SolarWinds Blog Contact Us
SYNTHETIC MONITORING
REAL USER MONITORING
INFRASTRUCTURE MONITORING
APPLICATION MONITORING
LOG MANAGEMENT

Get unified visibility and intelligent insights with SolarWinds Observability

LEARN MORE

Synthetic Monitoring

Simulate visitor interaction with your site to monitor the end user experience.

View Product Info

FEATURES

Uptime MonitoringPage SpeedTransaction MonitoringAlerting
Simulate visitor interaction

Identify bottlenecks and speed up your website.

Learn More

Real User Monitoring

Enhance your site performance with data from actual site visitors

View Product Info

FEATURES

Live MapUser Experience MonitoringPage Load PerformanceUser Behavior Metrics
Real user insights in real time

Know how your site or web app is performing with real user insights

Learn More

Infrastructure Monitoring Powered by SolarWinds AppOptics

Instant visibility into servers, virtual hosts, and containerized environments

View Infrastructure Monitoring Info
Comprehensive set of turnkey infrastructure integrations

Including dozens of AWS and Azure services, container orchestrations like Docker and Kubernetes, and more 

Learn More

Application Performance Monitoring Powered by SolarWinds AppOptics

Comprehensive, full-stack visibility, and troubleshooting

View Application Performance Monitoring Info
Complete visibility into application issues

Pinpoint the root cause down to a poor-performing line of code

Learn More

Log Management and Analytics Powered by SolarWinds Loggly

Integrated, cost-effective, hosted, and scalable full-stack, multi-source log management

 View Log Management and Analytics Info
Collect, search, and analyze log data

Quickly jump into the relevant logs to accelerate troubleshooting

Learn More

Use Cases By Industry

Web Development Ecommerce & Retail Media & Entertainment Enterprise

Use Cases by Challenge

Digital Experience Monitoring Marketing Web Performance Optimization

Technical Documentation

Pingdom API Datasheet Getting Started FAQ Pricing and Packaging Knowledge Base Even more Pingdom plugins, apps and add-ons Website Speed Test Webhooks

Educational Resources

Create a Support Ticket Download Extensions On-demand training

APM Integrated Experience

Datasheet Video: Failed Transaction Check Infographic SolarWinds vs Datadog SolarWinds vs AppDynamics SolarWinds vs New Relic SolarWinds vs Dynatrace

Connect

About Us Contact Us Customer Support Customer Stories Pingdom THWACK Forum Pingdom Blog COVID-19 Resource Center

Don’t let Google find your secrets

January 11, 2008

in Tech Musings

Google is one of the best hacking tools out there. It may sound incredible, but relatively simple searches in Google and other search engines can dig out sensitive or even dangerous information about your site, your servers and your company.

You want Google to index your site and make you visible and searchable. That part is good for you. But if you have been careless, Google can also index more sensitive information that was never meant to be public, and can therefore be a useful tool for hackers if they want to probe your site for vulnerabilities. This is often called Google hacking. (To be fair, other search engines can be used as well, so it could just as well be called search engine hacking.)

There is a lot of information that can be found on Google thanks to careless (or clueless) administration of websites:

    • Various usernames and passwords (both encrypted and in plain text)
    • Internal documents
    • Internal site statistics
    • Intranet access
    • Database access
    • Mail server access
    • And much, much more

 

Needless to say, a lot of this information can be used as a starting point for breaking into your systems.

Some examples

There are a huge number of different search strings for sensitive information that have been published around the web. A collection exists at the Google Hacking Database (it currently has 1,423 entries), which is where we found the two following examples.

The image below shows the result of two different searches, one for SQL insert statements that use encryption functions for passwords, and another one for INC files with PHP code in them that contain unencrypted user names, passwords and addresses to the corresponding databases.

Both these searches show a number of results where passwords and usernames have been indexed and cached by Google.

Results of google hacking

Not all of the results will be relevant, but this is just the tip of the iceberg.

How common is it?

We searched for “google hack” in Google Trends, and as you can see in the graph, that search term is becoming increasingly popular.

Google Trends for Google hack

This isn’t all that scientific, but it could give a hint that this kind of information gathering is increasing.

On a small side note, it is also interesting to see that a lot of the searches seem to be coming from Asia, and especially South-East Asia. The top countries for this search term are Indonesia, Vietnam, Malaysia and the Philippines.

Is Google doing anything to prevent this?

Google is not standing idly by. The company seems to proactively try to block some usage of these “hacker searches”, at least via direct search links (which can easily be used by automated applications). Some of the queries we tried gave us this result:

Google 403 forbidden

What can you do to prevent “Google hacks” on your site?

There is no way we can list every single security measure out there, but we hope you will find this to be a useful starting point.

    • First, if at all possible, keep all your sensitive information off the internet. I.e. on storage that isn’t even connected to the internet.
    • Be careful how you write your scripts and access your databases. There are numerous examples where a database access error text shows up on a website and contains way too much information. If you are unlucky and have Google crawl your site at that time, the information is public (and cached by Google).
    • Use robots.txt to let Google know what parts of your website it is ok to index. However, note that even this information can be used by hackers, if you for example specify which parts of the website are “off bounds”, the curious will of course look there to see what is so sensitive if they are targeting your site specifically. And of course, don’t forget that if someone wants to scan your website themselves, without the help of Google, they won’t care about robots.txt and other things that prevent nicely behaved online search robots like Googlebot.
    • Make sure that the directory rights on your web server are in order, i.e. only allow public access to the bare minimum of directories that are necessary for your site to function. This is a precaution that isn’t really specific for Google hacking, but is worth mentioning.
    • Monitor your site for common errors. You can set up monitoring (for example with Pingdom, or another website monitoring service) that checks for text that should not exist on the page, for example part of a php script error message. Then you will know right away if and when your site has “messed up”, and can take the necessary precautions (changing passwords or whatever else may be suitable).
    • “Google hack” your own website. Try out the various searches listed in the Google Hacking Database on your own site.

 

 

Find out more

 

(Google really does have more search tricks than you can throw a stick at.)

Related Posts

RECENT FEATURED POPULAR
Introduction to Observability

These days, systems and applications evolve at a rapid pace. This makes analyzi [...]

Webpages Are Getting Larger Every Year, and Here’s Why it Matters

Last updated: February 29, 2024 Average size of a webpage matters because it [...]

A Beginner’s Guide to Using CDNs

Last updated: February 28, 2024 Websites have become larger and more complex [...]

The Five Most Common HTTP Errors According to Google

Last updated: February 28, 2024 Sometimes when you try to visit a web page, [...]

Page Load Time vs. Response Time – What Is the Difference?

Last updated: February 28, 2024 Page load time and response time are key met [...]

Monitor your website’s uptime and performance

With Pingdom's website monitoring you are always the first to know when your site is in trouble, and as a result you are making the Internet faster and more reliable. Nice, huh?

START YOUR FREE 30-DAY TRIAL
Previous post
PREVIOUS
The worst cable mess ever

MONITOR YOUR WEB APPLICATION PERFORMANCE

Gain availability and performance insights with Pingdom – a comprehensive web application performance and digital experience monitoring tool.

START YOUR FREE 30-DAY TRIAL
Start monitoring for free