How To Reveal Password Files With Google Search


Punct of ircsb.com revealed how you can find passwords using the Google search engine. Among the files that passwords can be retrieved from are auth_user_file.txt, passlist.txt, config.php, etc. If your web server or web hosting account is exposing these files, you are potentially at risk of a security breach.

Modified passwords

intitle:"Index of" passwords modified

auth_user_file.txt

allinurl:auth_user_file.txt

passlist.txt

inurl:passlist.txt

FrontPage files

"# -FrontPage-" inurl:service.pwd

config.php

intitle:"Index of" config.php

inline url passwords

"http://*:*@"

Entering the search keywords given by Punct into Google returns a list of URLs. Behind these URLs are password files containing usernames and passwords. I’ve tried and managed to get into one of them, but of course with a little unmentioned process in the middle. So be more alert about what you are revealing on your web account. For starters, make sure you have an index.html in all folders, to avoid all files in the folder getting listed.
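To check your own account for what the queries above look for, the following added example (not part of the original post) walks a local copy of a web root and reports both files with the names listed above and folders that have no index file. The function names, the `INDEX_NAMES` set and the sample folder layout are assumptions made for this illustration.

```python
import os
import tempfile

# File names taken from the search queries listed in the post.
SENSITIVE_NAMES = {"auth_user_file.txt", "passlist.txt", "service.pwd", "config.php"}
# Assumption: the index file names your web server is configured to serve.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def audit_webroot(root):
    """Return (sensitive_files, unindexed_dirs) as sorted paths relative to root."""
    sensitive, unindexed = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        lowered = {name.lower() for name in filenames}
        for name in filenames:
            if name.lower() in SENSITIVE_NAMES:
                sensitive.append(os.path.normpath(os.path.join(rel_dir, name)))
        # A folder without an index file is what "Index of" queries pick up
        # when the server has automatic directory listing enabled.
        if not lowered & INDEX_NAMES:
            unindexed.append(rel_dir)
    return sorted(sensitive), sorted(unindexed)

def build_sample_webroot(base):
    """Create a small constructed web root (no real credentials) for the demo."""
    layout = {
        "index.html": "<html></html>",
        "admin/passlist.txt": "constructed sample",
        "_vti_pvt/service.pwd": "# -FrontPage-\nconstructed sample",
        "blog/index.html": "<html></html>",
        "blog/config.php": "<?php /* constructed sample */",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        files, dirs = audit_webroot(build_sample_webroot(tmp))
        print("Sensitive files inside the web root:", files)
        print("Folders a server could auto-list:", dirs)
```

An index file only stops the folder from being listed; a password file that stays inside the web root can still be fetched by anyone who knows or guesses its URL, so files the first list reports should be moved out of the web root or have access to them denied.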


Posted by hongkiat in Web Tricks, at 03.04.08


Comments

  1. Ashrufzz March 4th, 2008

    That’s scary dude!!

  2. Sumesh March 4th, 2008

    Great – one more publicly exposed hackery. I wonder how much worse security can be.

    PS: You’re the top one in the Top commentators list. Don’t you think it’s odd? There’s a way to exclude users in the plugin.

  3. Louise March 4th, 2008

    It’s pretty scary to think that with a simple Google search something as important as passwords could be made public.

    That’s why I use a password manager: http://tinyurl.com/38jxny
    Louise

  4. Syahid A. March 5th, 2008

    Google is a scary monster too.

  5. Carbono March 5th, 2008

    WOW… I’m afraid. :)

  6. hongkiat March 6th, 2008

    Sumesh: Filtered myself out from the top commentators list.

  7. viettut March 7th, 2008

    Google is pretty much gathering all the information it gets its hands on. Sometimes I get the feeling that the Skynet system in the Terminator is Science Fiction anymore.

  8. Joey March 7th, 2008

    Scary to think people leave this kind of stuff freely available on the web and not only them but big companies (or more likely governments) too.

    @viettut Google has stated they want to index everything, and that appears to be exactly what they are doing. They let the ‘don’t be evil’ thing slide though.

  9. fedmich March 10th, 2008

    Scary, I think we should be very careful on the files that we put on our servers.

    Also, there’s even a cache of the pages on Google and other websites. So even if you remove the files upon realizing these problems, it still might be late…

  10. Grant Alan Friedline March 12th, 2008

    Of course Google can find password files if they are exposed in the web folder. Google spiders your whole website if it can. Same as other search engines. It is important to note that the search does not even have to be specifically for password files. Exploited files could just show up in a search for your website because Google has indexed them. Other important files can be found accidentally too (this happens when you are a new web programmer, you Google search your own website, and you wonder how the heck did Google find that hahahaa). Use htaccess inside file directories to limit access (Apache Web Server).

  11. danny March 19th, 2008

    And stop using gmail, of course!!!!
