Geeks With Blogs
My Place For SQL: Let's Talk SQL

A few days back I read about hackers using Google's services to get into our SQL databases. I was stunned and tried it to see whether it really works. Stunned that it does, as a beginner and as an administrator I took it as a new challenge to find out the ways to block such attacks. I am putting some extracts from certain articles here in this blog that can be helpful to us DBAs.

But what was within my capacity to stop was, more or less, hacker spiders coming in through the bad code written by programmers, code that helped them crawl in.

A few articles noteworthy here are:

Try it. Type the phrases "access denied for user" and "using password" into Google. I did, and found 103,000 returned Web pages, some volunteering their SQL error messages. And among these were Web sites that gave such harmless information as user IDs, SQL Server stats and configuration details.

There are certain Web sites that even give the keywords to search for and the paths to follow to get into our databases.

It will depend on what information you've carelessly exposed -- and what information was trawled. Using Google, hackers have been known to spy on photocopiers, discover passwords, monitor server activities and more.

Gerry Chng, who manages Ernst and Young's technology and risk services, suggests that the following two situations put us at risk.

The first is when one links sensitive documents with URLs, or annotates documents with HTML tags. "Web spiders will only crawl to places where they see a link," said Gerry. But watch out for the not-so-obvious Web linkages, such as developers commenting out test code using HTML comment tags: the browser does not render a commented-out link, but it still travels in the page source that every crawler and every "view source" reader receives. "Once a bot sees this link, it will try crawling into those areas," he said.

The second instance where sensitive data exposure can happen is when application errors occur during a spider visit. In the case of SQL-driven web applications, one may see SQL error messages as a result. Even transient errors can mean exposure. He said: "If you visit this site later, the error message may be gone, but Google caches the results it sees."

Which means hackers interested in, say, SQL injection attacks can use Google hacking techniques to pick out Web sites that are likely vulnerable, because a cached error message shows that user input reached a query unescaped and usually names the database and driver sitting behind the page.

In fact, network admins should probably worry more about having error messages cached by search engines than about Web-linked files, because transient, auto-generated error messages are likely to be unforeseen and can stay in Google's reach long after the page itself has been fixed. You can, however, ask Google to remove the cached links.
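The same error-message phrases that attackers search for can be turned around to check what your own pages leak. The following Python script is an added example, not code from the article or from this post: it runs a small set of well-known database error signatures over page bodies (constructed samples standing in for cached copies of a site's pages) and builds the site-restricted search queries an administrator can paste into Google to see what has already been indexed. The signature list, the sample pages and the example.test host are this example's own assumptions.

```python
import re

# Well-known driver/database error fragments that Google-hacking queries key on.
# Each entry: (database fingerprinted, phrases that must ALL appear in the page).
# The selection is this example's own, not the article's.
SQL_ERROR_SIGNATURES = [
    ("MySQL", ("access denied for user", "using password")),
    ("MySQL", ("You have an error in your SQL syntax",)),
    ("Microsoft SQL Server", ("Unclosed quotation mark before the character string",)),
    ("Microsoft SQL Server", ("Microsoft OLE DB Provider for ODBC Drivers error",)),
    ("Oracle", ("ORA-01756",)),   # "quoted string not properly terminated"
    ("PostgreSQL", ("PostgreSQL query failed",)),
]


def find_leaks(pages):
    """Return [(url, dbms, matched phrases)] for every page whose body carries a
    database error message. `pages` is an iterable of (url, body) pairs."""
    hits = []
    for url, body in pages:
        lowered = body.lower()
        for dbms, phrases in SQL_ERROR_SIGNATURES:
            if all(p.lower() in lowered for p in phrases):
                hits.append((url, dbms, phrases))
                break  # one signature is enough to flag the page
    return hits


def site_queries(host):
    """Build the site-restricted Google queries that would surface each
    signature on `host`, so an admin can check what is already indexed."""
    return ["site:%s %s" % (host, " ".join('"%s"' % p for p in phrases))
            for _dbms, phrases in SQL_ERROR_SIGNATURES]


# Constructed sample bodies standing in for cached copies of a site's pages.
SAMPLE_PAGES = [
    ("http://example.test/products.asp?id=1'",
     "<html><body><font face=\"Arial\" size=2>Microsoft OLE DB Provider for ODBC Drivers"
     " error '80040e14'<br>[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed"
     " quotation mark before the character string '1'.</font></body></html>"),
    ("http://example.test/login.php",
     "Warning: mysql_connect(): Access denied for user 'webapp'@'localhost'"
     " (using password: YES) in /var/www/db.php on line 12"),
    ("http://example.test/about.html",
     "<html><body>About us</body></html>"),
]

if __name__ == "__main__":
    for url, dbms, phrases in find_leaks(SAMPLE_PAGES):
        print("%s leaks a %s error: %s" % (url, dbms, " + ".join(phrases)))
    print("Queries to run against the live index:")
    for q in site_queries("example.test"):
        print("  " + q)
```

Point the same function at a crawl of your own site (or at the bodies Google's cache returns for it) and you get the attacker's view before the attacker does; a hit means the page has been leaking at least once, whether or not it errors today.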

So what can one do to foil Google hacks?

Make sure your applications do not generate unhandled error messages. "Having custom error message-handling replies lowers the chance for a generic search," he said. Apply the concept of "don't be low-hanging fruit." The custom reply must carry none of the driver's detail: a friendly page that still prints the exception text is just as searchable as the default one, so log the detail on the server and send the browser a fixed message.

  • Make sure directory listing is disabled for all folders. And avoid storing lists of URLs in a folder where a spider can crawl to. Note that putting such paths in robots.txt does not hide them: that file is public and reads like a map of what you would rather not be found.
  • Links to administrative pages should never be placed on a Web page. This only encourages the spider to crawl there, and subsequently cache it.
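What "custom error handling" actually buys you, as an added example (not code from the article, from Gerry Chng, or from this post): a product lookup written two ways, in Python against an in-memory SQLite database standing in for the SQL Server behind an ASP page. The "before" version concatenates the URL parameter into the query and echoes the driver's exception into the response, which is exactly the page a spider caches; the "after" version binds the parameter, returns a fixed message, and keeps the detail in the server log. The table, sample rows, handler names and the fixed message text are this example's assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("webapp")

# The only thing a browser (or a crawler) ever gets to see on failure.
GENERIC_ERROR = "Sorry, this page is temporarily unavailable."


def make_db():
    """Constructed in-memory SQLite database standing in for the real server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget")])
    return conn


def broken_db():
    """Constructed failure case: a database with no products table at all."""
    return sqlite3.connect(":memory:")


def vulnerable_product_page(conn, product_id):
    """The 'before': query built by string concatenation, and the raw driver
    error sent back in the response body. Returns (status, body)."""
    try:
        sql = "SELECT name FROM products WHERE id = " + product_id
        row = conn.execute(sql).fetchone()
        return 200, "Product: %s" % (row[0] if row else "not found")
    except sqlite3.Error as exc:
        # This is what a crawler sees and what a search engine caches: the
        # database type and where the syntax broke, i.e. proof that the
        # parameter reaches the query unescaped.
        return 500, "Database error: %s" % exc


def hardened_product_page(conn, product_id):
    """The 'after': bound parameter, generic client-facing message, and the
    exception detail written only to the server log. Returns (status, body)."""
    try:
        row = conn.execute("SELECT name FROM products WHERE id = ?",
                           (product_id,)).fetchone()
        return 200, "Product: %s" % (row[0] if row else "not found")
    except sqlite3.Error as exc:
        # Operators still get the detail; the browser, and Google, do not.
        log.error("product lookup failed for id=%r: %s", product_id, exc)
        return 500, GENERIC_ERROR


if __name__ == "__main__":
    conn = make_db()
    probe = "1'"   # the classic single-quote probe a scanner sends
    for name, handler in (("vulnerable", vulnerable_product_page),
                          ("hardened", hardened_product_page)):
        print(name, handler(conn, "1"), handler(conn, probe))
    # A genuine failure (table missing) must not leak through the hardened page either.
    print("hardened, broken db:", hardened_product_page(broken_db(), "1"))
```

With the bound parameter the single-quote probe is just a value that matches nothing, so no error is raised at all; when something really does break, the response is the same fixed sentence every time and there is nothing for a "Database error" search to find.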

Another tip: organisations should instil proper change controls when it comes to code changes. "I have seen developers commenting out previous code which could still link to certain directories, or contain information about the changes made," said Gerry. Scary.

So there you have it.

But unfortunately, or fortunately for some of us, Google doesn't stand still. Last month, Google launched its first desktop search engine. So it may not be too long before the perils of search engine hacking move into intranets and internal networks.

And don't forget that other search engines offer search features that are different from, and in some cases better than, Google's. So there is a big job ahead for network specialists and administrators to secure the environment.

Some cool links to follow:

  • Google protects its search results
  • Hackers use Google to access photocopiers
  • Google acts to cover up phishing hole
  • Hackers harness Google to hunt for weaknesses

Posted on Sunday, November 14, 2004 8:46 PM

Comments on this post: SQL uncensored hacking from Google

No comments posted yet.

Copyright © Veer Ji Wangoo