SitePoint Sponsor

User Tag List

Results 1 to 8 of 8
  1. #1
    SitePoint Member
    Join Date
    Sep 2012
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Google bot sending malicious GET requests?

    Hi all,

    I found this line in a client's web log files the other day:

    66.249.71.143 - - [11/Sep/2012:17:14:36 -0400] "GET /cgi-bin/sw.pl?read=%7Ccat%20/etc/passwd%7C HTTP/1.1" 200 139952 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


    As you can see, the GET string contains "cat /etc/passwd" which is a command in unix to grab the list of users on the server. Definitely a no-no, and something only a hacker / bad bot would do.

    I checked the IP and it is from Google, as the agent string suggests.

    So my question is, where did google pick this up? I suppose maybe a hacker site out there could have that link listed, but otherwise I'm stumped. Frankly I'm surprised google wouldn't "weed out" links that are hack attempts.

    has anyone else seen this kind of hit from google?

    -Jim

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,595
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    How is Google supposed to distinguish links that are malicious from other links? The only way Google has any reason for making that call is if there is a link somewhere on your site that contains that in the address or another site that links to yours that has that as the page on your site that it is supposedly linking to. Unless someone has also managed to install sw.pl into the cgi-bin folder on your server the link will of course simply return a 404 rather than a 200.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Mentioned
    37 Post(s)
    Tagged
    1 Thread(s)
    If you have a public web stats directory, then links such as this will turn up there due to random malicious bot scans looking for common web app vulnerabilities

  4. #4
    SitePoint Member
    Join Date
    Sep 2012
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, that script is on the site, but that "GET" string (after the read=) is not linked anywhere, that I can see. I suppose Google could distinguish it as malicious the same way I parsed it out of the log file - a simple regex looking for /etc/passwd. So if someone crafted a link that would perform a SQL injection to another site, could they get google to spider it and do the dirty work? I suppose so.

    We do have analytics on the site, so I suppose is another robot hit the site with that query, and google was able to grab it from the resulting page, google could have stored that and decided to try and spider it.

  5. #5
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Mentioned
    37 Post(s)
    Tagged
    1 Thread(s)
    Should the script be there? Does it serve a purpose you are aware of, and is the file modified time stamp of it recent?

  6. #6
    SitePoint Member
    Join Date
    Sep 2012
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, it's a real script. As with other hack attempts, carefully crafted get/post parameters are sent in, to probe the script code. The script in this case ignores the bad request and returns a list of threads (it's a forum script). So from google's perspective, I guess it's a url that works, so it's checking it out.

  7. #7
    SitePoint Zealot 2ndmouse's Avatar
    Join Date
    Jan 2007
    Location
    West London
    Posts
    196
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by jimr451 View Post
    Yes, it's a real script. As with other hack attempts, carefully crafted get/post parameters are sent in, to probe the script code. The script in this case ignores the bad request and returns a list of threads (it's a forum script). So from google's perspective, I guess it's a url that works, so it's checking it out.
    Maybe you should download the script file and check it out with your antivirus software, it might have been tampered with.
    Detect file changes remotely. SimpleSiteAudit is an early
    warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  8. #8
    SitePoint Zealot Sogo7's Avatar
    Join Date
    May 2011
    Posts
    129
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Just out of curiosity does the page make this GET request using jQuery/Ajax when it loads up?
    Lovelogic.net Personal Projects Pit - Spammers welcome


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •