Although stories in the mainstream media about Google hacking just started last year, Google hacks have been around for almost as long as Google itself. The idea behind a Google hack is that the hacker can use the Google search engine in a way that reveals confidential data by exploiting a poorly written Web application. Fortunately, there is a new type of Web application called a Google Hack Honeypot that allows you to monitor Google hack activity directed at your Web site.
The anatomy of a Google hack
Right now you are probably wondering how Google can possibly be used to hack a Web site. The technique behind a Google hack is frighteningly simple. It's so simple, in fact, that it has long been regarded as an urban legend.
A classic example of a Google hack is to use the range tool (a double period) to hunt for credit card numbers. Rumor has it that Google now blocks this particular exploit, but the technique can be applied to other types of hacks.
Hackers look at the first four digits on your credit card. Suppose for instance that the numbers are 4052 (this is a random number, not a number off of my credit card). Hackers know that credit card account numbers are typically 16 digits long. They also know that the first four digits in a card's number tell a lot about the type of card. Therefore, there are lots of cards that share the same first four digits. A hacker can then use the range tool to hunt for other credit card numbers that start with 4052. To do so, a hacker would simply enter 4052000000000000..4052999999999999 into the Google search engine. This tells Google to search for Web sites containing any 16-digit number starting with 4052.
Of course there are lots of Web sites that contain 16-digit numbers other than credit card numbers. Keep in mind, though, that the more numbers in this range that Google finds, the higher the page ranking will be. This means that a page full of credit card numbers containing 4052 would likely be toward the very top of the list.
See how easy that was? Right now you may be wondering who in their right mind would publish a page full of credit card numbers on the Internet. The answer is nobody. Poorly constructed Web applications that sell products on the Internet are the problem. The Google spider follows the links it finds on a page, including "invisible links," and indexes whatever those links lead to. Some poorly constructed Web sites have invisible links to backend data, such as customer lists. A consumer would never see these links, but a search engine does, and therefore indexes the content.
Google Hack Honeypot to the rescue
This is where the Google Hack Honeypot comes in. The idea behind a Google Hack Honeypot is that it places an invisible link onto your Web site. Just like the case with a poorly constructed application, visitors to your site will never see this link, but Google will. However, instead of providing access to backend data, the link directs would-be hackers to a PHP script that logs their activity. Your site's real backend is never exposed through this link.
The best part is that you can get the Google Hack Honeypot for free. It is available for download under the GNU General Public License.
Protecting your Web server against Google hacks
The Google Hack Honeypot will not stop anyone from performing a Google hack against you. All it does is log potentially malicious activity against the honeypot. You can, however, use the log's contents to protect your server.
For example, since the log contains things like the IP address or the domain name from which the hack originated, you could plug this information into your firewall and block Web traffic from those sources. Likewise, Internet Information Server contains filters that you could use in conjunction with the information from your honeypot to block malicious traffic.
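As an added illustration (not part of the original article and not the Google Hack Honeypot's own code), the Python below turns honeypot log entries into a list of source addresses to review for blocking, skipping the search engine's own spider, which follows the invisible link as well. The log layout, the sample lines and the names `SAMPLE_LOG`, `CRAWLER_MARKERS`, `search_query` and `block_candidates` are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample log in an assumed layout (not GHH's own): time, IP, Referer, User-Agent.
SAMPLE_LOG = """\
2006-08-01T10:02:11,203.0.113.7,http://www.google.com/search?q=constructed+bait+phrase,Mozilla/4.0
2006-08-01T10:02:40,203.0.113.7,http://www.google.com/search?q=constructed+bait+phrase,Mozilla/4.0
2006-08-01T11:15:03,192.0.2.10,-,Googlebot/2.1 (+http://www.google.com/bot.html)
2006-08-01T12:30:59,198.51.100.23,http://www.google.com/search?q=another+bait+phrase,Mozilla/5.0
2006-08-01T12:45:00,not-an-ip,-,Mozilla/5.0
"""

CRAWLER_MARKERS = ("googlebot",)  # assumed spider marker; User-Agent is spoofable


def search_query(referer):
    """Return the q= term if the Referer is a Google results page, else None."""
    url = urlparse(referer)
    if url.hostname and url.hostname.startswith("www.google.") and url.path == "/search":
        return parse_qs(url.query).get("q", [None])[0]
    return None


def block_candidates(log_text, min_hits=1):
    """Map source IP -> (hit count, search terms seen) for non-crawler hits."""
    hits, queries = Counter(), {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue
        _, src, referer, agent = row
        try:
            ip = str(ipaddress.ip_address(src))
        except ValueError:
            continue  # malformed source field must never reach a firewall rule
        if any(m in agent.lower() for m in CRAWLER_MARKERS):
            continue  # the spider follows the invisible link too; do not block it
        hits[ip] += 1
        term = search_query(referer)
        if term:
            queries.setdefault(ip, set()).add(term)
    return {ip: (n, queries.get(ip, set())) for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, (n, terms) in block_candidates(SAMPLE_LOG).items():
        print(ip, n, sorted(terms))
```

The Referer and User-Agent fields are supplied by the client, so treat the result as a review list rather than as rules to apply automatically; a single address may also be a proxy shared by many users.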
In this article, I have explained that Google can be a dangerous hacking tool. You can use a Google Hack Honeypot to detect malicious activity against your Web server and enter information from your honeypot logs into your firewall to block sources of malicious Web traffic. Remember, though, that a Google Hack Honeypot will only detect malicious Web traffic against the honeypot. It does nothing to detect malicious traffic against your Web site or to protect you from such traffic. It is therefore important to make sure your Web site is securely constructed.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in August 2006