Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google To Send Detailed Info About Hacked Web Sites

Posted by kdawson on from the see-yourself-as-others-see-you dept.

alphadogg writes "In an effort to promote the 'general health of the Web,' Google will send Webmasters snippets of malicious code in the hopes of getting infected Web sites cleaned up faster. The new information will appear as part of Google's Webmaster Tools, a suite of tools that provide data about a Web site, such as site visits. 'We understand the frustration of Webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged,' wrote Lucas Ballard on Google's online security blog. To Webmasters who are registered with Google, the company will send them an email notifying them of suspicious content along with a list of the affected pages. They'll also be able to see part of the malicious code." Another of the new Webmaster Tools is Fetch as Googlebot, which shows you a page as Google's crawler sees it. This should allow Webmasters to see malicious code that bad guys have hidden on their sites via "cloaking," among other benefits.

58 comments

  1. Gentlemen, check your Webmaster tools by symbolset · · Score: 4, Interesting

    This is a great service. Google should set up an opt-in email notification as well.

    It helps the webmasters build better sites and teaches them to check the Google website tools that allow them to groom their site for best indexing on Google. That's great.

    --
    Help stamp out iliturcy.
    1. Re:Gentlemen, check your Webmaster tools by madhurms · · Score: 2, Informative

      I dont know why the summary did not link to the official google blog. Here is the link: http:http://googlewebmastercentral.blogspot.com/2009/10/fetch-as-googlebot-and-malware-details.html/

    2. Re:Gentlemen, check your Webmaster tools by Pieroxy · · Score: 3, Informative

      Did you mean http://googlewebmastercentral.blogspot.com/2009/10/fetch-as-googlebot-and-malware-details.html ? Your link got garbled by some evil force...

      --
      Write boring code, not shiny code!
    3. Re:Gentlemen, check your Webmaster tools by Lord+Bitman · · Score: 1

      They do. It's the thing you said.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    4. Re:Gentlemen, check your Webmaster tools by sahala · · Score: 1

      This is a great service. Google should set up an opt-in email notification as well.

      It helps the webmasters build better sites and teaches them to check the Google website tools that allow them to groom their site for best indexing on Google. That's great.

      Webmaster Tools has opt-in email notification. Here are details: http://googlewebmastercentral.blogspot.com/2009/06/to-make-webmaster-tools-message-center.html

      The "Malware details" feature (mentioned in the article), however, doesn't send you any notifications just yet.

  2. Google needs to clean up their own act first, by Animats · · Score: 4, Informative

    Google has a malware hosting problem of their own.

    Google Spreadsheets can be abused to create phony login pages. Here's one for "Free Habbo credits", designed to collect Habbo logins. It's been reported via the usual "Google abuse" mechanism, repeatedly, and it's still up. It's been up since October 28, 2008.

    We track major domains being exploited by active phishing scams. ("Major" here means only that it's in Open Directory, with about 1.5 million domains.) There are 39 exploited domains today. Only 7 have been on that list since 2008. The most abused site is Piczo.com, which is a hosting service/social network/shopping site for teenagers.

    Just about everybody else has cleaned up their act. 18 months ago, that list had 174 entries, including Yahoo, eBay, Microsoft Live, and TinyURL. All those companies have become more aggressive about checking for phishing scams that were injected into their domain. Google's cluelessness in this area ought to be embarrassing to someone.

    1. Re:Google needs to clean up their own act first, by Anonymous Coward · · Score: 0

      Well... they did kill Google Pages... come on, you can't fault them there, that whole thing was just a nuclear bomb waiting to happen...

      Still despise Google Sites though. It is almost embarrassing compared to the flexibility of Pages.

    2. Re:Google needs to clean up their own act first, by aj50 · · Score: 3, Insightful

      An ordinary scam (like the Habbo one listed above) is different from a phishing attack (which requires that the attacker impersonates another entity).

      You have absolutely no hard evidence (other than your own experience and cynicism) that the site collecting Habbo logins isn't doing so for purely honest reasons and will only use them to deposit 500 credits in each account submitted.

      This comes down to a matter of trust. If you trust random people on the Internet, you're going to get screwed over.

      --
      I wish to remain anomalous
    3. Re:Google needs to clean up their own act first, by Anonymous Coward · · Score: 0

      um, so I just reported that page as phishing to Google(bottom of the page, report as phishing), do these sites do that or just expect Google to find their hideous website and then fix the problem?

    4. Re:Google needs to clean up their own act first, by tlhIngan · · Score: 2, Interesting

      Google has a malware hosting problem of their own.

      Google Spreadsheets can be abused to create phony login pages. Here's one for "Free Habbo credits", designed to collect Habbo logins. It's been reported via the usual "Google abuse" mechanism, repeatedly, and it's still up. It's been up since October 28, 2008.

      We track major domains being exploited by active phishing scams. ("Major" here means only that it's in Open Directory, with about 1.5 million domains.) There are 39 exploited domains today. Only 7 have been on that list since 2008. The most abused site is Piczo.com, which is a hosting service/social network/shopping site for teenagers.

      Just about everybody else has cleaned up their act. 18 months ago, that list had 174 entries, including Yahoo, eBay, Microsoft Live, and TinyURL. All those companies have become more aggressive about checking for phishing scams that were injected into their domain. Google's cluelessness in this area ought to be embarrassing to someone.

      Let me guess - you want Google to remove people's documents arbitrarily? That's what you're saying.

      Right now, Google's right to not do anything - how would you feel if someone just took down one of your documents arbitrarily? Not even a DMCA notice, just a vague "this is a hacker tool" thing? And how do you differentiate between "fake login page" and "log in page mockup"? After all, when designing a UI, you can do it in any medium you feel comfortable in.

      So yeah, Google is clueless. They're so clueless, they'd rather not remove someone's document because there can be many legitimate reasons for it to be there. And I suppose, as much as Google would like to remove it, doing so sets a bad precedent. Your Google Doc annoys someone? Click "report abuse" and Google will take it down. Better than DMCA notice.

      At best, Google can remove it from the index. But allowing Google to arbitrarily remove any document by an anonymous person invites a whole new can of worms. Might as well ban bullets, they've been used to harm people.

    5. Re:Google needs to clean up their own act first, by AmberBlackCat · · Score: 1

      It is my opinion that (Google is no more "secure" than any other website or corporation. Google is doing the same thing Sony does; they're just slapping their name on their new product and letting a bunch of people assume it's good because their name is on it. The only interesting thing mentioned in the article synopsis is the "Fetch as Googlebot" feature, because now when you search for a picture and Google lists some 4000x3000 photo that matches what you want and it turns out that was just bait which doesn't exist when you go to the actual site, you can "Fetch as Googlebot" and get the same result they fed to the search engine.)

    6. Re:Google needs to clean up their own act first, by Animats · · Score: 1

      An ordinary scam (like the Habbo one listed above) is different from a phishing attack (which requires that the attacker impersonates another entity).

      PhishTank calls it a phishing scam. We follow their data.

    7. Re:Google needs to clean up their own act first, by Anonymous Coward · · Score: 0

      We follow their data.

      Which is wrong. Phishing involves impersonating a trusted party. This site definitely wants your Habbo credentials, and very likely not to give you free credits, but they don't claim to be Habbo.

    8. Re:Google needs to clean up their own act first, by aj50 · · Score: 1

      PhishTank is a crowd sourcing site which merely samples the opinions of their users which makes it accountable to... no-one?

      Netcraft does not consider it a phish (although you have to use their toolbar to check that.)

      Incidentally, the spreadsheet is suddenly gone so I suspect someone at Google is reading Slashdot.

      --
      I wish to remain anomalous
  3. Good idea, but... by PrimaryConsult · · Score: 4, Interesting

    If Google's determination on whether a site has malicious content is based solely on crawling it, wouldn't a hacker be able to manipulate robots.txt to ignore the file with the malware? These tools would allow a hacker to test that theory out, by trying different things on his own sites and seeing what generates an email, instead of waiting around for Google to re-crawl them and having to check each one to see if it is filtered...

    1. Re:Good idea, but... by EvilIdler · · Score: 1

      I'm pretty sure Google checks to see what's reachable through links on the site. Just look at the dead link checker in the Webmaster Tools ;)

    2. Re:Good idea, but... by dave420 · · Score: 1

      It's even simpler than that - as the Googlebot identifies itself, it's trivial to have special content served up if Googlebot requests a page. You don't have to use robots.txt to hide anything.

    3. Re:Good idea, but... by GameboyRMH · · Score: 1

      I imagine they could have a different bot that doesn't do any kind of search indexing, but checks for malware/security issues and can't be blocked with robots.txt

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Good idea, but... by lonecrow · · Score: 1

      I think you are correct but it might be counter productive. GoogleBot obeys robots.txt so if the hacker listed the infected page in robots.txt google shouldn't ever request it. However, if you are a hacker and you have infected a page then I assume they want people to view it. Hiding the page from google probably lowers the number of visitors to an unacceptable low number.

      Also, I think allot of infected pages are a result of SQL injection or simply dropping some cross-site scripting code into form field of completely insecure website. This is a lot more trivial than gaining enough access to the machine to modify the robots.txt file. If they had that kind of access they are probably already hosting a dozen of their own sites on your server and sending spam from it :)

      However, I think your idea is sound in the context you presented it.

      Now please excuse me, I have to scurry off and make sure my robots.txt file is set to deny-writes.

  4. Poor Google IT webmasters! by snikulin · · Score: 2, Funny

    Default Apache e-mail is webmaster@localhost

    1. Re:Poor Google IT webmasters! by tepples · · Score: 1

      Default Apache e-mail is webmaster@localhost

      Google would probably first try sending mail to the Google account that confirmed its control of the site.

      If not, Google would just assume "localhost" is an error for whatever domain the site actually uses. For example, given webmaster@localhost at www.example.com, Google might look up the MX for www.example.com, not see it, look up the MX for example.com, and send mail.

      If the site doesn't list such an address at all, there's an RFC that strongly recommends webmaster@example.com as the WWW technical contact for example.com.

  5. Re:web health should be a communal effort (and fre by lewko · · Score: 0, Redundant

    Oh please.

    Doctors do things for the common good as well. That doesn't mean they don't have bills to pay.

    --
    Do you or your partner snore? - Visit www.snoring.com.au
  6. Re:Typical by Anonymous Coward · · Score: 0

    Just for info: M$ was something started my Microsoft themselves in MS BASIC.

    Also, fail.

  7. Helping the hackers? by NewsWatcher · · Score: 1

    If you wanted to test out malicious code to see whether it was likely to be discovered, wouldn't this be a great tool to have?

    --
    If the pattern goes 9am, 10am, 11am, why isn't noon 12am?
  8. Re:web health should be a communal effort (and fre by DrEldarion · · Score: 2, Informative

    Registered webmasters (registration is free) of infected sites do not need to specially enable the feature -- they will find links to it on the Webmaster Tools dashboard.

    Google does not charge for Webmaster Tools.

  9. Re:Who requests by mftb · · Score: 3, Informative

    It's an opt-in notification system - nobody's forcing you to do anything. Also, robots.txt has been around since long before google.

  10. Happened over here by orta · · Score: 3, Interesting

    This happened to my site and the google webmaster tools were helpful but frustrating, it took 2 weeks of my site being banned in all major browsers before they officially sanctioned it OK. It did give me a list of all the URLS where there was problems, so it wasn't too hard to debug.

    --
    my band is more brutal techno punk than yours
    1. Re:Happened over here by johndoejersey · · Score: 2, Interesting

      My experience was less than 8 hours. A day or two later I realised I missed my .htaccess file had been gazumped as well. Though google seemed to miss that one....

  11. From the awesome-for-pr0n dept. by Jugalator · · Score: 1

    Another of the new Webmaster Tools is Fetch as Googlebot, which shows you a page as Google's crawler sees it.

    Heh, could find some use outside of the designed purpose then... A number of pay-to-view web forums allow the Googlebot to freely navigate it, but requires payment from users. Among other boards, those involving erotica. :p

    --
    Beware: In C++, your friends can see your privates!
    1. Re:From the awesome-for-pr0n dept. by dazjorz · · Score: 1

      Alas, I think you can only view your own sites with the Googlebot... So unless you can sneak in the "yes, this domain is mine" HTML file or DNS entry, in which case you probably don't need to worry about this anyway, probably not a chance... ;)

  12. Re:Who requests by mftb · · Score: 1

    The notifications are opt-in. That's what I meant.
    And it's not like it's hard to set up. You should be thankful robots.txt is obeyed by most robots.

  13. WOW sites by BrookHarty · · Score: 1

    So many wow accounts are hacked from keyloggers that are installed just by visiting wow sites. Gold vendors, wow auction houses, and simple forums can cause you to lose your wow accounts...

    What would be nice if google could make these sites it detects with googlebot available so developers could patch the holes in firefox.

    1. Re:WOW sites by Anonymous Coward · · Score: 0

      Haha, 2 of my friends who play WoW have been screwed over by viruses, stolen e-mail and accounts...

      God, and both of them used to be quite in to computing as well, one who knew more than i did at one point.
      Now? They barely know how to Control Panel for ANYTHING... quite sad indeed that WoW has rotted their brain.
      Well, that's what happens when both of them dropped out of college because work piled up due to them playing WoW to 5 in the morning... so much for not being addicted to the game.

  14. Re:Who requests by Ant+P. · · Score: 1

    Hi Mr. Murdoch!

  15. S-S-s-s-s- by Anonymous Coward · · Score: 0

    $-$-$-$hillll.....

    1. Re:S-S-s-s-s- by buchner.johannes · · Score: 1

      Where is this $$$-hill and does it have trees? I'd prefer a €€€-hill though.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:S-S-s-s-s- by ion.simon.c · · Score: 1

      Heck. Money-hills of any sort are appreciated.

  16. Re:Who requests by HNS-I · · Score: 1

    Google is not playing police, they merely tell searchers it's a bad idea to go there. If you don't want others to link to you, don't go on the intarwebs. Also getting indexed by google is only possible if you sign up.

    Yes it's terrible, you have to type in "User-agent: *\n Disallow / " I can feel you pain.

  17. Re:Who requests by tokul · · Score: 1

    If you are that paranoid, cut your network cable. It will ensure that those pesky googlebots stay away from your precious data.

    If you put your data on public website, others are free to read that data.

  18. Re:Who requests by complete+loony · · Score: 2, Interesting

    Company? what the...

    You obviously have no idea about the early days of the internet and HTTP. The whole point of HTTP was to publish documents, if you host something you are implicitly allowing other people to fetch a copy of it.

    robots.txt came about in the very early days of HTTP. An enterprising hacker wrote a crawler to index the whole internet (which wasn't that big at the time). But his crawler got stuck fetching pages from one machine with dynamically generated pages. This obviously tied up the bandwidth, CPU and disk IO of the server which annoyed it's owner. So the 2 people had a polite conversation via email and the opt-out robots.txt was invented.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  19. Academic cloaking by tepples · · Score: 2, Informative

    A number of pay-to-view web forums allow the Googlebot to freely navigate it, but requires payment from users. Among other boards, those involving erotica.

    This sort of cloaking is frustrating even for people who aren't porn fans. A lot of scholarly journals spam search engine result pages with their cloaked, noarchived pages <cough>elsevier and springerlink</cough>. Even more frustrating is that Google provides no way for users 1. to exclude noarchived pages from its results or 2. to report sites that violate Google's stated cloaking policy.

    1. Re:Academic cloaking by skeeto · · Score: 2, Interesting

      You can report sites that use cloaking here: http://www.google.com/contact/spamreport.html . I don't know what good it does since the sites I have reported have never been acted upon.

  20. Re:Who requests by Anonymous Coward · · Score: 0

    Who wants this service from Google? Any company starting to act like an internet police is a huge risk in future if not now, and it should be preemtively rejected by users. If people rely on this kind of services in future Google will list its do-s and don't-s. I didn't ask about their service, nor I would like to be informed by their *unknown* ways of analyzing my pages. And no I don't want to host a useless piece of text called robots.txt to get rid of google crawlers. Why in the hell I should say get away, while if I don't it means I welcome them.

    Take your shitty attitude and get the hell out of my internets.

  21. Re:Who requests by L4t3r4lu5 · · Score: 1

    You put it on the internet.

    If it's on the internet, it's public. Don't put anything private on the internet. Don't expect anything private put on the internet to remain private.

    Information wants to be free. If you don't want your information to be free, keep it to your god damn self!

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  22. tit for tat by happy_place · · Score: 1

    A friend of mine works at Bluecoat ( http://www.bluecoat.com/ if you care...) (they do internet security and filtering services). He says they regularly send reports to Google when they find that Google is compromised with malicious code... so its good to know Google's taking part in helping fix a problem they certainly deal with.

    --
    http://www.beanleafpress.com
  23. Re:Who requests by Anonymous Coward · · Score: 0

    Normally I would agree, but a lot of websites are run without the advanced knowledge for finding these "broken" pages.

    This is basically a free antivirus for your website that is less annoying because you do not even have to run it on your server. I am not a fan of Google, as a company, but they have the information to track and protect users (such as with the Malicious website warning in Firefox), so why not go the extra step and inform the most likely ignorant (of the issue) webmaster of the injected malware.

    If it was an opt-in service, then most people would remain ignorant to the problems on their site, and the problems for web users would still persist. I prefer someone else was doing this, or that it was a separate service, but I am not going to complain about getting it as it could do a lot for helping to clean up the internet.

  24. I've tried this before, and failed by hansamurai · · Score: 1

    My site was once getting hit really hard from some other web site with a hole on their feedback page. I tried to email their webmaster but my message got flagged as spam. I guess including IP addresses, multiple links, phrases like "spam", "execute script", "spambot", and "exploit" aren't looked kindly upon by the internet powers that be. I just blocked any connections coming from their IP, but I wish I could have gotten through to shut down the security exploit.

    --
    Reviewing just the first hour of video games.
  25. "Google" to send this info or Google pretenders? by azdio · · Score: 1

    Phishing types are already preparing false communications and false sites with such warnings "from google". There are certainly many mechanisms in existence to help authenticate that a communication is actually from google. Hopefully the use of such mechanisms is clever enough to avoid more contamination.

  26. Re:"Google" to send this info or Google pretenders by sahala · · Score: 1

    All the diagnosis information and messages are presented through the Google Webmaster Tools UI, not through email. There is an option in Webmaster Tools to forward messages to email, but this is opt-in.

    You have a point though...there are lots of "from google" false emails floating around. As you know it's a tough problem to solve :/

  27. Google cleans up their act. by Animats · · Score: 1

    Google finally fixed this. The offending page now reads "We're sorry. You can't access this spreadsheet because it is in violation of our Terms of service. If you feel this is in error, please contact us."

    Sometimes you just have to use a big clue stick to get their attention. It took some help from The Register to get Yahoo, Microsoft, and eBay to clean up their acts.

    Five more long-term exploited sites remain. A bit more nagging, and we'll have this cleaned up.

    Once this is cleaned up, phishing blacklists that blacklist entire second-level domains will be effective. No more just blacklisting the URL.