Slashdot Mirror


Googling Your Way Into Hacking

knifee writes "New Scientist is running an article explaining how hackers can use Google's cache to quickly hunt down sensitive pages, for example, by searching the terms "bash history", "temporary" and "password". Might be worth looking at this tutorial about robots.txt if you think you might be at risk." That's pretty amusing.

99 of 431 comments

  1. This happens because of dumb admins, not google by mjmalone · · Score: 5, Insightful

    For example, one common filename for passwords is "bash history".

    This guy is a security consultant? Come on, what admin in their right mind would enter a password in cleartext on the command line and allow it to be stored in ~/.bash_history? The first thing I do when I log onto a box is link bash_history to /dev/null, just out of habit. The security problem isn't google's fault, it is stupid admins who don't know what they are doing.

    1. Re:This happens because of dumb admins, not google by numbski · · Score: 5, Funny

      Wouldn't it be more fun to ln -s ~/.bash_history /dev/random instead?

      Would make for interesting google logs. ;)

      Don't have to worry about that particular problem. Both FreeBSD and MacOS X use tcsh by default anyway, and all of my users are Unix stupid, so they never log into shell.

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    2. Re:This happens because of dumb admins, not google by wfberg · · Score: 2, Insightful

      Quite a few, from what google just returned. '.bash_history "parent directory"'

      Actually a lot of those are 403 -- permission denied.

      Using alltheweb (which has a bigger index anyway) to search only URLs that contain the phrase .bash_history and that contain "su" in the contents turns up only 2 history files. With no passwords.

      --
      SCO employee? Check out the bounty
    3. Re:This happens because of dumb admins, not google by Bigby · · Score: 5, Funny

      Even better yet, "rm ~/.bash_history && ln -s /dev/dsp ~/.bash_history". Now everything you type will literally "sound like crap".

    4. Re:This happens because of dumb admins, not google by gooru · · Score: 5, Insightful

      It's not even just ~/.bash_history but ~/ itself! Who in the world would make that world-readable and published on the web?!?!? This isn't even the default for any configuration I've seen. (Does anyone else know differently?) It's one thing to spider ~/public_html or /var/www or whatever you have set up for your webserver...quite another to have ~/ published on the web. I can't believe this is a security problem for people, though I suppose it is a proven possibility.

    5. Re:This happens because of dumb admins, not google by dan14807 · · Score: 5, Informative

      > The first thing I do when I log onto a box is link > bash_history to /dev/null

      unset HISTFILE

    6. Re:This happens because of dumb admins, not google by Zigg · · Score: 4, Funny

      Except that it doesn't work, unless you intended to try to execute /dev/audio.

    7. Re:This happens because of dumb admins, not google by Anonymous Coward · · Score: 5, Funny

      OHMYGOD!! TEH SECURITY RAMIFICATIONS!!1!
      http://custom.lab.unb.br/pub/dce/.bash_history
      pwd
      ls -l
      ls -l
      ls -la
      whoami

      http://www.mhhe.com/socscience/.bash_history
      vi test1
      ls -l
      who am i
      touch test2
      ls -l
      pwd
      cd ../business/
      ls -l
      vi randomfile
      ls
      ls -l
      cd marketing
      ls -l
      pwd

    8. Re:This happens because of dumb admins, not google by Surak · · Score: 2, Informative

      Even better yet, "rm ~/.bash_history && ln -s /dev/dsp ~/.bash_history". Now everything you type will literally "sound like crap".

      But uhh...from the tcsh manpage (emphasis mine)

      A login shell begins by executing commands from the system files /etc/csh.cshrc and /etc/csh.login. It then executes commands from files in the user's home directory: first ~/.tcshrc (+) or, if ~/.tcshrc is not found, ~/.cshrc, then ~/.history (or the value of the histfile shell variable), then ~/.login, and finally ~/.cshdirs (or the value of the dirsfile shell variable) (+). The shell may read /etc/csh.login before instead of after /etc/csh.cshrc, and ~/.login before instead of after ~/.tcshrc or ~/.cshrc and ~/.history, if so compiled; see the version shell variable. (+)


      Looks like tcsh has a history file as well, "if so compiled"? Just thought I'd point that out; something you might wanna check into.

      also in your /etc/csh.cshrc or /etc/csh.login you *might* wanna just throw in something like the following shellcode:

          # just to make sure the user didn't delete the
          # symlink ...
          if ( -e ~/.history ) then
              rm -f ~/.history
          endif

      ;)

      ln -s ~/.bash_history /dev/null

    9. Re:This happens because of dumb admins, not google by Havokmon · · Score: 2, Funny
      The security problem isn't google's fault, it is stupid admin's who don't know what they are doing.

      More than once, when looking for a specific dll, I've found a whole software install in a directory on somebody's network.

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    10. Re:This happens because of dumb admins, not google by inertia187 · · Score: 5, Interesting
      It's happened to me. My .bash_history has contained passwords. Why? Because I'd type too fast and not look at the screen. For example:
      bash-2.05a$ ssh inertia@whatevre
      ssh: whatevre: no address associated with hostname.
      bash-2.05a$ f33lokihum
      Oops.
      --
      A programmer is a machine for converting coffee into code.
    11. Re:This happens because of dumb admins, not google by Cramer · · Score: 2, Interesting

      And on Linux, /bin/sh is bash. And you'd be very surprised to see how many "hackers" fail to clear out the history. It has been my experience that most of the nuts breaking into systems are mostly idiots simply running stuff someone else designed.

      I've never run into a real hacker... they know how to cover their tracks so they aren't noticed. And, I don't have any systems containing information of any value from which the real hacker could profit (thus, I'm left alone.)

    12. Re:This happens because of dumb admins, not google by Bigbutt · · Score: 4, Funny

      Well, we had a stupid admin who, as a test put the /etc/passwd file into webspace.

      We had another admin who tried to su to root and typed in su [root password]. We check the logs searching for someone typing in a non-user account that looks like garbage and we notify the admin to change their password.

      --
      Shit better not happen!
    13. Re:This happens because of dumb admins, not google by SeanAhern · · Score: 4, Informative

      ln -s ~/.bash_history /dev/random

      Whoops!

      You meant: ln -s /dev/random ~/.bash_history

    14. Re:This happens because of dumb admins, not google by jd · · Score: 2, Informative
      This would be a good way to set up a "slightly more legit" honeypot, in States or countries where "services for the sole purpose of entrapping people" is illegal.


      Set up a virtual machine (user-mode linux might be a good choice) and make sure the root password is in a whole bunch of files that skript kiddies are likely to google for, and in which the root account might reasonably be found (if the admin is stupid, that is).


      Set the login shell to an application which creates a fake shell, and which uses the opportunity to ID the intruder's computer and download a bunch of stress-testing tools. cpuburn might be a good one for this.


      The choice of downloads is important. You've got to be able to show a legit purpose for all of this, and one good purpose is to have a tool you can use to stress-test hardware on a remote machine. If you do freelance tech work, then being able to check the hardware on a machine is self-evidently a legit purpose.


      Once you can show a legit purpose (whether you use it or not), and you can show that you've made a reasonable effort to prevent non-legit users from stumbling into the account (i.e. by setting a password), then I can't see any way a person can claim they were suckered in and entrapped.


      It takes a deliberate, conscious act of will to perform a search on Google. It takes another deliberate, conscious act of will to use that information to connect onto a remote computer. Since the account is not theirs, and they have no reason to believe otherwise, they are guilty of attempting to defraud the computer through identity theft, at the very least. There's no way it could be passed off as "accidentally" stumbling onto a service, which could be a valid defence against traditional honeypots.


      Because there's a legit use for the services, and because the attacker has actively carried out an attack on your machine with malicious intent, it would be extremely hard for them to successfully sue you for any damage caused.


      It's not like placing a firecracker in a box marked "open this". It would be closer to placing a revolver in a locked cabinet, and a would-be thief accidentally shooting themselves in the foot, after breaking into the cabinet.


      The first case, there's no obvious risk, so the person can claim they've not assumed responsibility for any such risk. Stupidity is not a crime.


      The second case is different. The person is actively performing actions they know to be illegal, and for purposes which can only be malicious. They've passed the point where they can claim they're just an innocent bystander.


      Likewise, a traditional honeypot - especially one that causes damage - might well be considered in the first category. A person may well accidentally stumble on it, and then any damage is the responsibility of the person setting the trap. (Don't even think of telling me you've never mis-typed an IP address.)


      However, a dual-purpose service, behind a password-protected account, where the username of that account makes it self-evident that this is not a public area, cannot even remotely be placed in that category. The intruder cannot claim innocence or lack of awareness. As such, any damage they suffer is their problem. They've assumed the risks involved, knowingly of their own free will. At that point, if your utils turn their machine into scrap metal, it's not your problem.


      Note: Law-enforcement types are authorized to break into machines and plant all sorts of sniffers, etc, on them, without approval and without the machine or owner having to have anything to do with any investigation. It is not clear if frying their computers, even if it could be shown that it was self-inflicted and that the software was dual-use, would be considered acceptable.


      Because of this, the information above is hereby defined as being for academic interest only. If you choose to use the information, and Joe FBI gets burned, that is between you and them.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    15. Re:This happens because of dumb admins, not google by dspeyer · · Score: 2, Insightful
      Google wins again! It has six .bash_historys with su in them, though none show sensitive information and at least one was clearly posted intentionally as an example.

      It all comes down to knowing google (the inurl: tag, in this case)

    16. Re:This happens because of dumb admins, not google by drinkypoo · · Score: 2, Interesting

      You have to have execute permission on each interim directory between / and public_html (or whatever you have it set to on your server.) This is because the directory execute bit is the "change to this directory" bit. A lot of users fuck this up and just make their home directories world readable, or even writable. Just another reason to separate the user from his data whenever possible. The trick is to do it in a way that won't make them feel left out. Obviously some people are more willing to put in the time to learn the intricacies of an obfuscated system like Unix than others.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:This happens because of dumb admins, not google by Anonymous Coward · · Score: 2, Informative
      It's not even just ~/.bash_history but ~/ itself!

      Do this at a shell;

          locate .bash_history

      Notice anything odd? It's entirely likely that .bash_history may end up outside a user's (or root's) home directory depending on where you are when you login to a new account.

      If you want to avoid that, try...

          su - USERNAME

      where USERNAME is the account name (or optionally nothing if root).

      The - will make sure that the environment settings will be the current default settings for that account. Login as root, change to another directory, change the environment settings, execute "su -", then check your environment and location. Change directories, and use "su" (no "-"), and see what happens. Exit from the shell a couple times. Nope, that little factoid isn't explicitly in the su man page.

    18. Re:This happens because of dumb admins, not google by Ascender · · Score: 3, Insightful

      One possibility is that some 'clever' admin has set the 'webmaster' user's home directory to /var/www (or whatever your docroot is) - Then, as well as easy access to the html files, the .bash_* files would be left there too

    19. Re:This happens because of dumb admins, not google by klui · · Score: 2, Informative

      By default, your history files are only readable by you and are not group/world readable. Your shell actually sets this up--regardless of your umask--when it first creates the file, so only a bozo who manually changes the modes deserves what they get as a consequence.
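An added example, not code from any of the commenters in this thread: a small Python audit for the two exposures discussed above, a history file whose mode lets group or others read it (bash normally creates it 0600, as klui says) and a history file whose real path lies below the web document root (the webmaster-home-in-/var/www case Ascender describes, or a home directory that is itself being served). The document root and the list of home directories are assumed command-line arguments; nothing here refers to a real host, and a `~/.bash_history` symlinked to `/dev/null` is deliberately skipped because it exposes nothing.

```python
"""Audit shell history files for two exposures: group/world-readable mode and
location under the web document root. Added example; paths are assumptions."""
import os
import stat
import sys

# History file names bash and csh-family shells write by default.
HISTORY_NAMES = (".bash_history", ".history", ".sh_history")


def audit_histfiles(docroot, homes):
    """Return a list of (reason, path) tuples for exposed history files.

    reason is 'readable' when the mode grants read to group or others, or
    'in-docroot' when the file's resolved path is below docroot and could
    therefore be served (and indexed) by the web server.
    """
    docroot = os.path.realpath(docroot)
    findings = []
    for home in homes:
        for name in HISTORY_NAMES:
            path = os.path.join(home, name)
            try:
                # os.stat follows symlinks: a ~/.bash_history -> /dev/null link
                # resolves to a character device and is skipped below.
                st = os.stat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(("readable", path))
            real = os.path.realpath(path)
            if os.path.commonpath([docroot, real]) == docroot:
                findings.append(("in-docroot", path))
    return findings


if __name__ == "__main__":
    # usage: python audit_histfiles.py /var/www /home/*
    for reason, path in audit_histfiles(sys.argv[1], sys.argv[2:]):
        print(reason, path)
```

Run it against the document root and every home directory on the box; any 'in-docroot' hit is something Google (or anyone else) can fetch over HTTP, regardless of its mode, since the web server reads it as its own user.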

    20. Re:This happens because of dumb admins, not google by Leto2 · · Score: 2, Informative

      Actually, I do not link bash_history to /dev/null.

      I've been compromised once, and the attacker went through great lengths to install a rootkit in /tmp/../foo , grep his IP out of the message logs, etc. etc. The only thing that he forgot to do was remove the bash_history file, and I knew _exactly_ what damage he had done to my system.

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    21. Re:This happens because of dumb admins, not google by scottj · · Score: 2, Informative

      The simpler alternative is to just not produce a history file at all. In the .cshrc, add this line: unset history

      --
      .-.--
  2. Google Cache, in case of slashdotting by Anonymous Coward · · Score: 5, Funny
    1. Re:Google Cache, in case of slashdotting by vgaphil · · Score: 4, Funny

      Or go here google

      --
      A clever person solves a problem. A wise person avoids it. -- Einstein
    2. Re:Google Cache, in case of slashdotting by Scott+Hale · · Score: 5, Funny
      Google is not affiliated with the authors of this page nor responsible for its content.

      Now I'm really confused.

    3. Re:Google Cache, in case of slashdotting by SlayerofGods · · Score: 4, Funny

      That is really cool, the whole site is done in it. Someone try to read this and not have your head explode.

      --

      Technology, the cause of and solution to all of life's problems.
    4. Re:Google Cache, in case of slashdotting by joynt · · Score: 4, Funny

      The sad thing is I can read it.

    5. Re:Google Cache, in case of slashdotting by vgaphil · · Score: 2

      Trekkies go here

      --
      A clever person solves a problem. A wise person avoids it. -- Einstein
    6. Re:Google Cache, in case of slashdotting by Daath · · Score: 2, Funny

      1 d0n'+ und3r5+4nd... 1+ 100k5 pr3++y n0rm41 +0 m3...

      --
      Any technology distinguishable from magic, is insufficiently advanced.
  3. RIAA Logic: by connsmythe96 · · Score: 5, Funny

    Google can be used to illegally hack into computers (possibly stealing copyrighted information). Google must be shut down and all of its users owe us lots of money.

    --
    if(!cool) exit(-1);
  4. It's a little harder... by Tweakmeister · · Score: 3, Insightful

    A quick search for "Password" doesn't yield any "promising" hacking results. It's too common a word.

    --

    Colossians 2:8

    1. Re:It's a little harder... by Elminst · · Score: 4, Insightful

      But the third link down gives us this-
      http://216.239.57.104/search?q=cache:p5ouM32marEJ:www.necmitsubishi.com/markets-solutions/government/necfiles/Chicago911.doc+%22do+not+distribute%22+password&hl=en&ie=UTF-8

      Which at the bottom of the document has-

      Editors Note:
      Product photography is available at http://www.liska.com/necmit.
      Username: necmit
      Password: monitors


      Which seems to prove the point of the search...

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  5. Yea by mao+che+minh · · Score: 4, Funny
    Must be how that guy found out that my phpnuke code had a mySQL injection flaw in the news module. My article about a Hulk doll with big penis wasn't exactly fine journalism, but I would imagine that it was better than 40 lines of "hacked by Stacey 100% brasil LOL" that it was overwritten with.

    Damn script kiddies.

  6. Even better than Google by Anonymous Coward · · Score: 3, Interesting
    I tried this a while back - it isn't as easy as it looks with Google. I recently discovered WhittleBit and it is pretty good at narrowing down what you are searching for because it lets you indicate which search results are good and which aren't, and re-search on that basis.

    This is particularly useful for this type of thing since it isn't always obvious what the criteria are for what you want to search for - with WhittleBit you don't need to know, it figures it out for itself.

    1. Re:Even better than Google by lightcycle · · Score: 2, Interesting

      The bottom of the page has a "send feedback to Ian Clarke" mailto link, would that be the Ian Clarke that's behind freenet?

      --

      The stars that shine and the stars that shrink
      in the face of stagnation the water runs before your eyes
  7. aha! by Frymaster · · Score: 2, Interesting
    this explains the tremendous number of google searches for "index of /scripts" that come from google to my site...

    of course i have a section on my site for bash scripts... and it has an index page. looks like someone got disappointed.

  8. problem with robots.txt tutorial by brlewis · · Score: 5, Interesting

    They should mention that disallowing a URI in robots.txt tells crackers which URIs on your site have sensitive information. What I do is create a top-level /unpub/ URI, and everything sensitive goes underneath it with hard-to-guess names. In robots.txt I disallow /unpub only.

    1. Re:problem with robots.txt tutorial by PetoskeyGuy · · Score: 4, Insightful

      I hope you at least have an .htaccess on the files to put a password on that directory. Hard-to-guess names is good, but making them password protected is better.

      Of course on some of the cheaper web hosting companies out there you can just search the /home/*/web folders. They have to be public so the web server can read them. Stupid I know, but all too common. Config.php for most apps will have all the users' passwords in plaintext.

      The HTTPD user should be a member of each users group so you don't have to set world rights to your files. Assuming it's just hosting and no other rights are required.

    2. Re:problem with robots.txt tutorial by brlewis · · Score: 3, Interesting

      Password-protected directories wouldn't need to be in robots.txt. Using robots.txt + security by obscurity is for things like family photos, where I don't want to maintain usernames and passwords for my entire extended family, but it isn't absolutely critical that no unauthorized person ever see them. I doubt I could trust my entire extended family to keep passwords secure anyway.

      Yeah, cheap shared hosting is largely insecure. I wonder how tough it would be to set up shared hosting using squid as an http accelerator, and let users run web servers under their own UID on different ports, while squid forwards from port 80.

    3. Re:problem with robots.txt tutorial by Anonymous Coward · · Score: 2, Insightful
      The HTTPD user should be a member of each users group so you don't have to set world rights to your files. Assuming it's just hosting and no other rights are required.
      This approach isn't much better. Usually, each user's php scripts run with the permissions of the HTTPD user. Thus, any maliciously minded user who wants to access someone else's private data can just use php scripts. A bit awkward, but certainly not impossible.
    4. Re:problem with robots.txt tutorial by brooks_talley · · Score: 2, Funny

      Even more entertaining is to add a disallow: /secret.cgi entry, and then have secret.cgi log the IP address, datetime, etc, of requests.

      For bonus points, you can have secret.cgi automatically add requesting IPs to an apache rewrite config file.

      Cheers
      -b

  9. robots.txt? by Karma+Sucks · · Score: 4, Interesting

    You're kidding right? Putting stuff in robots.txt is the best way to *guarantee* that robots will go specifically for the file/directories you choose to deny.

    Don't be naive about robots.txt... expect to have to do some relatively fancy hacking to actually enforce it.

    --
    (Please browse at -1 to read this comment.)
    1. Re:robots.txt? by liquidsin · · Score: 2, Insightful

      not all robots download robots.txt. In fact, I'd assume most of the more annoying ones don't, nor do they identify as anything other than MSIE 5.5.

      --
      do not read this line twice.
    2. Re:robots.txt? by rossz · · Score: 3, Insightful

      And that's why I have a disallow for a trap directory. Accessing it gets you added to a mysql database and you are blocked with iptables.

      --
      -- Will program for bandwidth
    3. Re:robots.txt? by pclminion · · Score: 2, Interesting
      And that's why I have a disallow for a trap directory. Accessing it gets you added to a mysql database and you are blocked with iptables.

      Awesome! I'll post a link to that location on my web page. Everyone who clicks on it will be banned from your site, even though they aren't a spider!

      Oh, the fun I'll have...
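As an added example, not code from any commenter: the robots.txt trap idea from brooks_talley and rossz above, written in Python with a guard against the abuse pclminion points out. The rule flags a client only if it fetched /robots.txt and then requested a path that file disallows; a visitor who merely follows a planted link to the trap never fetched robots.txt, so the rule does not fire for them. Bots that never read robots.txt at all (liquidsin's point) are not caught by this rule either, by design. The robots.txt content and the Apache combined-format log lines are constructed for the example, the client addresses are documentation ranges, and the iptables commands are only generated as strings, never run.

```python
"""robots.txt trap with a 'must have read robots.txt first' guard.
Added example; robots.txt text, log lines and addresses are constructed."""
import re
from collections import defaultdict

# Constructed robots.txt: /unpub/ hides sensitive content behind one coarse
# prefix (so the file does not list each sensitive name); /secret.cgi is the trap.
ROBOTS_TXT = """User-agent: *
Disallow: /unpub/
Disallow: /secret.cgi
"""

# Apache common/combined prefix: client identd user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def disallowed_paths(robots_txt):
    """Return the Disallow prefixes that apply to every crawler (User-agent: *).

    This is also exactly the list of 'places worth a look' an attacker reads
    off a robots.txt, which is why only coarse prefixes belong in it.
    """
    paths, applies, in_rules = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new group
                applies, in_rules = False, False
            applies = applies or value == "*"
        elif field == "disallow":
            in_rules = True
            if applies and value:
                paths.append(value)
    return paths


def parse_line(line):
    """Return (client, path-without-query) for a log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, path, _status = m.groups()
    return client, path.split("?", 1)[0]


def trap_offenders(log_lines, robots_txt=ROBOTS_TXT):
    """Map client -> disallowed paths it requested AFTER fetching /robots.txt.

    Disallowed requests from a client that never fetched robots.txt are
    ignored: that is the human who followed someone's planted link.
    """
    rules = disallowed_paths(robots_txt)
    read_robots = set()
    offenders = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, path = rec
        if path == "/robots.txt":
            read_robots.add(client)
        elif client in read_robots and any(path.startswith(p) for p in rules):
            offenders[client].append(path)
    return dict(offenders)


def iptables_commands(offenders):
    """Render one DROP rule per offending client (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


# Constructed log: 203.0.113.7 reads robots.txt and then visits disallowed
# paths; 198.51.100.9 is a person following a planted link to the trap;
# 192.0.2.5 is a well-behaved crawler.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jul/2003:22:27:10 +0200] "GET /robots.txt HTTP/1.0" 200 57 "-" "ExampleBot/1.0"',
    '192.0.2.5 - - [29/Jul/2003:22:27:11 +0200] "GET /robots.txt HTTP/1.0" 200 57 "-" "PoliteBot/2.0"',
    '192.0.2.5 - - [29/Jul/2003:22:27:12 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "PoliteBot/2.0"',
    '203.0.113.7 - - [29/Jul/2003:22:27:14 +0200] "GET /unpub/ab12/photo.jpg HTTP/1.0" 200 3170 "-" "ExampleBot/1.0"',
    '198.51.100.9 - - [29/Jul/2003:22:28:01 +0200] "GET /secret.cgi HTTP/1.0" 200 12 "http://example.org/lol.html" "Mozilla/4.0 (compatible; MSIE 5.5)"',
    '203.0.113.7 - - [29/Jul/2003:22:28:09 +0200] "GET /secret.cgi?x=1 HTTP/1.0" 200 12 "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for cmd in iptables_commands(trap_offenders(SAMPLE_LOG)):
        print(cmd)
```

The trade-off is explicit in the code: requiring a prior robots.txt fetch removes the planted-link false positive but also means the rule only ever catches crawlers that read the file and ignored it, which is the misbehaviour the trap was meant to punish in the first place.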

  10. Sesitive? by GoofyBoy · · Score: 3, Funny


    use Google's cache to quickly hunt down sesitive pages,

    Try hacking a dictionary.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  11. robots.txt by panaceaa · · Score: 5, Interesting

    Robots.txt only makes well-behaved search engines not index certain portions of your site. You're still going to be vulnerable until you take the sensitive pages off-line completely. But even then, if a passwords list has been indexed by Google, updating your robots.txt file won't remove it from Google's cache until Google spiders your site again. At which time, Google will discover the passwords list doesn't exist and remove it from the cache.

    At least that's how it should work. Is anyone aware of Google requesting robots.txt more often than they spider pages? And then proactively removing pages from their cache based on new robots.txt entries?

    While the article deals with Google specifically, lots of non-well-behaved spiders go through common locations looking for password files regardless of what you've blocked out with robots.txt. The only way to completely protect your data is to remove it from your site.

    1. Re:robots.txt by KenSeymour · · Score: 2, Interesting

      I think you have to do more than that to get it out of the cache.

      I once had family phone numbers on a web page. Upon reflection, I decided that was no good and deleted the web page.

      It remained in the google cache until I replaced the file with a blank one with the same URL.

      --
      "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
    2. Re:robots.txt by Jugalator · · Score: 4, Funny

      ROFL -- It's also amusing when the admins don't understand what the file is for!

      Look at IBM:

      http://www.ibm.com/robots.txt

      First comment:

      Date: 19950130
      By: epc
      Reason: finally understood what the file was for!

      At least the admin was honest, but a bit embarrassing for being on ibm.com. :-P

      --
      Beware: In C++, your friends can see your privates!
    3. Re:robots.txt by innate · · Score: 2, Insightful

      Actually, that's pretty good, since the Standard for Robot Exclusion was proposed in 1994. I'd say IBM "understood" it several years before most people did.

      --
      No, I don't want to explore the Recycle Bin.
    4. Re:robots.txt by UncleOlethros · · Score: 3, Informative
      According to my experience with my webservers, Google will request robots.txt frequently as it spiders a site. And yes, they do remove pages from their cache based not only because of new robots.txt entries but new META tags in individual pages.

      If you can't wait until the next time Google crawls your site to have your information removed, you can always use Google's Automatic URL Removal System. Details are available here.

      A few months back I updated all of my web pages to include the NOARCHIVE META tag. I then submitted my site to Google's Removal System and within three days Google had crawled everything and updated their database. The result was that my pages were still searchable, they just weren't cached.

      As you noted, though, there are plenty of robots that do not obey robots.txt. Google may be conscientious, but others are not.

    5. Re:robots.txt by frodo+from+middle+ea · · Score: 5, Interesting
      Check out Sun's robots.txt

      Part i like best

      # If you do actually go to the trouble of figuring out how to download
      # the files without registering, what you'll end up with is 1 or 2MB of
      # stuff that is meaningless to you unless you have purchased an
      # Ultra AX board from Sun. So, please do purchase an Ultra AX board,
      # but then you might as well use the URL you'll be given along with it.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  12. robots.txt by zero-one · · Score: 4, Interesting

    Having a robots.txt is a good idea but it always amuses me when web sites use robots.txt to list all the areas of their site that they don't want people to look at. When robots.txt contains entries like "Disallow: /admin.asp" or "Disallow: /backdoor.asp" it stops being a way of controlling search engines and becomes a site map of all the places hackers might be interested in.

  13. use deflection in mod_rewrite to keep crawlers out by stonebeat.org · · Score: 3, Informative

    It is always a good idea to keep the robots out of anywhere there is sensitive information. I use several methods for added security. robots.txt is a good way, but I also use the deflection technique in Apache's mod_rewrite to keep the crawlers out.

  14. ICQ by bazik · · Score: 5, Interesting

    A friend of mine actually used this to steal ICQ numbers. He wrote a perl script which googles from "00000001.idx 00000001.dat" to "99999999.idx 99999999.dat" and spits out the result links to a textfile if it gets a full match.

    The ICQ password is stored in one of those two datafiles and there are dozens of free decrypt programs for that out there.

    But if you think about it... how or why does someone put his ICQ directory on a webserver?!

    On the other hand... some people are hosting pr0n sites and dont even know about it ;)

    --
    One by one the penguins steal my sanity...
    1. Re:ICQ by Politburo · · Score: 2, Informative

      If you're lazy and wanted to transfer ICQ information between sites, you might just toss it up on some webspace you have, download it from where you wanted it, and then forget about it forever.

  15. Forgotten by orange_6 · · Score: 4, Funny

    So if I forgot my password, google can just tell me what it is? Can it tell me my credit card number too?

  16. My favorite... by inertia187 · · Score: 5, Informative
    My favorite Google search phrase is:
    "Index of" "Name Last modified Size Description"
    Then you add file extensions or other things. For example:

    Anyway, as you can see, it's pretty effective. Sometimes admins wise up, and all you have is the Google cache. But sometimes they don't, and you get to look. Thanks Google!
    --
    A programmer is a machine for converting coffee into code.
    1. Re:My favorite... by cybrthng · · Score: 2, Funny

      Doncha just love the fact that the first my documents returned is an MIT student's lab PC describing security over wireless networks? haha

    2. Re:My favorite... by barryfandango · · Score: 3, Funny

      Oooh that's cool! check this link out that it turned up:

      http://www.liada.net/~secret/

      all in spanish, but the documents are all about toxic substances, i think... and there's one JPEG that appears to be a sketch of a missile! Now that's top secret!

      --
      In all matters of opinion, our adversaries are insane. -Oscar Wilde
  17. Well, duh! by panda · · Score: 3, Insightful

    If something is meant to be private, then why even temporarily put links to it on your publicly visible pages? Additionally, if something really is private, then lock it down in the httpd.conf so that only certain IP addresses can access it. Then, it's basically invisible to the rest of the world.

    Of course, if there's a bug in your server software all bets are off. Which is why it's better not to put private stuff where it can be seen on a public network.

    I would have thought that was pretty obvious.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  18. Re:/etc/passwd by jared_hanson · · Score: 3, Funny

    You should really use something other than '*' for your password. It is far too easy to guess. Just a suggestion

    --
    -- Fighting mediocrity one bad post at a time.
  19. BZZZZZZZT! Wrong! by Entropy248 · · Score: 2, Interesting

    I don't think so.

    I went through all 6 pages of results and found nothing. Ditto for searches on any of the terms individually. I imagine that searches on individual sites might be what the author is actually talking about, but have no independent means of verifying this. This FUD detected by Entropy248. Wow. I just RTFA and tried it at home...

  20. Interesting Website Ideas by fastdecade · · Score: 3, Funny

    This article gives me great ideas for a website:

    * bash.history blog - Everything I ran today
    * /dev/tty blog - Everything I typed today
    * /dev/stdout blog - Everything I saw today

    COMING SOON: Welcome to My Bank Account Details, Favourite Passwords I Enjoy Using

  21. .bash_history is NOT a security feature! by multipartmixed · · Score: 2, Insightful

    > allows for an admin to see if anyone has compromised security, no?

    Only if the compromisors are morons, and have done it "recently".

    A non moron would type "HISTFILE=" before exiting a shell he'd been "playing" in.

    --

    Do daemons dream of electric sleep()?
  22. Scuse me? by arth1 · · Score: 5, Insightful

    Shouldn't that be bash_history, passwd and tmp?
    Was this written down by a non-techie from an audio interview?

    Regards,
    --
    *Art

  23. robots.txt folly by arth1 · · Score: 2, Insightful

    It might be worth it NOT to look at robots.txt -- after all, with robots.txt you effectively disclose to anyone who asks what you don't want to be shown.

    A robots.txt like this would be invaluable to a hacker, even though it would prevent Google from indexing:

    User-agent: *
    Disallow: /secret/passwd

    Regards,
    --
    *Art

  24. Wrong use of robots.txt by vadim_t · · Score: 5, Insightful

    It's supposed to be used to tell bots not to access some parts of your site due to other reasons.

    Common reasons would be that you host a site with a forum on a DSL line and don't want google to index all 5000 threads on it. It's also good for dynamic pages, for example it makes no sense to index a generated page that will be out of date tomorrow. It'll be much better to let it index the archive instead.

    Using this for security is just stupid though, as it'd contain a list of vulnerable places. Maybe it will make it harder for people to find your vulnerabilities from google, but it will help a lot whoever wants to attack you specifically.

    Security problems have to be fixed by setting proper permissions and keeping your server up to date, and not by relying on that every spider that comes to your site will be polite enough to follow robots.txt.

  25. One word about the google cache... by presroi · · Score: 2, Interesting
    Some people think that the google cache does not reveal the host name to the http-server.

    The result looks like this:
    proxy1.health.magwien.gv.at - - [29/Jul/2003:22:27:14 +0200] "GET /hfaq/icons/linki.png HTTP/1.0" 200 278 "http://www.google.at/search?q=cache:QIq92lU3jkUJ:www.presroi.de/hfaq/+heroin&hl=de&lr=lang_de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; ENR 2.0 emb)"
    proxy1.health.magwien.gv.at - - [29/Jul/2003:22:27:14 +0200] "GET /hfaq/icons/bt3.gif HTTP/1.0" 200 3170 "http://www.google.at/search?q=cache:QIq92lU3jkUJ:www.presroi.de/hfaq/+heroin&hl=de&lr=lang_de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; ENR 2.0 emb)"
    proxy3.health.magwien.gv.at - - [29/Jul/2003:22:27:43 +0200] "GET /hfaq/stats.html HTTP/1.0" 200 5231 "http://www.google.at/search?q=cache:QIq92lU3jkUJ:www.presroi.de/hfaq/+heroin&hl=de&lr=lang_de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; ENR 2.0 emb)"
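    The point above turned into a log check, as an added example that is not part of the post: parse combined-format lines, flag requests whose Referer is a search-engine cache view, and attribute them to the real client address rather than the search engine. Host names, the cache id and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample in Apache "combined" log format (not the excerpt from the
# post): three requests referred from a cache view, one direct request, and
# one line that does not parse at all.
SAMPLE_LOG = """\
proxy1.client.example - - [29/Jul/2003:22:27:14 +0200] "GET /hfaq/icons/linki.png HTTP/1.0" 200 278 "http://search.example/search?q=cache:CACHEID1:www.site.example/hfaq/+heroin&hl=de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5)"
proxy1.client.example - - [29/Jul/2003:22:27:14 +0200] "GET /hfaq/icons/bt3.gif HTTP/1.0" 200 3170 "http://search.example/search?q=cache:CACHEID1:www.site.example/hfaq/+heroin&hl=de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5)"
proxy3.client.example - - [29/Jul/2003:22:27:43 +0200] "GET /hfaq/stats.html HTTP/1.0" 200 5231 "http://search.example/search?q=cache:CACHEID1:www.site.example/hfaq/+heroin&hl=de&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 5.5)"
10.0.0.7 - - [29/Jul/2003:22:30:01 +0200] "GET /hfaq/ HTTP/1.0" 200 9001 "-" "Mozilla/4.0 (compatible; MSIE 5.5)"
this line is not a log record
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cached_page(referer):
    """If the Referer is a cache view, return the page that was cached (the part
    of the q= parameter between 'cache:<id>:' and the first search term)."""
    q = parse_qs(urlparse(referer).query).get("q", [""])[0]
    if not q.startswith("cache:"):
        return None
    _, _, rest = q.partition("cache:")
    cache_id, sep, target = rest.partition(":")
    if not sep:                      # "cache:<url>" form with no id
        target = cache_id
    words = target.split()           # parse_qs already turned '+' into spaces
    return words[0] if words else None


def cache_hits(log_text):
    """Return (client, cached_page, requested_path) for every request whose
    Referer shows it was loaded from a cache view of one of our pages."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        page = cached_page(rec["referer"])
        if page is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else "-"
        hits.append((rec["client"], page, path))
    return hits


def per_client(hits):
    """Count cache-referred requests per (client, cached page); the client is
    the real viewer's address, not the search engine's."""
    return Counter((client, page) for client, page, _ in hits)


if __name__ == "__main__":
    for (client, page), n in per_client(cache_hits(SAMPLE_LOG)).items():
        print(f"{client} viewed cached copy of {page}: {n} sub-requests")
```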
  26. phpmyadmin same thing by joeldg · · Score: 4, Interesting

    I have seen more phpmyadmin pages wide open on google than anything else.. Not putting things like that under htaccess at least is pure laziness and stupidity.

    Also it seems people put mysql dumps on their webservers as well..
    search for ' "SELECT * FROM credit" + "###" ' and you will see.

    This has been going on since google introduced the site cache.

  27. some guide! by mblase · · Score: 4, Funny

    Long says an obvious combination of search terms would include the terms "bash history", "temporary" and "password".

    Hmph. When I searched for those phrases at Google, all I got were a bunch of Linux technical how-tos and code samples. If this guy wants to teach us how to be hackers using Google, he's going to have to be more helpful than that!

  28. Re:/etc/passwd by arth1 · · Score: 2, Informative

    BZZT, wrong.
    * is a character not allowed in the encrypted 13-character A-Za-z0-9./ password, and as such the account cannot be logged in to.
    x is used for shadow passwords.

    Anyhow, I think the original poster aimed for a +1 Funny, and not +1 Insightful. If there's any justice on /., you'll get neither.

    Regards,
    --
    *Art
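    An added example (not from the post) that applies the distinction above as an audit: classify the password field of each /etc/passwd line as shadowed, locked, empty, or an actual hash, and report the accounts that a world-readable passwd file should never carry. The sample file is constructed, and its 13-character field is made up to look like a crypt hash, not a real one.

```python
import re

# Traditional crypt(3) hash as stored directly in /etc/passwd: exactly 13
# characters from the set A-Za-z0-9./, so '*' or 'x' can never be a real hash.
TRAD_CRYPT = re.compile(r"^[A-Za-z0-9./]{13}$")

# Constructed sample; the field on the 'legacy' line is not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
legacy:ab/cdEFG12345:1002:1002:Legacy:/home/legacy:/bin/sh
this is not a passwd entry
"""


def classify_password_field(field):
    """Say what the second field of a passwd line means."""
    if field == "":
        return "EMPTY"          # anyone can log in with no password at all
    if field == "x":
        return "SHADOW"         # real hash lives in /etc/shadow (root-only)
    if field.startswith(("*", "!")):
        return "LOCKED"         # outside the hash alphabet, nothing matches
    if TRAD_CRYPT.match(field):
        return "TRAD_CRYPT"     # 13-char DES hash sitting in world-readable passwd
    if field.startswith("$"):
        return "MODULAR_CRYPT"  # $id$salt$hash form, also exposed if it is here
    return "UNKNOWN"


def audit_passwd(text):
    """Return (line_no, user, classification) for each line; malformed lines
    are reported rather than silently skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, None, "MALFORMED"))
            continue
        findings.append((line_no, fields[0], classify_password_field(fields[1])))
    return findings


def exposed_accounts(text):
    """Accounts a world-readable /etc/passwd should never carry: a blank
    password, or a hash anyone who can read the file may crack offline."""
    return [(user, kind) for _, user, kind in audit_passwd(text)
            if kind in ("EMPTY", "TRAD_CRYPT", "MODULAR_CRYPT")]


if __name__ == "__main__":
    for user, kind in exposed_accounts(SAMPLE_PASSWD):
        print(f"{user}: {kind}")
```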

  29. Re:Google is good for free money by anthony_dipierro · · Score: 2, Interesting

    Better to search for the first 8 digits of a known credit card number. Last time slashdot had a story about a site which was publishing credit card numbers on the internet, I googled for the first 8 digits of my CCN and found the site.

  30. My favorite: access_log by shoppa · · Score: 2, Interesting

    At least 5 years ago it was fairly common knowledge that if you found any webserver's access_log you would get some juicy URLs. The method still works...

  31. Big Brother Monitoring software by Anonymous Coward · · Score: 2, Informative

    Anyone familiar with Big Brother knows that it has web access pages that allow you to monitor servers on your network. Of course you're supposed to keep these pages private, but lots of people don't. This makes it easy for us to determine what servers are running on a network, and what services are running on each server.

    Try searching google for: red Big Brother Status

    Enjoy ;)

  32. For more h4x0r fun . . by scarolan · · Score: 3, Interesting

    try searching for _vti_pvt and service.pwd on Google. There are lots of people still using frontpage 4.0 or whatever, with their frontpage password file in plain view. I won't tell you what to do with that file, if you don't know already.

  33. Google Warez Machine by dhodell · · Score: 5, Interesting

    I regarding the ability to use Google as a warez search machine. The article was about Google censorship and the one response to my post pinpointed almost exactly the point that I brought up, which is the point discussed in this article.

    Google has a nice long list of directory lists containing warez (remember the days of l33t FTP searching for filenames? Google for something like, in my last article: "xwin32*.exe * * * * *" "listing of"), serial numbers (Oh, I've found XP's serial number several times in Google's cache) and other "sensitive" information. My question is if other commercial sites are being constantly shut down due to these links (intentional or not), why aren't people targeting Google as well?

    In fact, if I'm *cough*too cheap to buy software*cough* or just want to evaluate some crippleware or such before I buy it, I often skip astalavista and cracks.am and just Google it up. Saves me the porn and pop ups, and I don't have to cripple my browser for this (yes I know it's possible to do in other ways, yes I enjoy javascript, no thanks, I don't want comments about how I'm retarded because I don't do it the right way).

    This is similar for sites such as the Internet Archive's Wayback Machine that contains other sensitive information.

    Because of the academic merit of both of these search mechanisms, I doubt either one will be shut down. Indeed, I highly doubt restrictions will be placed. They're valuable tools for finding more valuable tools. For more information about this sort of stuff, I suggest searching on Fravia+'s web-searching lore. Other information on there relates to "reality cracking", reverse engineering, and other taboo topics. Google's got it all cached. Interested? Just search for (insert topic here) site:searchlores.org.

    Sometimes I don't think the comparison of Google to God is that far off. Pardon my heresy.

    --
    Kind regards, Devon H. O'Dell
    1. Re:Google Warez Machine by geekoid · · Score: 2, Insightful

      it is not Google's responsibility to monitor what other people on the net are doing.

      Besides, that sword has 2 sides, if someone intending malice uses google then a law enforcement agency can also use it.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  34. Google file searching.... by Rahga · · Score: 4, Interesting

    I honestly know of nobody else who uses this technique, I just figured I would try it back when I was hunting down upgrades for old games like Quake 2 while places like FilePlanet were getting hammered:

    At google, type "index of", followed by the precise name of the file you are looking for.

    I'd say this gives me good results on a fast server 95% of the time.

    1. Re:Google file searching.... by darth_silliarse · · Score: 2, Informative

      I've also been searching Google this way for years, it's a good way of getting what you need without having your browser cache clogged with cookies...

      --
      I've noticed that everyone who is for abortion has already been born - Ronald Reagan
  35. Re:My favorite... Searchlores by sICE · · Score: 3, Informative

    If you like these kinds of tricks you can find dozens of tricks like those ones and better on Fravia's web site SearchLores.

  36. damn it... by edrugtrader · · Score: 2, Informative

    if only Slashdot's search was as good as Google's, I could point out this is the third time in a year this "story" has been run.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  37. Doesn't work by lawpoop · · Score: 5, Funny
    I tried "bash history", "password", and "temporary", hit "I feel lucky" and I didn't get to hack anything.

    I guess I don't have the patience to be a real hacker.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  38. SCO Logic: by KillerHamster · · Score: 4, Funny

    Google uses operating systems! All your code are belong to us! Google must be shut down and all of its users owe us lots of money.

  39. publishing analogy by muppet · · Score: 3, Insightful
    as an author of a web page or even a log file, you have the right to publish and de-publish it. just because it's on the net does not give google the right to cache it indefinitely.
    by the publishing analogy, doesn't this mean that libraries don't have the right to lend books that are no longer in print? in that respect i see google's cache as a library's copy of a book; they let you look at it, and you can see when it was published. they don't claim it's the most up-to-date, and at any time you can go to the source and see for yourself (e.g. go to a bookstore and buy a new copy).
  40. A little bit OT by edmz · · Score: 3, Informative

    Not the same kind of "hacks", but more than one might have missed that O'Reilly published recently Google Hacks. Mostly targeted to webmasters or "power users".

  41. Not always dumb... depends on what's there by jd · · Score: 5, Interesting
    #include "IANAL.h"


    You can probably use this to set up "honeypots" which may be legal in States where traditional fake services would be considered illegal as entrapment.


    Simply set up a virtual machine (user-mode linux is a good one for this). Have the root account publicly read/write and somehow "accidentally" visible to httpd.


    Have the login shell a program which acts as your honeypot, logging activity, tracing back to the user, etc. All the stuff honeypots do so well.


    Next is to ensure that the root password is visible, plain-text, and in a file that is visible to search engines. Your average skript kiddie is not going to question the apparent generosity of the admin. To get the engine to find the account, you probably want to have your main web page link into your virtual machine's root account - say via an FTP.


    Now, none of this is entrapment, in the sense that the person must pro-actively attempt to present a false identity before the service is accessed. There can be no question that the identity of any user logging in is fake, that the user logging in knows that it is fake, and that there has been a deliberate, pre-meditated attempt to compromise an account.


    If you want to go one step further, have the login shell transfer some goodies, such as cpuburn. Now, these have to have a "legit" use by a "legit" user, as anyone who gets burned is likely to complain. You have to be able to stand your ground and say "hey, I use this service as a convenient way to do hardware tests on remote machines - I locked that account against intruders, so if an intruder gets in, it's not my fault if they get burned."


    (If you leave something dangerous "just lying around", you could probably be held accountable if someone gets hurt, even if they were stupid or malicious. But if you make a "reasonable" attempt to deny access, then it's not your problem.)


    In fact, if you do any freelance tech stuff, you might very well use the service for real as a way of fetching over stress-testing software. It would make it a lot harder for "victims" of your root snare to complain, as you could then prove a legitimate use by legitimate users - the victim not being one of them.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  42. Re:wrong wrong wrong. by nolife · · Score: 2, Insightful

    If you want to control the distribution of your work, don't publish it for free in a public place. That is your choice.
    Your reference to usenet is laughable but common. Who should determine how long your posts should stay on a news server? Why does it have to stay on a news server? What if I save all messages I read forever? What if one news server has a 3 year retention but another only has 3 hours? If you don't want your comments to become publicly available then don't post them publicly. It is really that easy. You don't have to use x-no-archive, but you don't have to post either.

    --
    Bad boys rape our young girls but Violet gives willingly.
  43. Hacking with Google 101 by Shivaji+Maharaj · · Score: 2, Informative
    --
    We do not have a history of profitable operations. Our future SCOsource licensing revenue is uncertain.
  44. Google Hacking Tutorial by hohokus · · Score: 3, Informative
    while randomly googling for "index of" and ".bash_history", i found this, which may be amusing:

    http://www.smart-dev.com/texts/google.txt

  45. All present and accounted for... by medscaper · · Score: 2, Funny
    Can it tell me my credit card number too?

    Sure, John. I just checked. Your Visa number is 4803 1809 2273 4821, expiration 03/05.

    Your Discover card bill is overdue, though. Don't forget, according to this record, you've got 18.5% on overdue, PLUS your $15/mo late fee.

    Your 'condition' should have been cleared up by now, so why'd you refill that prescription on Tuesday? Oh, wait, I see here that you deposited three brand new $20's at the US Bank down near Santa Fe. Doing a little insurance fraud, there? :)

    Oh, I just googled again...your dog wants back in.

    --
    Any sufficiently well-organized Government is indistinguishable from bullshit.
  46. Re:This is news? by karlandtanya · · Score: 2, Interesting
    Hmmmm... reply seems to have failed earlier...


    This situation is a consequence of living an open society that information which "should not" be available is available.


    This has nothing to do with google and cracking.


    Exactly the same situation was demonstrated in the '70s by Princeton student "John Aristotle Phillips", better known as "The A-Bomb Kid". For him, it was the telephone, university and public libraries, and fission weapons instead of google and cracking.


    Again, news it ain't.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  47. Re:Oops by clary · · Score: 3, Informative

    Nope...doesn't pass the LUHN check. See LUHN Check.

    --

    "Rub her feet." -- L.L.
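    The Luhn check referred to above, applied the way a site owner would use it to scan their own published content (such as the SQL dumps mentioned earlier in the thread) for card-number-shaped strings before a search engine caches them. This is an added example, not from either comment; the sample text is constructed, with the number quoted earlier (which fails the check) and the well-known 4111 1111 1111 1111 test value (which passes).

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed text in the spirit of the dump and the comment above; the
# numbers are test values, not real card numbers.
SAMPLE_TEXT = """\
INSERT INTO credit VALUES (1, 'J. Doe', '4803 1809 2273 4821', '03/05');
INSERT INTO credit VALUES (2, 'A. Roe', '4111-1111-1111-1111', '12/04');
order 2003072922271401 shipped 29/Jul/2003
"""


def luhn_ok(digits):
    """Luhn check: from the right, double every second digit, subtract 9 from
    doubled values above 9, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_like(text):
    """Return (as_written, digits_only, passes_luhn) for every candidate run,
    so the operator can see what was matched and why it was or was not kept."""
    hits = []
    for m in CANDIDATE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        hits.append((raw, digits, luhn_ok(digits)))
    return hits


def likely_card_numbers(text):
    """Only the candidates that pass Luhn: order ids and timestamps mostly
    drop out here, which is what keeps the scan useful."""
    return [digits for _, digits, ok in find_card_like(text) if ok]


if __name__ == "__main__":
    for raw, digits, ok in find_card_like(SAMPLE_TEXT):
        print(f"{raw!r}: {'passes' if ok else 'fails'} Luhn")
```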

  48. Re:Entrapment by fizbin · · Score: 4, Interesting

    Probably not, but his statement of the situation squares with my experience when I talked to an FBI agent after having discovered (and logged) some IRC kiddies who were constructing a DDOS network out of sub7-infected machines.

    I'd created a sub7 honeypot on my linux box with a little perl script; after that collected the IRC server ip and channel name, I connected with a random username (pretending to be a bot) and just logged the conversation.

    The FBI agent interviewed me very carefully to make certain that my setting up monitoring, etc., was not in any way instigated by a law enforcement officer. (No, I'd just gotten annoyed at random SYN packets) Then, he had no trouble with it. I don't know if this makes the evidence I provided useable legally, but it never came to that. As he explained it, the question was whether I was acting as an agent of the state when setting up the honeypot. Committing entrapment is not anything that non-state actors ever need worry about.

    Not that this lets you off the hook entirely - there may be charges of wiretapping involved; monitoring your own machine should be safe legal ground, but connecting to the IRC network (as I did) is a slight bit more dicey legally, and shouldn't be done if you have any reason to believe that the relevant prosecutor would like to hang something on you as well.

  49. Re:Entrapment by PenguiN42 · · Score: 3, Informative

    Also, entrapment is only illegal if the law officers used fraud or undue persuasion to cause someone to commit a crime -- so much so, that an ordinarily law-abiding person would be compelled to commit the crime.

    Cops can tempt criminals to commit crimes, and even initiate or plan out the criminal act (ie, buying or selling drugs, offering or buying prostitution, planning a bank robbery heist). None of this is entrapment, unless their actions would have caused a normally law-abiding person to commit the crime.

    If a cop tricks someone into unintentionally breaking the law, or harasses them so much that they eventually cave in and break the law, or threatens them, etc, it may be entrapment. It's actually pretty subjective and up to the jury, usually.

    But a lot of misconceptions of entrapment abound -- ie the ever-popular, "if you ask them if they're a cop, and they say no, then it's entrapment." And also the misconception that entrapment is a crime and can apply to non-law-enforcement. It's not a crime, it's a defense against being charged with a crime. (Well, unless you perform a crime while trying to get someone to perform a crime -- that's still a crime)

    For a somewhat inflammatory discussion, see this: http://www.libertyhaven.com/politicsandcurrentevents/nationalbudgetsdefecitsorspending/lawdeceit.html

    I had a more objective look at it, written by a lawyer, but I can't find it.

    sorry if this is off-topic.

    --
    The following sentence is true. The preceding sentence was false.
  50. Re:wow by sICE · · Score: 2, Informative

    Hehe, no he didn't disappear at all. And i can tell you he's alive and kicking. Yet you may find his old data here on the AntiCrack website.

    One question: does WoW stand for Warriors of Wasteland?

  51. Scary, very scary by Hatta · · Score: 2, Interesting
    --
    Give me Classic Slashdot or give me death!
  52. Not just crackers, Anti-Spammers use this too by zgornz · · Score: 2, Informative

    http://www.theregister.co.uk/content/55/32103.html

    In short, the anti-spammers found a WSFTP.LOG and used it to find zips with email addresses.

    Funny to see this on the register so soon after this slashdot article