deathbycomet.com — You can easily find WordPress DB passwords using the new Google Code search. Are there other vulnerable pieces of code just sitting on your server waiting to be indexed?
Oct 5, 2006
Closed Account, Oct 6, 2006
Wow...searching for C# and config and password:
Config.cs
318: Username = "root"; Password = "dbox2"; Timeouts = 3;
xxxx.xxxx/.../xxxxxxxxx-src.zip - Unknown License - C#
whisperedlie, Oct 6, 2006
who cares? these are source files, not production .config files.
cthalupa, Oct 6, 2006
Edit: Whoops, wrong thread. Dig this down
donquixote235, Oct 6, 2006
The thing that I think a lot of people are unaware of is that these config files aren't sitting out in the open, generally; rather, they're being pulled out of a zip file somewhere on the domain. Some user at some point decided to back up the code, so he zipped it up and stuck "sourcefile.zip" (or whatever) onto the website. Stupid move. Left to their own devices, php files and web-config files etc ARE secure. Unfortunately the end-user just wasn't thinking when he decided to archive the code.
dotnetsky, Oct 6, 2006
None of you people are reading much. I quote: "Google Code Search respects robots.txt, so there are a couple ways you can block us from crawling your code: If you have access to the robots file for your web server, you can add the your code's path to the Disallow: line. Learn more. Alternatively, you can simply put a robots file in the root directory of your code package. This will work for both archives and source control repositories like CVS and Subversion. For example, to indicate you want none of your code crawled, you could add a file called robots.txt in the root directory with the following:
    User-agent: *
    Disallow: /
"
llbbl, Oct 6, 2006
Lessons learned, any of these solutions would prevent google from indexing your database passwords.
1) Backups shouldn't be stored under web root directory if possible
2) If backups will be stored temporarily somewhere then keep them somewhere with an index.php file so that spiders can index files listed in the directory
3) Turn off directory listing for the entire website
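One way to act on the first lesson above, as an added example that is not part of the original thread: a Python audit that walks a web root, opens every zip archive it finds and reports members containing credential-like literals. The patterns, the 1 MB read cap and the sample file names are assumptions made for this example.

```python
import os, re, tempfile, zipfile

MAX_BYTES = 1_000_000  # assumption: read at most this much of each member
# Heuristic patterns (assumptions, not exhaustive): WordPress DB_PASSWORD,
# mysql_connect() with literal arguments, Password = "..." assignments.
SECRET_RE = re.compile(
    rb"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"][^'"]+['"]"""
    rb"""|mysql_connect\(\s*['"][^'"]*['"]\s*,\s*['"][^'"]*['"]\s*,\s*['"][^'"]+['"]"""
    rb"""|password\s*=\s*['"][^'"]+['"]""",
    re.IGNORECASE,
)

def audit_webroot(webroot):
    """Return sorted (archive, member) pairs for zip files under webroot
    whose members contain credential-like literals."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        with zf.open(info) as member:
                            if SECRET_RE.search(member.read(MAX_BYTES)):
                                findings.append((rel, info.filename))
            except (zipfile.BadZipFile, RuntimeError):
                # Corrupt or password-protected: still worth a manual look.
                findings.append((rel, "<unreadable archive>"))
    return sorted(findings)

def demo():
    """Build a constructed web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "backup"))
        with zipfile.ZipFile(os.path.join(root, "backup", "sourcefile.zip"), "w") as zf:
            zf.writestr("site/wp-config.php",
                        "<?php define('DB_PASSWORD', 'constructed-example');")
            zf.writestr("site/index.php", "<?php echo 'hello';")
        with zipfile.ZipFile(os.path.join(root, "images.zip"), "w") as zf:
            zf.writestr("logo.txt", "no secrets here")
        return audit_webroot(root)

if __name__ == "__main__":
    for archive, member in demo():
        print(f"{archive}: {member} contains a credential-like literal")
```

Any archive it reports should be moved out of the web root, and the credentials inside it rotated.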
insomniak29 (Submitter), Oct 6, 2006
A piece of code cannot "sit."
wiggie, Oct 7, 2006
Search for the basic mysql_connect and you'll get thousands and thousands of db passwords. http://www.google.com/codesearch?hl=en&lr=&q=mysql_connect%5C%28%5C%22%5Cw%2B%5C%22%2C+%5C%22%5Cw%2B%5C%22%2C+%5C%22%5Cw%2B%5C%22%5C%29
misspxp1, Nov 28, 2007
I want to know the code
quetivity, Aug 30, 2008
for some reason I have a hard time believing this crap