Defensive Googling
As cousin Tom reported yesterday, system compromises can become embarrassingly public via Google searches (or what Johnny Long refers to as Googledorks).
A reader saw Tom's post and sent in his own Google search command that exposes many .gov sites compromised to host porn.
It's not a bad idea to use Google as an Intrusion Detection System. It's a bit late-notice, but it's better to find out that way than to have guys in suits show up at your office to confiscate systems.
Relying on the "site:" syntax, you can scan your organization's web presence for embarrassing exposures. For example:
site:myorg.org porn
site:mygov.gov cialis buy
To filter that list down, you can add qualifiers like Tom's filetype:html (or filetype:htm or filetype:asp if you run a Windows shop).
These are very simple examples. For additional search terms, you could look at what people are searching for on Google using:
http://google.com/trends
http://www.google.com/press/zeitgeist.html
You can also skim through your users' proxy logs to see what they're searching for, with the warning that this might not be legal in your region, and what you find most certainly won't be family-friendly.
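One way to turn that proxy-log skim into site: queries for your own domains, as an added example rather than code from the original diary. It assumes Squid's native access.log layout; the log lines, function names and stopword list are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Squid's native access.log layout (not real traffic).
SAMPLE_LOG = """\
1199145600.123 210 10.0.0.5 TCP_MISS/200 5120 GET http://www.google.com/search?q=cheap+cialis&hl=en - DIRECT/192.0.2.10 text/html
1199145601.456 180 10.0.0.7 TCP_MISS/200 4312 GET http://www.google.com/search?hl=en&q=buy%20cialis+online - DIRECT/192.0.2.10 text/html
1199145602.789 95 10.0.0.5 TCP_MISS/200 2048 GET http://example.com/search?q=ignored - DIRECT/192.0.2.20 text/html
1199145603.012 130 10.0.0.9 TCP_MISS/200 3900 GET http://google.com/search?q=Texas+Holdem+poker - DIRECT/192.0.2.10 text/html
1199145604.345 12 10.0.0.9 TCP_DENIED/403 0 CONNECT www.google.com:443 - NONE/- -
"""
STOPWORDS = {"the", "and", "for", "how", "with"}  # assumed, tune to taste


def search_terms(log_text):
    """Count words from Google search queries; client addresses are discarded."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(fields) < 7 or fields[5] != "GET":
            continue
        url = urlsplit(fields[6])
        host = (url.hostname or "").lower()
        is_google = host == "google.com" or host.endswith(".google.com")
        if not is_google or url.path != "/search":
            continue
        for query in parse_qs(url.query).get("q", []):  # decodes + and %20
            words = re.findall(r"[a-z0-9]+", query.lower())
            counts.update(w for w in words if len(w) > 2 and w not in STOPWORDS)
    return counts


def top_terms(log_text, n):
    """Most frequent terms first; ties broken alphabetically for stable output."""
    ranked = sorted(search_terms(log_text).items(), key=lambda kv: (-kv[1], kv[0]))
    return [term for term, _ in ranked[:n]]


def site_queries(domains, terms, filetypes=("html", "htm", "asp")):
    """One query per domain, term and filetype qualifier, for your own sites."""
    return [f"site:{d} {t} filetype:{ft}"
            for d in domains for t in terms for ft in filetypes]


if __name__ == "__main__":
    for q in site_queries(["myorg.org"], top_terms(SAMPLE_LOG, 3)):
        print(q)
```

Review the ranked terms by hand before searching, since most of what users look for has nothing to do with spam content planted on a compromised site.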
----------------------------------------------------------------
Kevin Liston (kliston -at- isc.sans.org)