Google is a very, very powerful tool! If you know how the Internet works and how Google works, you can dig up some “very secret information” from the dark corners of the Internet.
You see, Google tries to “index” everything that is on the Internet. What does “index” mean? Basically, it means read and remember! Google is reading websites 24 hours a day, looking at new websites and new web pages. It looks at each web page, figures out what it is about, judges how good it is, and decides many other things about it…
Google does all this so that when you search for something using Google, it can give you the most relevant results from among the web pages it has visited. This is what we mean when we say that Google tries to index everything on the Internet.
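To make “read and remember” concrete, here is a toy sketch of the idea in Python, using only the standard library. The URL is just a placeholder, and a real search engine adds crawling, ranking, and planetary scale on top of this; the sketch only shows the core trick of mapping words back to the pages they appear on.

    from html.parser import HTMLParser
    from urllib.request import urlopen

    class TextExtractor(HTMLParser):
        def __init__(self):
            super().__init__()
            self.words = []

        def handle_data(self, data):
            self.words.extend(data.split())

    def index_page(url, index):
        # "Read": fetch the page and strip the HTML down to plain words.
        html = urlopen(url).read().decode("utf-8", errors="replace")
        parser = TextExtractor()
        parser.feed(html)
        # "Remember": record which URL each word appeared on.
        for word in parser.words:
            index.setdefault(word.lower(), set()).add(url)

    index = {}
    index_page("http://example.com/", index)   # placeholder URL
    print(index.get("example"))                # -> {'http://example.com/'}

When you search, the engine is essentially doing that final lookup: pulling the pages it has already “remembered” for your words, then ranking them.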
Hackers use botnet to scrape Google for vulnerable sites
Some 35,000 sites that use vBulletin, a popular website forum package, were hacked recently by taking advantage of the presence of files left over from the program's installation process, according to security researcher Brian Krebs.
The hack by itself is fairly standard, but the way in which it was carried out shows how search engines like Google can unwittingly become a party to such hacking.
Krebs' findings were unearthed in conjunction with work done by security research firm Imperva, members of which believe the hacks are being executed by way of a botnet. The botnet not only injects the malicious code into the target sites, but also scrapes Google in a massively parallel fashion looking for vBulletin-powered sites that might make good targets.
Why scrape Google in parallel? As a workaround for Google's defense mechanisms against automated searches.
Such defenses work well against a single user scraping Google, since after a certain number of such searches from a single host, the user is presented with a CAPTCHA. This typically stops most bot-driven scrapes. But if a great many such searches are performed in parallel, it doesn't matter if each one of them eventually runs afoul of a CAPTCHA. Together, in parallel, they can still scrape far more than any one system alone can. (Krebs did not describe the size of the botnet used, however.)
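The arithmetic behind this is simple. A quick back-of-envelope sketch — both numbers are made-up assumptions for illustration, since Krebs did not publish the botnet's size and Google's exact thresholds aren't public:

    # Why parallelism beats a per-host CAPTCHA threshold (illustrative numbers)
    queries_before_captcha = 50      # assumed per-host limit before a CAPTCHA appears
    bots = 10_000                    # assumed botnet size
    print(bots * queries_before_captcha)  # 500000 free searches before every bot is stopped

Each individual bot hits the wall quickly, but the wall is per-host, so the total haul scales with the number of hosts.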
The hacks themselves, of which Krebs has identified two, are fortunately rather easy to detect. One involves adding surreptitious admin accounts to the vulnerable vBulletin installations. The other hack, "apparently used in a mass website defacement campaign," adds an admin account named "Th3H4ck".
Now the good news: The very thing that made it possible to find those vulnerable vBulletin sites -- a properly crafted Google search -- can also be used to identify existing hacked vBulletin installs. If you see a site you know on that list, tell the administrator; there's a good chance they don't know they've been hacked.
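“Properly crafted” here means search-operator queries along these lines. These are illustrative guesses, not the exact strings used in the campaign, which Krebs does not publish:

    inurl:"install/upgrade.php"        (surfaces forums with leftover installer files)
    "Th3H4ck" inurl:memberlist.php     (surfaces forums exposing the rogue admin account)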
Scanning for vulnerabilities with Google isn't by itself new; Bruce Schneier pointed out in 2008 how this process was not only possible but could be automated. But deploying such Google scanning via a botnet, seeking out vulnerable sites in a massively parallel operation, is a relatively new wrinkle -- and it's likely to remain a viable one until Google finds a way to block such things en masse without impacting regular search services.
Krebs points out that it's difficult to place the blame exclusively on vBulletin. The makers of the software note that its installation instructions ask users to remove the "/install" and "/core/install" directories after setting up the program.
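If you run a vBulletin forum yourself, the leftover-directory problem is easy to check for. Here is a minimal self-check sketch; the base URL is a placeholder, and the exact file names inside the install directories are an assumption -- adjust them to match your install. Run it only against sites you administer:

    from urllib.request import urlopen
    from urllib.error import HTTPError, URLError

    BASE = "http://forum.example.com"      # placeholder: your own vBulletin root
    LEFTOVERS = ["/install/upgrade.php", "/core/install/upgrade.php"]

    for path in LEFTOVERS:
        try:
            status = urlopen(BASE + path, timeout=10).getcode()
        except HTTPError as err:
            status = err.code              # a 404 here is what you want to see
        except URLError:
            status = None                  # host unreachable
        if status == 200:
            print("WARNING: " + path + " is still reachable -- delete the directory")
        else:
            print("OK: " + path + " returned " + str(status))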
In that sense, this issue is akin to the ways ColdFusion projects have been plagued by break-ins -- in part because many outfits are running older, unpatched versions of the software, but mainly because many firms don't follow Adobe's own instructions for hardening ColdFusion setups.
The oft-targeted WordPress has the same issue: It's easy to set up, but securing it requires that the end-user take a number of steps that often aren't followed.
Make sure you are comfortable with sharing everything in your public Web folder with the whole world, because Google will share it, whether you like it or not. Also, to keep attackers from easily figuring out what server software you are running, change the default error messages and other identifiers. Often, when a "404 Not Found" error occurs, servers will return a page that says something like:
Not Found
The requested URL /cgi-bin/xxxxxx was not found on this server.
Apache/1.3.27 Server at your web site Port 80
The only information that a legitimate user really needs is a message that says "Page Not Found." Restricting the rest will prevent your pages from turning up in an attacker's search for a specific flavor of server.
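On Apache, as in the example above, trimming that banner takes a couple of configuration directives. A sketch for httpd.conf -- file locations and defaults vary by distribution and version:

    # Send "Server: Apache" with no version number
    ServerTokens Prod
    # Drop the "Apache/1.3.27 Server at ... Port 80" footer on error pages
    ServerSignature Off
    # Serve a static page that says only "Page Not Found"
    ErrorDocument 404 /404.html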
Google periodically purges its cache, but until then your sensitive files are still being offered to the public. If you realize the search engine has cached files that you don't want publicly viewable, you can go to ( http://www.google.com/remove.html ) and follow the instructions for removing your page, or parts of your page, from Google's database.
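To keep pages out of the index in the first place, the standard mechanism is a robots.txt file at your web root. The directory names here are placeholders:

    # robots.txt -- ask crawlers not to fetch these paths
    User-agent: *
    Disallow: /private/
    Disallow: /install/

Keep in mind that robots.txt is a polite request honored by well-behaved crawlers, not access control: anything genuinely sensitive belongs behind authentication, not merely unlisted.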