheap to buy software*cough* or just want to evaluate some crippleware or such before I buy it, I often skip astalavista and cracks.am and just Google it up. Saves me the porn and pop ups, and I don't have to cripple my browser for this (yes I know it's possible to do in other ways, yes I enjoy javascript, no thanks, I don't want comments about how I'm retarded because I don't do it the right way).
This is similar for sites such as the Internet Archive's Wayback Machine that contains other sensitive information.
Because of the academic merit of both of these search mechanisms, I doubt either one will be shut down. Indeed, I highly doubt restrictions will be placed. They're valuable tools for finding more valuable tools. For more information about this sort of stuff, I suggest searching on Fravia+'s web-searching lore. Other information on there relates to "reality cracking", reverse engineering, and other taboo topics. Google's got it all cached. Interested? Just search for (insert topic here) site:searchlores.org.
Sometimes I don't think the comparison of Google to God is that far off. Pardon my heresy.
Kind regards, Devon H. O'Dell
look - i like and use google. and, i fully appreciate that a great number of slashdotters here also like google because while it may be a for-profit closed source entity with very little transparency or accountability, at least a) it's not microsoft, and b) it works.
however, i think a few lawsuits of google are in order. google can afford the damages, and the net will be better for it.
as an author of a web page or even a log file, you have the right to publish and de-publish it. just because it's on the net does not give google the right to cache it indefinitely. it is not MY legal responsibility to make sure that I proactively do robots.txt or whatever else the trick of the day is (x-noarchive) - that is the intellectual property equivalent of opt-out.
if google wants to keep an index of web pages for people to search on, that's fine. heck. even if it keeps the full text internally, that's fine too, as long as it gives people reasonable 'fair use' snippets. but if it caches stuff that an author has removed from the web or that an author has written, say, in order to expose people to a nearby advertisement which google's cache doesn't catch, then google shouldb be guilty of copyright violation. automated or not (ie, the 'napster' excuse doesn't wash here, either)
I honestly know of nobody else who uses this technique, I just figured I would try it back when I was hunting down upgrades for old games like Quake 2 while places like FilePlanet were getting hammered:
At google, type "index of", followed by the precise name of the file you are looking for.
I'd say this gives me good results on a fast server 95% of the time.
"Google is not affiliated with the authors of this page nor responsible for its content."
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
If you like this kind of tricks you can find dozen tricks like those ones and betteron Fravia's web site SearchLores.
-- search the web
if only slashdots search was as good as googles i could point out this is the third time in a year this "story" has been run.
MARIJUANA, SHROOMS, X: ONLINE?! - E
gangsters, appear unable to asphyxiate a handful of selfless hobbyists. not that they're (the gangsters) not trying.
lookout bullow.
pay no heed (or anything else) to va lairIE's pateNTdead PostBlock(tm) devise.
I guess I don't have the patience to be a real hacker.
Computers are useless. They can only give you answers.
-- Pablo Picasso
Google uses operating systems! All your code are belong to us! Google must be shut down and all of its users owe us lots of money.
The first guy in this google list has some funny videos. I wonder if he plays this one on his monitor while entertaining his girlfriend!
A Shaft Universe
"We're sorry, but the website you're trying to reach has been disconnected."
This must be a fileserver.r am%20Files/Ad obe/Illustrator%209.0/
t aine.mpg
http://www.northernairheads.com/Prog
Slap the DMCA on their ass! Funny thing is they are running apache on Solaris!
This one is cute
http://www.online-strip-poker.com/
More cuteness
http://www.fs4a.com/movie/
cute girl peeing!
http://grand.vrac.free.fr/vrac/femme_fon
Not the same kind of "hacks", but more than one might have missed that O'Reilly published recently Google Hacks. Mostly targeted to webmasters or "power users".
This paid my last vacation, it mi
You can probably use this to set up "honeypots" which may be legal in States where traditional fake services would be considered illegal as entrapment.
Simply set up a virtual machine (user-mode linux is a good one for this). Have the root account publicly read/write and somehow "accidently" visible to httpd.
Have the login shell a program which acts as your honeypot, logging activity, tracing back to the user, etc. All the stuff honeypots do so well.
Next is to ensure that the root password is visible, plain-text, and in a file that is visible to search engines. Your average skript kiddie is not going to question the apparent generosity of the admin. To get the engine to find the account, you probably want to have your main web page link into your virtual machine's root account - say via an FTP.
Now, none of this is entrapment, in the sense that the person must pro-actively attempt to present a false identity before the service is accessed. There can be no question that the identity of any user logging in is fake, that the user logging in knows that it is fake, and that there has been a deliberate, pre-meditated attempt to compromise an account.
If you want to go one step further, have the login shell transfer some goodies, such as cpuburn. Now, these have to have a "legit" use by a "legit" user, as anyone who gets burned is likely to complain. You have to be able to stand your ground and say "hey, I use this service as a convenient way to do hardware tests on remote machines - I locked that account against intruders, so if an intruder gets in, it's not my fault if they get burned."
(If you leave something dangerous "just lying around", you could probably be held accountable if someone gets hurt, even if they were stupid or malicious. But if you make a "reasonable" attempt to deny access, then it's not your problem.)
In fact, if you do any freelance tech stuff, you might very well use the service for real as a way of fetching over stress-testing software. It would make it a lot harder for "victims" of your root snare to complain, as you could then prove a legitamate use by legitamate users - the victim not being one of them.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Here is a nice tutorial about the topic.
We do not have a history of profitable operations. Our future SCOsource licensing revenue is uncertain.
Google can be use by terrorism. It can be used to locate source to purchase WMD. We must defend land of the free.
See here. Might help.
"index of" robot.txt
That was my favorite google search back in the good old days....finding the "service.pwd" or "admin.pwd" files, then cracking them with John the Ripper. Too bad that exploit is patched and next to non existant now :(
the "filetype:blah" command's pretty useful aswell, plenty of websites accidentally (or stupidly) put their site's databases in web-accessible dirs. google won't let you search just for a file name tho, so put the filename in as a query aswell.
e.g. search for mdb filetype:mdb
brings up loads of databases, not all of them particularly interesting.
stuff like
passwords filetype:mdb brings up more interesting results, but fewer obviously.
Your Mother Loves You Dearly 534543 \ ^fdfgsdg__^dxgrdgdfg 534534 fgs\ (oo)\_______dfgdfgd 345243 (__)\ gsdf)\/\gdf 5345 dfs g ||--fdgsfdg-sdfgsfd-w |gdfgdf 543543 gsdd ||gs ||fgdf gdftedfg Lameness filter encountered. Post aborted! Reason: Please use fewer 'junk' characters. Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Preferences Subscribe Journal Logout Sections Main Apache Apple 5 more Askslashdot 10 more Books BSD Developers 5 more Games 10 more Interviews Science 7 more YRO 1 more Help FAQ Bugs Stories Old Stories Old Polls Topics Hall of Fame Submit Story About Supporters Code Awards Services Jobs Advertising
Er, no. If you have passwords being exposed on the web then you need to make sure they stop being exposed - not just to well-behaved robots but to anybody! .htaccess (if you use Apache) is the file for this.
However, if the web server can read the file then most likely any other user on the same system can read it, since httpd normally runs as an unpriveleged user. So the fix is simple: 'chmod go-rwx file'.
Going a stage further you could say that plaintext passwords should not be stored in files on disk anyway...
-- Ed Avis ed@membled.com
http://www.smart-dev.com/texts/google.txt
Does anybody remember the PHF bug?
Hacker
One who is proficient at using or programming a computer; a computer buff.
One who uses programming skills to gain illegal access to a computer network or file.
While this does include black hats it does not include script kiddies.
Cracker
One who makes unauthorized use of a computer, especially to tamper with data or programs.
This, however, do to the fact that it does not mention programming or skill, would refer to a script kiddie.
As far as the hacker/jedi analogy, to become a jedi you have to start out good. The bad guys are the sith. While good jedi do go bad, the trend in hacking is more for a black hat to go gray than white to go black.
M.D. Inc.
hilarious
Sure, John. I just checked. Your Visa number is 4803 1809 2273 4821, expiration 03/05.
Your Discover card bill is overdue, though. Don't forget, according to this record, you've got 18.5% on overdue, PLUS your $15/mo late fee.
Your 'condition' should have been cleared up by now, so why'd you refill that prescription on Tuesday? Oh, wait, I see here that you deposited three brand new $20's at the US Bank down near Santa Fe. Doing a little insurance fraud, there? :)
Oh, I just googled again...your dog wants back in.
Any sufficiently well-organized Government is indistinguishable from bullshit.
it cracks weak systems with a press of the button.
Is there anything that it can't do?
Uhhhh. Crap. I hope that's not real.
Sorry, whoever you are. I made it up...
Any sufficiently well-organized Government is indistinguishable from bullshit.
Entrapment (in the states at least) is only for law officers not for end users so honeypotting isn't illegal.
Do you work for microsoft by chance?
Have you ever been to a turkish prison?
Muppets Rock!
I am become Troll, destroyer of threads
Here it is
Farking preview... I know.
I am become Troll, destroyer of threads
That's how I used to find MAME ROMs.
I thought that guy had disappeared from the face of the earth. He used to have the world's most thorough description of reverse-engineering techniques until it inexplicably went away.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
...on search engines as a security threat can be found here ("The Problem of Search Engines and 'Sekrit' Data", November 2001).
.htaccess anyone?) one can dig up just by using a search engine is simply astonishing.
Things haven't changed for the better since 2001 - the amount of sensitive data (passwd and
The FOSS community should take note and design their products in a way that makes a default installation as secure as possible, even if some functionality is sacrificed.
We have seen what happens if new features and ease of use have priority of security (no, I'm not naming names). We don't want to repeat that mistake, do we?
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
Shouldn't that be cracking?
In that vein, try searching for "Index Of" and "qdf" (Quicken Data File).
I suppose that doing various "Index of" searches might be a way to evaluate web hosting providers. Anyone who exposes their current clients' passwords fails.
They're models. Heres a picture from the same site.
Back in ~1997 there was a know vunerability in one of the apache distribution files that could be used to execute a root command on the server. Beening able to exploit this was dependent upon the server having a particular unmodified file available.
This was pre-google, but by judicious use of alta-vista it was quite easy to bring back a list of vunerable servers.
My one and only hacking (that I'm aware of) took place at the hands of a friendly hacker searching the web for OpenBSD 3.x (can't recall the version). I'd just installed it recently and mentioned it in my blog, but hadn't had time to patch it yet, and was running a vulnerable version of ssh. Thankfully he notified me of the hole and claimed to do nothing malicious.
I like ice cream.
Google Zeitgeist Reports Top Gaining Query for Week Ending August, 2nd is "bash history".
Come play at the only online poker room with a Mac-native client
Have you ever read BUGTRAQ? phpnuke IS a vulnerability. You might want to look into Postnuke, or something completely unrelated.
WMBC freeform/independent online radio.
Come play at the only online poker room with a Mac-native client
" if i write something down on a notepad on my desk, then pin it to a public bullitin board,..."
if you put an article on a bullitin board, any news source can report that, hell I could even have a business that points to certian data on different bulliten boards areound the country.
Once you removed the bullitin, I can still keep my copy in an archive for latter retrieval.
Once you put something on the net, it is there for all to see by default.
The Kruger Dunning explains most post on
access_log search Check out the 2nd one down, not the title but the location.
here: http://www.google.com/robots.txt
google for nessus report. Find vulnerable servers w/o the hassle of having to scan for them...
This guy is a security consultant? Come on, what admin in their right mind would enter a password in cleartext on the command line and allow it to be stored in ~/.bash_history?
Apparently he is a security consultant in the real world not some mythical world where every *nix box has a competent and knowledgable admin. Face it, some of the people setting up Linux boxes are near the script kiddy end of the spectrum. Others are well meaning *nix users taking care of personal or small business Linux boxes.
A long time ago I searched what was Deja-news then for typical pppd log messages. Low-and-behold there were usenet posts from Linux newbies trying to get into their isp complete with phone number, username, and password.
Mike
Try this
Google reports that it's searching 3,083,324,652 web pages. Alltheweb is reporting "Currently searching 2,142,833,819 web pages".
Now which is bigger?
I think at least 30% of /. readers have been using this google "resource" for quite some time. Theres even this place r odreviews
http://johnny.ihackstuff.com/index.php?module=p
in case your lazy.
... is to do a Google search for "welcome to phpmyadmin" -login
...
The sheer number of incompetent admins out there is just staggering
you all talking about bash history put on the web due to a misconfigured webserver....
g i/xml2m at/.bash_history
i found something way better...
now you get your bash_hostory file even with revisions on repositys.
WOW!
watch this:
http://bioinformatics.org/cgi-bin/cvsweb.c
kindest regards,
Anonymous Coward
This robots.txt thing interests me. How can one use "*" and "disallow" to block all crawlers except ones you specifically allow? I mean, you might wish to let google crawl your site, but no-one else (ie: spammers).
I got portscanned, a ping and a finger attempt when I went to that site!
Mod down people who tell people how to mod in their sigs
Yeah, that's insightful. You think spamer's crawler is going to honor robot.txt settings?
if you know how many people use mysql.
like
#mysql -u<user> -p<password>
and you do some googlin' for '"bash_history" mysql'
it's really scaring what you find.
kindest regards,
Anonymous Coward
LOL. So it's a good-will thing then? Ok then. Say you don't wish for your site to be listed on a particular Search Engine, but you do want it in google...?
Fucking navy.
Give me Classic Slashdot or give me death!
http://www.theregister.co.uk/content/55/32103.html
In short, the anti-spammers found a WSFTP.LOG and used it to find zips with email addresses.
Funny to see this on the register so soon after this slashdot article
here is navy link.. very very scary http://216.239.39.104/search?q=cache:THCvz5IMIAAJ: web.nps.navy.mil/~drdolk/is3301/PART_IS3301.XLS+In dex+of+/+%2Bfiletype:xls+%2BSSN&hl=en&ie=UTF-8
googleDork (gOO gol'Dork) noun 1. Slang. An inept or foolish person as revealed by Google.
googleDorks
Do you really believe that e-mail address harvesters will follow the robots.txt guidelines? If so, I've got a bridge I've been looking to unload...
I like my women like my coffee... pale and bitter.
I have found out that by finding the admin's email address and real name, then searching their site with google, many times you can find sensitive tidbits (especially if you search a University website.)
void
I have googled for a coldFusion example program (which just so happened to be vulnerable). I found many site that were vulnerable.
void
During a recent stint with a government agency who shall remain nameless (security research, in any event), we stumbled upon a pretty neat thing while using Google.
:)
:)
Basically, some admin had put up an entire test site, no index pages on lots of it, directly accesible databases, the works. Google cached the whole dang thing. We happened upon this while doing an unrelated search, and using the site: tag let us effectively pull the entire site out of Google's cache. The test site had long been pulled, but what Google had contained a LOT of sensitive information: things like home addresses, phone numbers, and personal email addresses of some very prominent business people, even some financial information. What was cool was finding links in the cache that still linked to some nice Access databases. Missing index.html, anyone? Yes, Google caches that
Anyway, we contacted the hosting company, and they must have done something, because within hours Google's cache no longer contained anything for them. I assume they contacted Google requesting the cache be cleared due to its sensitive nature. Google seems willing to do this if you can prove it's your own site.
Oh, and they also moved their databases
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Google
Shouldn't one be running the webserver in chroot jail anyways?
.bash_history or passwd or any of those fun guys be available to Google? Google's spider shouldn't even see them!
Why would any of
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
One of our favourite passtimes 'round here is searching google for "Index of /" + interesting stuff. Just two days ago we found someones mbox.bz file - however, after a quick email, they got it in under cover.
This technique is quite old now. I first heard it as a method of squirrelling out mp3s without using P2P.
YLFI
One god, one market, one truth, one consumer.
How do I block all crawlers except Googlebot from my site?
But as other posters mentioned, expect spammers to ignore or abuse robots.txt. Do you really want to be left out of Altavista, Alltheweb, etc?
The shareholder is always right.
Lots of morons make everything on their computer freely shared on P2P networks. Next time you open Kazaa, search for the word inbox.mbx ;-)
Why does a web server even serve up files outside of /var/www or /home/*/public_html?
This article appeared in detailed a month ago on the Box Network. http://neworder.box.sk/newsread.php?newsid=8203
Thanks for this info.
...actually, I patented that. -- Jeff Bezos
There is a far more interesting and relevant article on the New Order site Google: A Hacker's Best Friend. xnok
Evidently, I can get passwords to all hot XXX lesbian lolita harcore bukkake sites for FREE! Man, this google hacking rulez!
"Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
With millions of Deadheads around the world preparing for the anniversary of Jerry Garcia's death on August 9, 1995, a seemingly innocent post on Slashdot (www.slashdot.org) has led to the discovery that Jerry Garcia was actually alive as late as February, 2000. Apparently, the Dead's head was based at a Naval Weapons Station in Podunk, South Dakota as of February 3, 2000. The Detailer List Report was found in the Google cache of a Web page hosted on a military server and includes an email address and phone number for Mr. Garcia. Attempts to reach him were unsuccessful.
Interestingly enough, Ric Ocasek, former lead singer for the Cars, was billeted at the same base at the very same time. This has led some to speculate wildly as to
Jerry Lives?, Page 2A
Lots of places put their Squid proxy logs up on the web and they get indexed. That used to be a great way to find things like Futurama episodes, since they'd tend to be in the "top nn largest URLs this week" part of the reports.
... *bingo* lots of cool stuff.
Take the URL (http, ftp, whatever), check it out yourself and
Try searching for something that shows up in the header of a proxy log and then something that you want to find. It might be illuminating.
Not only bash_history this technique could let you read chuck sixpack's mail or Jon Everyteens midterm
http://66.216.103.200/download.asp?Name=SAM&File=c %3A%5Cwinnt%5Csystem32%5Cconfig%5CSAM
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Most of the "uber-geeks" will probably just stop on this link bash_history >> /dev/null
and not even bother with pages that give a users actual history file.
Set up google to only search your favorite vendor's web site.
Then search for "proprietary" and then "confidential".
I always get a few hits, mostly market research reports, and new product plans.
Dan
1.) Create a robots.txt file. Include a file named email_addresses.html.
2.) Create the email_addresses.html file, and put in email addresses of people who may be on your poop list (billg@microsoft.com, president@whitehouse.gov, hrosen@riaa.com, etc)
3.) Hopefully you are hosting a major site (that lots and lots of spambots love to crawl). After a while, take a gander at your logs, and squeal in joy when you imagine how many messages your cough*friends*cough will receive with "special offers" or telling them how lucky they may be. Ok, maybe dont squeal that loud...
4.) ???
5.) Profit!
I have the urge to go make a robots.txt file with sensitive info just to mess with hackers. Should be fun, hmm?
Wow, the amount of time I wasted just by following that link...
;)
I saw this picture with a nice landscape. Decided to investigate and after a bit of Googling it turns out it's from somewhere in Kamioka, Japan. That's where physicists from around the world built this huge toy which they call Super-Kamiokande.
Some pretty impressive pictures, especially when you see that they built many of these to make this, just to fill it with water (warning huge pic, here's a smaller one), and conduct experiments into neutrinos, dark matter, and other cool stuff like that... Wow.
There you go, just learnt a few things, and added Kamioka to my list of places to visit