Google Bombing
A Google bomb or Google wash is an
attempt to influence the ranking of a given
site in results returned by the Google
search engine. Due to the way that
Google's Page Rank algorithm works, a
website will be ranked higher if the sites
that link to that page all use consistent
anchor text.
4
So What Determines Page
Relevance and Rating?
• Exact Phrase: are your keywords found as
an exact phrase in any pages?
• Adjacency: how close are your keywords
to each other?
• Weighting: how many times do the
keywords appear in the page?
• PageRank/Links: How many links point to
the page? How many links are actually in
the page? Equation: (Exact Phrase Hit)+(AdjacencyFactor)+(Weight) *
(PageRank/Links)
From: Google 201, Advanced Googology - Patrick Crispen, CSU
5
Simply Put
• “Google allows for a great deal of target
reconnaissance that results in little or no
exposure for the attacker.” – Johnny Long
• Using Google as a “mirror” searches find:
– Google searches for Credit Card and SS #s
– Google searches for passwords
– CGI (active content) scanning
How Google Finds Pages
• Are only connected web pages indexed?
• NO!
– Opera submits every URL viewed to Google
for later indexing….
8
Johnny.ihackstuff.com
• Johnny Long
– Wrote Google Hacking for Penetration
Testers; ISBN 1931836361
– Many free online articles.
• Two PDFs cached at MattPayne.org/talks/gh
• See the references slide
• Or just use Google
9
Google and Zero Day Attacks
• Slashdot Headline: Net Worm Uses Google to Spread:
– Posted by michael on Tue Dec 21, '04 06:15 PM
from the web-service-takes-on-new-meaning dept.
troop23 writes "A web worm that
identifies potential victims by searching Google is spreading
among online bulletin boards using a vulnerable version of the
program phpBB, security professionals said on Tuesday. Almost
40,000 sites may have already been infected. In an odd twist if
you use Microsoft's Search engine to scan for the phrase
'NeverEverNoSanity'-- part of the defacement text that the Santy
worm uses to replace files on infected Web sites--returns nearly
39,000 hits." Reader pmf sent in a few more information links:
F-Secure weblog and Bugtraq posting. Update: 12/22 03:34
GMT by T: ZephyrXero links to this news.com article that says
Google is now squashing requests generated by the worm.
10
Local Example
• Monday 14 February, 2005
@10:11am
Update: Now it sounds like everyone was hit with an exploit on awstats
which took out quite a few bloggers and other sites. ==> Actually, phorum
got hit with it too!
After running my server something.net for quite awhile on 'borrowed time', it
eventually got hacked into - just this weekend. The "Simiens Crew" took
credit to a webpage defacement, and by doing some googling... they've hit
quite a few websites even just this last weekend! My best guess so far was
an attack on one of my many 3rd-party PHP-run services that I have not
taken the time to watch and patch for security announcements. Could have
been gallery, phorum, webcalendar, icalendar, etc... I'll do some
investigating and hopefully find out. I may have been lucky though, it sounds
like these were just defacements and not all-out attacks, other victims have
not reported any data loss at least. I can respect that. What I can't respect
though is the many defacements they've put up with "FrontPage" as the
HTML generator!
11
Enough BS, How Do I Get Results?
• Pick your keywords carefully & be specific
• Do NOT exceed 10 keywords
• Use Boolean modifiers
• Use advanced operators
• Google ignores some words*:
attempt to influence the ranking of a given
site in results returned by the Google
search engine. Due to the way that
Google's Page Rank algorithm works, a
website will be ranked higher if the sites
that link to that page all use consistent
anchor text.
4
So What Determines Page
Relevance and Rating?
• Exact Phrase: are your keywords found as
an exact phrase in any pages?
• Adjacency: how close are your keywords
to each other?
• Weighting: how many times do the
keywords appear in the page?
• PageRank/Links: How many links point to
the page? How many links are actually in
the page? Equation: (Exact Phrase Hit)+(AdjacencyFactor)+(Weight) *
(PageRank/Links)
From: Google 201, Advanced Googology - Patrick Crispen, CSU
5
Simply Put
• “Google allows for a great deal of target
reconnaissance that results in little or no
exposure for the attacker.” – Johnny Long
• Using Google as a “mirror” searches find:
– Google searches for Credit Card and SS #s
– Google searches for passwords
– CGI (active content) scanning
How Google Finds Pages
• Are only connected web pages indexed?
• NO!
– Opera submits every URL viewed to Google
for later indexing….
8
Johnny.ihackstuff.com
• Johnny Long
– Wrote Google Hacking for Penetration
Testers; ISBN 1931836361
– Many free online articles.
• Two PDFs cached at MattPayne.org/talks/gh
• See the references slide
• Or just use Google
9
Google and Zero Day Attacks
• Slashdot Headline: Net Worm Uses Google to Spread:
– Posted by michael on Tue Dec 21, '04 06:15 PM
from the web-service-takes-on-new-meaning dept.
troop23 writes "A web worm that
identifies potential victims by searching Google is spreading
among online bulletin boards using a vulnerable version of the
program phpBB, security professionals said on Tuesday. Almost
40,000 sites may have already been infected. In an odd twist if
you use Microsoft's Search engine to scan for the phrase
'NeverEverNoSanity'-- part of the defacement text that the Santy
worm uses to replace files on infected Web sites--returns nearly
39,000 hits." Reader pmf sent in a few more information links:
F-Secure weblog and Bugtraq posting. Update: 12/22 03:34
GMT by T: ZephyrXero links to this news.com article that says
Google is now squashing requests generated by the worm.
10
Local Example
• Monday 14 February, 2005
@10:11am
Update: Now it sounds like everyone was hit with an exploit on awstats
which took out quite a few bloggers and other sites. ==> Actually, phorum
got hit with it too!
After running my server something.net for quite awhile on 'borrowed time', it
eventually got hacked into - just this weekend. The "Simiens Crew" took
credit to a webpage defacement, and by doing some googling... they've hit
quite a few websites even just this last weekend! My best guess so far was
an attack on one of my many 3rd-party PHP-run services that I have not
taken the time to watch and patch for security announcements. Could have
been gallery, phorum, webcalendar, icalendar, etc... I'll do some
investigating and hopefully find out. I may have been lucky though, it sounds
like these were just defacements and not all-out attacks, other victims have
not reported any data loss at least. I can respect that. What I can't respect
though is the many defacements they've put up with "FrontPage" as the
HTML generator!
11
Enough BS, How Do I Get Results?
• Pick your keywords carefully & be specific
• Do NOT exceed 10 keywords
• Use Boolean modifiers
• Use advanced operators
• Google ignores some words*:
0 comments:
Post a Comment