AntiOnline Spotlight: Google Hack Honeypot
By Enterprise IT Planet Staff
February 16, 2005
No one will ever accuse Google's crawler of not being thorough.
Gather some insight into how attackers are using Web searches as a prelude to an attack.
Google and other search engines have exposed Web servers that were foolishly left to operate in their default configurations and unearthed publicly shared documents containing some very private details. At this very moment, some "eyes only" webcam feeds are being spied upon the world over.
For all the help Google provides in finding one's way online, it's turning out to be a hindrance for careless or simply overburdened server admins.
So what can you do about it? Sure, you can delve into Google's advanced search options and plug away until you uncover something, or you can take a more direct approach.
Being the take-charge types that they are, AO members aren't waiting around to get hacked. This week, as a Valentine's Day gift to secadmins everywhere, Soda_Popinsky posted a handy tutorial on rolling your own custom Web-based Google Hack Honeypot.
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
This Week's Spotlight Thread:
Google Hack Honeypot
First things first...
What is GHH?
GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a "Google Hack" honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence.
What is a honeypot?
A honeypot is, to quote Lance Spitzner, founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put, a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts, observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot, can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
All well and good, but why lure search engine hackers? It helps if you understand what they do and what they are capable of.
What are search engine hackers and why should I care?
Google has developed a powerful tool. The search engine that Google has implemented allows for searching on an immense amount of information. The Google index has swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet.
These insecure tools, when combined with the power of a search engine and index, which Google provides, result in a convenient attack vector for malicious users. It is in your best interest to be knowledgeable of, and protect yourself from, this threat.
This threat is amplified by tools like Foundstone's Sitedigger, and Wikto, which automate this technique.
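One way the honeypot log described above could be turned into a per-host record for blocking or abuse reports, as an added example (not GHH's own code or log format). It assumes a decoy page at the hypothetical path `/admin/status.php` and Apache combined-format access log lines, constructed here with documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumption: the decoy (honeypot) page lives at this hypothetical path.
HONEYPOT_PATH = "/admin/status.php"

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2005:10:01:12 +0000] "GET /admin/status.php HTTP/1.1" 200 512 "http://www.google.com/search?q=intitle%3A%22status+page%22+inurl%3Aadmin&hl=en" "Mozilla/4.0"
198.51.100.23 - - [14/Feb/2005:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2005:10:06:02 +0000] "GET /admin/status.php?cmd=list HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Feb/2005:11:30:19 +0000] "GET /admin/status.php HTTP/1.1" 200 512 "-" "ExampleScanner/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def search_query(referer):
    """Return the search terms carried in a referer URL, or None."""
    if referer in ("", "-"):
        return None
    url = urlparse(referer)
    terms = parse_qs(url.query).get("q")
    return terms[0] if terms and url.path.startswith("/search") else None

def honeypot_hits(log_text, path=HONEYPOT_PATH):
    """Group honeypot requests by source IP with any search query seen."""
    hits = defaultdict(lambda: {"count": 0, "queries": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlparse(m["target"]).path != path:
            continue  # unparseable line or ordinary traffic
        entry = hits[m["ip"]]
        entry["count"] += 1
        query = search_query(m["referer"])
        if query:
            entry["queries"].add(query)
    return dict(hits)

if __name__ == "__main__":
    for ip, info in sorted(honeypot_hits(SAMPLE_LOG).items()):
        print(ip, info["count"], sorted(info["queries"]) or "no search referer")
```

Hosts that reach the decoy with no search referer, as the third sample address does, are still recorded, since a legitimate visitor has no reason to request a page that is linked from nowhere.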
Now it's time to roll up your sleeves, set up GHH by grabbing the relevant files and documentation at SourceForge, and see how attackers are attempting to break into your network. Click this link