
Punct of ircsb.com showed how you can find passwords simply by using the Google search engine. Among the files that give passwords away are auth_user_file.txt, passlist.txt, config.php and similar. If your web server or web hosting account is exposing these files, you are at risk of a security breach.
Modified passwords:
    intitle:"Index of" passwords modified

auth_user_file.txt:
    allinurl:auth_user_file.txt

passlist.txt:
    inurl:passlist.txt

FrontPage files (service.pwd):
    "# -FrontPage-" inurl:service.pwd

config.php:
    intitle:"Index of" config.php

Inline URL passwords:
    "http://*:*@"
Searching Google with the keywords Punct gives returns a list of URLs. Behind these URLs are password files containing usernames and passwords. I tried it and managed to get into one of them, though with a little unmentioned process in the middle. So be more alert about what you are revealing on your web account. For starters, make sure every folder has an index.html so the server does not list the folder's contents. Keep in mind that an index page only hides files from the listing; anyone who already knows the file name can still fetch it. The proper fix is to disable directory listing in the server configuration (Options -Indexes on Apache) and to keep password and configuration files outside the document root altogether.
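To audit your own site for the exposures this post describes, here is an added example script (not code from the original post or from Punct). It fetches the well-known paths the dork queries target and classifies each response: an Apache "Index of" listing, a FrontPage service.pwd header, htpasswd-style hashes, a colon-separated credential list, PHP source being served as text, and URLs carrying inline credentials. The path list, the FrontPage _vti_pvt location and the detection patterns are this example's assumptions; only run it against servers you own.

```python
"""Self-audit for Google-dorkable password and config exposures.

Added example, not from the original post. Run as:
    python audit_exposure.py http://www.example.com/
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths matching the search queries in the post. The FrontPage location
# (_vti_pvt/service.pwd) is the usual FrontPage layout, assumed here.
SENSITIVE_PATHS = [
    "auth_user_file.txt",
    "passlist.txt",
    "config.php",
    "config.php.bak",          # backup copies are served as plain text
    "_vti_pvt/service.pwd",
    "passwords/",
]

# Apache-style directory listing: <title>Index of /...</title> or <h1>...
INDEX_RE = re.compile(r"<(?:title|h1)>\s*Index of\s+/", re.IGNORECASE)
# First line of a FrontPage service.pwd file.
FRONTPAGE_RE = re.compile(r"^#\s*-FrontPage-", re.MULTILINE)
# user:hash lines as written by htpasswd (MD5, bcrypt, SHA1, DES crypt).
HTPASSWD_RE = re.compile(
    r"^[^\s:]+:(?:\$apr1\$|\$2[aby]\$|\{SHA\}|[A-Za-z0-9./]{13}$)", re.MULTILINE)
# Generic user:secret lines, e.g. a plain-text passlist.txt.
CRED_LINE_RE = re.compile(r"^[^\s:]{1,64}:[^\s:]{1,128}$", re.MULTILINE)
# http://user:pass@host, the "http://*:*@" query from the post.
INLINE_CRED_RE = re.compile(r"https?://[^\s/:@]+:[^\s/@]+@[^\s/\"'<>]+")


def classify(path, status, body):
    """Return the kinds of exposure found in one fetched resource."""
    kinds = []
    if status != 200:
        return kinds
    if INDEX_RE.search(body):
        kinds.append("directory-listing")
    if FRONTPAGE_RE.search(body):
        kinds.append("frontpage-pwd")
    if HTPASSWD_RE.search(body):
        kinds.append("htpasswd")
    # Three or more user:secret lines in a non-HTML body looks like a list.
    if "<html" not in body.lower() and len(CRED_LINE_RE.findall(body)) >= 3:
        kinds.append("credential-list")
    # A .php file that comes back containing "<?php" was served, not executed.
    if ".php" in path and "<?php" in body:
        kinds.append("php-source")
    # Report the presence only; never echo the credential itself.
    if INLINE_CRED_RE.search(body):
        kinds.append("inline-url-credentials")
    return kinds


def fetch(url, timeout=10):
    """Fetch a URL; return (status, first 64 KiB of body as text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def scan(base_url, paths=SENSITIVE_PATHS):
    """Probe each path under base_url; map path -> exposure kinds found."""
    if not base_url.endswith("/"):
        base_url += "/"
    results = {}
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        kinds = classify(path, status, body)
        if kinds:
            results[path] = kinds
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    findings = scan(base)
    if not findings:
        print("nothing exposed at the probed paths")
    for path, kinds in findings.items():
        print(f"{path}: {', '.join(kinds)}")
```

A clean result from this script only means the probed names are not served; it says nothing about files under other names that a crawler may already have indexed, so pair it with a site: search for the queries above and check the Google cache as well.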
Posted by hongkiat in Web Tricks, at 03.04.08
Comments
March 4th, 2008 at 2:28 pm
That’s scary dude!!
comment
March 4th, 2008 at 7:02 pm
Great - one more publicly exposed hackery. I wonder how much worse security can be.
PS: You’re the top one in the Top commentators list. Don’t you think it’s odd? There’s a way to exclude users in the plugin.
comment
March 4th, 2008 at 8:27 pm
It’s pretty scary to think that with a simple Google search something as important as passwords could be made public.
That’s why I use a password manager: http://tinyurl.com/38jxny
Louise
comment
March 5th, 2008 at 2:47 am
Google is a scary monster too.
comment
March 5th, 2008 at 10:59 pm
WOW… i’m afraid. :)
comment
March 6th, 2008 at 10:54 pm
Sumesh: Filtered myself out from the top commenters' names.
comment
March 7th, 2008 at 7:13 pm
Google is pretty much gathering all the information it gets it hands on. Sometimes I get the feeling that the Skynet system in the Terminator is Science Fiction anymore
comment
March 7th, 2008 at 8:17 pm
Scary to think people leave this kind of stuff freely available on the web and not only them but big companies (or more likely governments) too.
@viettut Google has stated they want to index everything, and that appears to be exactly what they are doing; they let the ‘don’t be evil’ thing slide, though.
comment
March 10th, 2008 at 12:19 am
Scary. I think we should be very careful with the files that we put on our servers.
Also, there’s even a cache of the pages on Google and other websites. So even if you remove the files upon realizing this problems, it still might be late…
comment
March 12th, 2008 at 1:38 am
Of course Google can find password files if they are exposed in the web folder. Google spiders your whole website if it can, same as other search engines. It is important to note that the search does not even have to be specifically for password files. An exploited file could just show up in a search for your website because Google has indexed it. Other important files can be found accidentally too (this happens when you are a new web programmer: you Google search your own website, and you wonder how the heck Google found that, hahahaa). Use .htaccess inside file directories to limit access (Apache web server).
comment
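The .htaccess approach mentioned in the comment above, as an added example that is not from the post or the commenter. It uses Apache 2.4 syntax (on 2.2, replace "Require all denied" with "Order deny,allow" followed by "Deny from all") and assumes the server's AllowOverride permits Options and FileInfo directives in .htaccess. The file names are the ones the dork queries target plus common backup suffixes; adjust them to your site.

```apache
# .htaccess in the document root (added example, not the post's own config).
# Requires: AllowOverride Options FileInfo Limit (or All) in httpd.conf.

# Never generate "Index of /" pages, whether or not index.html exists.
Options -Indexes

# Refuse to serve the password and credential files the queries look for.
<FilesMatch "^(auth_user_file\.txt|passlist\.txt|service\.pwd|\.ht.*)$">
    Require all denied
</FilesMatch>

# Backup or editor copies of config.php are served as plain text, not run
# through PHP, so the database password inside them is readable. Deny them.
<FilesMatch "^config\.php(\.(bak|old|orig|save|swp|txt)|~)$">
    Require all denied
</FilesMatch>

# Hide the FrontPage private directory entirely (mod_alias, FileInfo).
RedirectMatch 404 "^/_vti_pvt(/|$)"
```

Denying access stops the web server from handing the files out, but it does not remove copies a search engine cached before the rule existed, and it does nothing for a file that a crawler reached under a name not listed here. Moving credential and configuration files above the document root removes the problem rather than filtering it.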
March 19th, 2008 at 4:57 pm
And stop using gmail, of course!!!!
comment