
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-07-07



Defensive Googling

Published: 2007-07-07
Last Updated: 2007-07-08 00:41:45 UTC
by Kevin Liston (Version: 1)

As cousin Tom reported yesterday, system compromises can become embarrassingly public via Google searches (or what Johnny Long refers to as Googledorks).

A reader saw Tom's post and sent in his own Google search command that exposes many .gov sites compromised to host porn.

It's not a bad idea to use Google as an Intrusion Detection System. The notice comes a bit late, but it's better to find out that way than to have guys in suits show up at your office to confiscate systems.

Relying on the "site:" syntax, you can scan your organization's web presence for embarrassing exposures.  For example:

site:myorg.org porn

site:mygov.gov cialis buy

To filter that list down, you can add additional qualifiers like Tom's filetype:html (or filetype:htm or filetype:asp if you run a Windows shop).

These are very simple examples. For additional search terms, one could examine what people are looking for on Google using:

http://google.com/trends

http://www.google.com/press/zeitgeist.html

You can also skim through your users' proxy logs to see what they're searching for, with the warning that this might not be legal in your region, and what you find most certainly won't be family-friendly.
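The two steps above can be chained, shown here as an added example that is not part of the original diary: pull the search phrases out of proxy log lines, then turn the most frequent ones into "site:" queries against your own domains. It assumes Squid-style native log lines with the URL in the seventh field; the log lines are constructed, and the function names `search_terms` and `site_queries` are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample proxy log lines (Squid-style native format), not real traffic.
SAMPLE_LOG = """\
1183800000.123 210 10.0.0.5 TCP_MISS/200 5120 GET http://www.google.com/search?q=buy+cialis&hl=en - DIRECT/192.0.2.10 text/html
1183800010.456 180 10.0.0.7 TCP_MISS/200 4200 GET http://www.google.com/search?hl=en&q=cheap%20viagra - DIRECT/192.0.2.10 text/html
1183800020.789 95 10.0.0.5 TCP_MISS/200 900 GET http://example.com/index.html - DIRECT/192.0.2.20 text/html
1183800030.000 200 10.0.0.9 TCP_MISS/200 5000 GET http://www.google.com/search?q=Buy+Cialis - DIRECT/192.0.2.10 text/html
"""

def search_terms(log_text):
    """Count Google search phrases (the q= parameter) seen in proxy log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete log line
        url = urlsplit(fields[6])  # assumption: URL is the seventh field
        host = (url.hostname or "").lower()
        if not (host == "google.com" or host.endswith(".google.com")):
            continue
        if url.path != "/search":
            continue
        for q in parse_qs(url.query).get("q", []):
            phrase = " ".join(q.lower().split())  # normalise case and spacing
            if phrase:
                counts[phrase] += 1
    return counts

def site_queries(domains, phrases, filetypes=("html",)):
    """Build one site:-restricted query and URL per domain, phrase and filetype."""
    out = []
    for d in domains:
        for p in phrases:
            for ft in filetypes:
                q = f"site:{d} {p} filetype:{ft}"
                out.append((q, "http://www.google.com/search?" + urlencode({"q": q})))
    return out

if __name__ == "__main__":
    top = [p for p, _ in search_terms(SAMPLE_LOG).most_common(5)]
    for q, url in site_queries(["myorg.org"], top, ("html", "asp")):
        print(q, "->", url)
```

Run on a schedule and reviewed by hand, the resulting list gives a repeatable check of your own domains rather than a one-off search.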

----------------------------------------------------------------

Kevin Liston (kliston -at- isc.sans.org)
