Hi all,

I found this line in a client's web log files the other day: - - [11/Sep/2012:17:14:36 -0400] "GET /cgi-bin/sw.pl?read=%7Ccat%20/etc/passwd%7C HTTP/1.1" 200 139952 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

As you can see, the GET string contains "cat /etc/passwd" which is a command in unix to grab the list of users on the server. Definitely a no-no, and something only a hacker / bad bot would do.

I checked the IP and it is from Google, as the agent string suggests.

So my question is, where did google pick this up? I suppose maybe a hacker site out there could have that link listed, but otherwise I'm stumped. Frankly I'm surprised google wouldn't "weed out" links that are hack attempts.

has anyone else seen this kind of hit from google?