
Punct of ircsb.com revealed how you can actually find passwords by using the Google search engine. Among the files that you can retrieve passwords from are auth_user_file.txt, passlist.txt, config.php, etc. If your web server or your web hosting account is revealing these files, you are potentially at risk of a security breach.
Modified passwords
intitle:"Index of" passwords modified
auth_user_file.txt
allinurl:auth_user_file.txt
passlist.txt
inurl:passlist.txt
FrontPage files
"# -FrontPage-" inurl:service.pwd
config.php
intitle:"Index of" config.php
Inline URL passwords
"http://*:*@"
Using the search keywords given by Punct in Google, you are returned a list of URLs. Behind these URLs are password files containing usernames and passwords. I’ve tried and managed to get into one of them, but of course with a little unmentioned process in the middle. So be more alert about what you are revealing on your web account. For starters, make sure you have an index.html in all folders, to avoid all files in the folder getting listed.
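A defensive check for the exposures described above, as an added example that is not part of the original post: it walks a local copy of your own web root and reports the file names from the queries, folders with no index file, and files holding URLs with embedded credentials. The function names, the extra index file names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# File names taken from the search queries listed in the post.
SENSITIVE_NAMES = {"auth_user_file.txt", "passlist.txt", "service.pwd", "config.php"}
# Assumption: any of these index files suppresses an automatic directory listing.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Credentials embedded in a URL, the pattern behind the "http://*:*@" query.
INLINE_CRED = re.compile(rb"https?://[^\s/:@]+:[^\s/@]+@")


def audit_webroot(root):
    """Return a sorted list of (finding, relative_path) for a local web root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        lowered = {name.lower() for name in filenames}
        if not lowered & INDEX_NAMES:
            findings.append(("no-index-file", rel_dir))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower() in SENSITIVE_NAMES or "passw" in name.lower():
                findings.append(("sensitive-filename", rel))
            with open(os.path.join(dirpath, name), "rb") as fh:
                if INLINE_CRED.search(fh.read(1 << 20)):  # first 1 MiB only
                    findings.append(("inline-url-credentials", rel))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample tree (not real data) so the audit runs offline."""
    os.makedirs(os.path.join(base, "admin"))
    os.makedirs(os.path.join(base, "blog"))
    files = {
        "index.html": "<h1>home</h1>",
        "blog/index.html": "<a href='http://example.test/'>ok</a>",
        "admin/passlist.txt": "placeholder",
        "admin/notes.txt": "backup via http://user:secret@example.test/dump",
    }
    for rel, text in files.items():
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(*audit_webroot(tmp), sep="\n")
```

A "no-index-file" finding only matters if the server has automatic listings enabled, and config.php is flagged for review because it is named in the queries, not because its presence is wrong by itself.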
Posted by hongkiat in Web Tricks, at 03.04.08
Comments
Ashrufzz March 4th, 2008
That’s scary dude!!
Sumesh March 4th, 2008
Great – one more publicly exposed hackery. I wonder how much worse security can be.
PS: You’re the top one in Top commentators list. Don’t you think it’s odd? There’s a way to exclude users in the plugin.
Louise March 4th, 2008
It’s pretty scary to think that with a simple Google search something as important as passwords could be made public.
That’s why I use a password manager: http://tinyurl.com/38jxny
Syahid A. March 5th, 2008
Google is a scary monster too.
Carbono March 5th, 2008
WOW… I’m afraid. :)
hongkiat March 6th, 2008
Sumesh: Filtered myself out from top commentators name.
viettut March 7th, 2008
Google is pretty much gathering all the information it gets its hands on. Sometimes I get the feeling that the Skynet system in the Terminator is Science Fiction anymore
Joey March 7th, 2008
Scary to think people leave this kind of stuff freely available on the web and not only them but big companies (or more likely governments) too.
@viettut Google has stated they want to index everything, that appears to be exactly what they are doing, they let the ‘don’t be evil’ thing slide though.
fedmich March 10th, 2008
Scary, I think we should be very careful on the files that we put on our servers.
Also, there’s even a cache of the pages on Google and other websites. So even if you remove the files upon realizing this problem, it still might be late…
Grant Alan Friedline March 12th, 2008
Of course Google can find password files if they are exposed in the web folder. Google spiders your whole website if it can. Same as other search engines. It is important to note that the search does not even have to be specifically for a password file. Exploited file could just show up in a search for your website because Google has indexed them. Other important files can be found accidentally too (this happens when you are a new web programmer, you google search your own website, and you wonder how the heck did Google find that hahahaa). Use htaccess inside file directories to limit access (Apache Web Server).
danny March 19th, 2008
And stop using gmail, of course!!!!