Site defaced - what next?

Timothy M. Lyons lyons at digitalvoodoo.org
Sun Aug 8 14:05:01 EDT 2004


----- Original Message ----- 
From: "Greg Rundlett" <greg at freephile.com>
...
> *The tools they used*
> Google -helps script kiddies find my exploitable file phpexplorer.  I
> didn't put this script on my server, and I don't know how Google found
> it.  All I can tell you from my server logs is that people are searching
> for this script and my site comes at the top of the list.
...

FWIW - If any of the little crackers had Google toolbar installed (in Advanced
mode), I have noticed that Google hits the site right behind the user.  It
sorta takes that whole issue about tracking user information to the next
level.

While reviewing logs, I also noticed that Google seems to use the credentials
of the user logged into the website to search more effectively.  I wasn't too
thrilled to see that I had logged in from a Google IP and accessed 250+ page
views on my site -- a large chunk of them meant to be internal or private (and
are secured appropriately). This was happening in almost real-time.

Now this may just be a fluke, possibly a side-effect of having being an
adwords publisher but the spider was definitely not paying any attention to my
robots.txt file.

Here's an example of a new user that hit the site for the first time last
night - I know he uses the Google toobar:(lines will wrap)

h00111a508b2c.ne.client2.attbi.com - - [08/Aug/2004:07:44:59 -0400] "GET
/modules.php?name=Your_Account&op=activate&username=USER&ch
eck_num=35b711e1be9069719048dffa5b3 HTTP/1.1" 200 19012
64.233.173.134 - - [08/Aug/2004:07:45:03 -0400] "GET
/modules.php?name=Your_Account&op=activate&username=USER&check_num=35b711e1be9
0
69719048dffa5b3 HTTP/1.1" 200 19012

h00111a508b2c.ne.client2.attbi.com - - [08/Aug/2004:07:45:35 -0400] "GET
/modules.php?name=Forums&file=viewforum&f= HTTP/1.1" 200 40731
64.233.173.134 - - [08/Aug/2004:07:45:36 -0400] "GET
/modules.php?name=Forums&file=viewforum&f=7 HTTP/1.1" 200 41999

Anyone else see a pattern here?

--Tim










More information about the Discuss mailing list