### GHDB.TXT ### 22/06/2006 [[start][1] [[title]Squid cache server reports[[title]] [[descr]These are squid server cache reports. Fairly benign, really except when you consider using them for evil purposes. For example, an institution stands up a proxy server for their internal users to get to the outside world. Then, the internal user surf all over to their hearts content (including intranet pages cuz well, the admins are stupid) Voila, intranet links show up in the external cache report. Want to make matters worse for yourself as an admin? OK, configure your external proxy server as a trusted internal host. Load up your web browser, set your proxy as their proxy and surf your way into their intranet. Not that I've noticed any examples of this in this google list. *COUGH* *COUGH* *COUGH* unresolved DNS lookups give clues *COUGH* *COUGH* ('scuse me. must be a furball) OK, lets say BEST CASE scenario. Let's say there's not security problems revealed in these logs. Best case scenario is that outsiders can see what your company/agency/workers are surfing. [descr]] [[url]http://www.google.com/search?q=%22cacheserverreport+for%22+%22This+analysis+was+produced+by+calamaris%22[url]] [[dork]"cacheserverreport for" "This analysis was produced by calamaris"[dork]] [end][1]] [[start][2] [[title]Ganglia Cluster Reports[[title]] [[descr]These are server cluster reports, great for info gathering. Lesse, what were those server names again?[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Ganglia%22+%22Cluster+Report+for%22[url]] [[dork]intitle:"Ganglia" "Cluster Report for"[dork]] [end][2]] [[start][3] [[title]ICQ chat logs, please...[[title]] [[descr]ICQ (http://www.icq.com) allows you to store the contents of your online chats into a file. These folks have their entire ICQ directories online. On purpose?[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+dbconvert%2Eexe+chats[url]] [[dork]intitle:"Index of" dbconvert.exe chats[dork]] [end][3]] [[start][4] [[title]Apache online documentation[[title]] [[descr]When you install the Apache web server, you get a nice set of online documentation. When you learn how to use Apache, your supposed to delete these online Apache manuals. These sites didn't. If they're in such a hurry with Apache installs, I wonder what else they rushed through?[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Apache+HTTP+Server%22+intitle%3A%22documentation%22[url]] [[dork]intitle:"Apache HTTP Server" intitle:"documentation"[dork]] [end][4]] [[start][5] [[title]Coldfusion Error Pages[[title]] [[descr]

These aren't too horribly bad, but there are SO MANY of them. These sites got googlebotted while the site was having "technical difficulties." The resulting cached error message gives lots of juicy tidbits about the target site.[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=%22Error+Diagnostic+Information%22+intitle%3A%22Error+Occurred+While%22+[url]] [[dork]"Error Diagnostic Information" intitle:"Error Occurred While" [dork]] [end][5]] [[start][6] [[title]Financial spreadsheets: finance.xls[[title]] [[descr]"Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!"descr]] [[url]http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+finance.xls[url]] [[dork]intitle:"Index of" finance.xls[dork]] [end][6]] [[start][7] [[title]Financial spreadsheets: finances.xls[[title]] [[descr]"Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!"descr]] [[url]http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+finances.xls[url]] [[dork]intitle:"Index of" finances.xls[dork]] [end][7]] [[start][8] [[title]SQL data dumps[[title]] [[descr]SQL database dumps. LOTS of data in these. So much data, infact, I'm pressed to think of what else an ev1l hax0r would like to know about a target database.. What's that? Usernames and passwords you say? Patience, grasshopper.....[descr]] [[url]http://www.google.com/search?num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22%23+Dumping+data+for+table%22[url]] [[dork]"# Dumping data for table"[dork]] [end][8]] [[start][9] [[title]bash_history files[[title]] [[descr]Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations...[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+%2Ebash%5Fhistory[url]] [[dork]intitle:"Index of" .bash_history[dork]] [end][9]] [[start][10] [[title]sh_history files[[title]] [[descr]Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations...[descr]] [[url]http://www.google.com/search?num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+.sh_history[url]] [[dork]intitle:"Index of" .sh_history[dork]] [end][10]] [[start][11] [[title]mysql history files[[title]] [[descr]The .mysql_history file contains commands that were performed against a mysql database. A "history" of said commands. First, you shouldn't show this file to anyone, especially not a MAJOR SEARCH ENGINE! Secondly, I sure hope you wouldn't type anything sensitive while interacting with your databases, like oh say USERNAMES AND PASSWORDS...[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+%2Emysql%5Fhistory[url]] [[dork]intitle:"Index of" .mysql_history[dork]] [end][11]] [[start][12] [[title]mt-db-pass.cgi files[[title]] [[descr]These folks had the technical prowess to unpack the movable type files, but couldn't manage to set up their web servers properly. Check the mt.cfg files for interesting stuffs...[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=intitle%3A%22Index+of%22+mt%2Ddb%2Dpass%2Ecgi[url]] [[dork]intitle:"Index of" mt-db-pass.cgi[dork]] [end][12]] [[start][13] [[title]Windows 2000 Internet Services[[title]] [[descr]At first glance, this search reveals even more examples of operating system users enabling the operating system default web server software. This is generally accepted to be a Bad Idea(TM) as mentioned in the previous example. However, the googleDork index on this particular category gets quite a boost from the fact that this particular screen should NEVER be seen by the general public. To quote the default index screen: "Any users attempting to connect to this site are currently receiving an 'Under Construction page'" THIS is not the 'Under Construction page.' I was only able to generate this screen while sitting at the console of the server. The fact that this screen is revealed to the general public may indicate a misconfiguration of a much more insidious nature...[descr]] [[url]http://www.google.com/search?q=intitle:%22Welcome+to+Windows+2000+Internet+Services%22&num=100&hl=en&lr=&ie=UTF-8&filter=0[url]] [[dork]intitle:"Welcome to Windows 2000 Internet Services"[dork]] [end][13]] [[start][14] [[title]IIS 4.0[[title]] [[descr]Moving from personal, lightweight web servers into more production-ready software, we find that even administrators of Microsoft's Internet Information Server (IIS) sometimes don't have a clue what they're doing. By searching on web pages with titles of "Welcome to IIS 4.0" we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running, or was upgraded from, the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well.

Old code: FREE with operating system.
Poor content management: an average of $40/hour.
Factory-installed default scripts: FREE with operating system.
Getting hacked by a script kiddie that found you on Google: PRICELESS.

For all the things money can't buy, there's a googleDork award.[descr]] [[url]http://www.google.com/search?q=intitle:%22Welcome+to+IIS+4.0%22&num=100&hl=en&lr=&ie=UTF-8&filter=0[url]] [[dork]intitle:"Welcome to IIS 4.0"[dork]] [end][14]] [[start][15] [[title]Look in my backup directories! Please?[[title]] [[descr]Backup directories are often very interesting places to explore. More than one server has been compromised by a hacker's discovery of sensitive information contained in backup files or directories. Some of the sites in this search meant to reveal the contents of their backup directories, others did not. Think about it. What.s in YOUR backup directories? Would you care to share the contents with the whole of the online world? Probably not. Whether intentional or not, bsp.gsa.gov reveals backup directory through Google. Is this simply yet another misconfigured .gov site? You decide. BSP stands for "best security practices," winning this site the Top GoogleDork award for this category.[descr]] [[url]http://www.google.com/search?q=%22Index+of+/backup%22&num=100&hl=en&lr=&ie=UTF-8&filter=0[url]] [[dork]"Index of /backup"[dork]] [end][15]] [[start][16] [[title]OpenBSD running Apache[[title]] [[descr]I like the OpenBSD operating system. I really do. And I like the Apache web server software. Honestly. I admire the mettle of administrators who take the time to run quality, secure software. The problem is that you never know when security problems will pop up. A BIG security problem popped up within the OpenBSD/Apache combo. Now, every administrator that advertised this particular combo with cute little banners has a problem. Hackers can find them with Google. I go easy on these folks since the odds are they.ve patched their sites already. Then again, they may just show up on zone-h..[descr]] [[url]http://www.google.com/search?sourceid=navclient&q=%22powered+by+openbsd%22+%2B%22powered+by+apache%22[url]] [[dork]"powered by openbsd" +"powered by apache"[dork]] [end][16]] [[start][17] [[title]intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak"[title]] [[descr]PGP is a great encryption technology. It keeps secrets safe. Everyone from drug lords to the head of the DEA can download PGP to encrypt their sensitive documents. Everyone, that is except googleDorks. GoogleDorks, it seems, don't understand that anyone in possession of your private keyring (secring) can get to your secret stuff. It should noever be given out, and should certainly not be posted on the Internet. The highest ranking is awarded for this surprising level of ineptitude.[descr]] [[url]http://www.google.com/search?q=intitle:index.of+intext:%22secring.skr%22%7C%22secring.pgp%22%7C%22secring.bak%22[url]] [[dork]intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak"[dork]] [end][17]] [[start][20] [[title]master.passwd[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "master.passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show!

For master.passwd, be sure to check other files in the same directory...[descr]] [[url]http://www.google.com/search?sourceid=navclient&q=intitle%3A%22Index+of%22+master%2Epasswd[url]] [[dork]intitle:"Index of" master.passwd[dork]] [end][20]] [[start][21] [[title]pwd.db[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The his in this search show "pwd.db" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show![descr]] [[url]http://www.google.com/search?sourceid=navclient&q=intitle%3A%22Index+of%22+pwd%2Edb[url]] [[dork]intitle:"Index of" pwd.db[dork]] [end][21]] [[start][22] [[title]htpasswd / htpasswd.bak[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show![descr]] [[url]http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak[url]] [[dork]intitle:"Index of" ".htpasswd" htpasswd.bak[dork]] [end][22]] [[start][23] [[title]htpasswd / htgroup[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show!

You'll need to sift through these results a bit...[descr]] [[url]http://www.google.com/search?q=intitle:%22Index+of%22+%22.htpasswd%22+%22htgroup%22++-intitle:%22dist%22+-apache+-htpasswd.c&hl=en&lr=&ie=UTF-8&safe=off&start=10&sa=N[url]] [[dork]intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c[dork]] [end][23]] [[start][24] [[title]spwd.db / passwd[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show![descr]] [[url]http://www.google.com/search?q=intitle:%22Index+of%22+spwd.db+passwd+-pam.conf&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&start=10&sa=N[url]] [[dork]intitle:"Index of" spwd.db passwd -pam.conf[dork]] [end][24]] [[start][25] [[title]passwd / etc (reliable)[[title]] [[descr]There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show![descr]] [[url]http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=intitle%3A%22Index+of..etc%22+passwd[url]] [[dork]intitle:"Index of..etc" passwd[dork]] [end][25]] [[start][26] [[title]AIM buddy lists[[title]] [[descr]These searches bring up common names for AOL Instant Messenger "buddylists". These lists contain screen names of your "online buddies" in Instant Messenger. Not that's not too terribly exciting or stupid unless you want to mess with someone's mind, and besides, some people make these public on purpose. The thing that's interesting are the files that get stored ALONG WITH buddylists. Often this stuff includes downloaded pictures, resumes, all sorts of things. This is really for the peepers out there, and it' possible to spend countless hours rifling through people's personal crap.

A few methods:
1. buddylist.blt
2. buddy.blt
3. buddies.blt[descr]] [[url]http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=buddylist%2Eblt[url]] [[dork]buddylist.blt[dork]] [end][26]] [[start][27] [[title]config.php[[title]] [[descr]This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. Way to go, googleDorks!![descr]] [[url]http://www.google.com/search?sourceid=navclient&q=intitle%3A%22Index+of%22+config%2Ephp[url]] [[dork]intitle:"Index of" config.php[dork]] [end][27]] [[start][28] [[title]phpinfo()[[title]] [[descr]this brings up sites with phpinfo(). There is SO much cool stuff in here that you just have to check one out for yourself! I mean full blown system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, Apache mods, Apache env vars, *sigh* the list goes on and on! Thanks "joe!" =)[descr]] [[url]http://www.google.com/search?hl=en&lr=&c2coff=1&q=intitle%3Aphpinfo+%22PHP+Version%22&btnG=Search[url]] [[dork]intitle:phpinfo "PHP Version"[dork]] [end][28]] [[start][29] [[title]MYSQL error message: supplied argument....[[title]] [[descr]