22 T1 TECHNOLOGY PROFILE DON intitle:"Index of" secring.bak Locates secret PGP key's. PGP is a public key / private key encryption technology. Your public key is given out to people while your secret key (secring) is kept private. Encrypted communications can be decrypted by attackers who have your public key, secret key, and passphrase. This is why its extremely important to keep your secret key safe. 1000 http://www.1000.com 23 T2 TECHNOLOGY PROFILE DON intitle:index.of master.passwd Gives "passwd" file This directory listing might contain a potential password file. 1000 http://www.1000.com 24 T3 TECHNOLOGY PROFILE DONT intitle:"Index of" ".htpasswd" htpasswd.bak Gives file with Hashed Passwords This directory listing might contain a potential password file. 1002 http://www.1000.com 13 RA1 REMOTE ADMIN INTERFACE DONT intitle:"Index of" upload.asp Possible upload capabilities. Looking for upload.asp. Upload.asp, if not protected might allow an attacker to upload malicious content to the server that might allow them to execute code. 1002 http://www.1000.com 14 RA2 REMOTE ADMIN INTERFACE DONT intitle:"Index of" AT-admin.cgi Administer CGI server Looks for at-admin.cgi. Used to administer a cgi server 1002 http://www.1000.com 15 RA3 REMOTE ADMIN INTERFACE DONT intitle:"Index of" global.inc Remote Administration Informaion Looks for global.inc. This file often contains remote administration information 1002 http://www.1000.com 4 C1 CONFIG MANAGEMENT DONT intitle:"Index of" guestbook.cgi Key to guestbook.cgi vulnerabilities Looking for guestbook.cgi. There are a number of vulnerabilities associated with this various freeware guestbook's. 1002 http://www.1000.com 5 C2 CONFIG MANAGEMENT DONT intitle:"Index of" fpcount.exe Frontpage extentions may be installed. Looking for frontpage extensions. There are a number of vulnerabilities associated with frontpage extensions. CAN-1999-1376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1376 6 C3 CONFIG MANAGEMENT DONT intitle:"Index of" msadcs.dll checks IIS MDAC Vulnerability This check looks for the Microsoft Data Access Components DLL. (msadcs.dll). the MDAC DLL has had multiple vulnerabilities associated with it. CAN-2003-0903 http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=MDAC 19 S1 BACKUP FILES DONT intitle:index.of .bash_history Log of user's command line history. This file contains a command history and would be particularly helpful to an attacker who is doing information gathering. 1002 http://www.1000.com 20 S2 BACKUP FILES DONT intitle:index.of .sh_history Log of user's command line history. This file contains a command history and would be particularly helpful to an attacker who is doing information gathering. 1002 http://www.1000.com 21 S3 CONFIG MANAGEMENT DONT intitle:index.of trillian.ini Encoded usernames, passwords, and buddylist for Trillian users. Trillian is a multi-messaging client that supports AIM, MSN, Yahoo, IRC, and ICQ. The trillian.ini file contain's encoded passwords, usernames, buddy lists. 1002 http://www.1000.com 16 RV1 REPORTED VULNS DONT "Select a database to view" intitle:"filemaker pro" Server providing access to Filemaker pro This search locates servers which provides access to Filemaker pro databases via the web. The severity of this search varies wildly depending on the security of the database itself GENERIC-MAP-NOMATCH http://www.securityfocus.com/bid/1159/discussion/ 17 RV2 REPORTED VULNS DONT intitle:"osCommerce" inurl:admin filetype:php Web facing admin interface to osCommerce. Explore the admin interface of osCommerce e-commerce sites. Depending on how bad the setup of the web store is, web surfers can even Google their way into customer details and order status, all from the Google cache. CVE-MAP-NOMATCH http://www.securityfocus.com/bid/10235 18 RV3 REPORTED VULNS DONT "phpMyAdmin" "running on" inurl:"main.php" checks for accessible phpMyAdmin tool From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! CVE-MAP-NOMATCH http://www.securityfocus.com/bid/7965 7 E1 ERROR MESSAGES DONT intitle:"the page cannot be found" inetmgr checks for IIS 4.0 servers IIS 4.0 servers. Old web hack. 1002 http://www.1000.com 8 E2 ERROR MESSAGES DONT "supplied argument is not a valid MySQL result resource" Reveals real path names in webserver Reveals real path names in webserver 1002 http://www.1000.com 9 E3 ERROR MESSAGES DONT "access denied for user" "using password" SQL error that displays useful information This SQL error message can display the username, database, path names and partial SQL statements. 1002 http://www.1000.com 1 B1 BACKUP FILES DONT intitle:"Index of" index.html.bak HTML files with .bak extension HTML files with .bak extension can be viewed as plain text. 1002 http://www.1000.com 2 B2 BACKUP FILES DONT intitle:"Index of" index.php.bak PHP files with .bak extension's can be viewed as plain text. PHP files with .bak extension's can be viewed as plain text. 1002 http://www.1000.com 3 B3 BACKUP FILES DONT intitle:"Index of" index.jsp.bak JSP files with .bak extension's can be viewed as plain text. JSP files with .bak extension's can be viewed as plain text. 1002 http://www.1000.com 10 P1 PRIVACY RELATED DONT intitle:"Index of" access_log HTTP log's may reveal user names, IP addresses, and other data. HTTP log's may reveal user names, IP addresses, and other data. 1002 http://www.1000.com 11 P2 PRIVACY RELATED DONT intitle:"Index of" WSFTP.LOG WS_FTP log files Access to WS_FTP log files. WS_FTP log files may reveal hidden directories or files. 1002 http://www.1000.com 12 P3 PRIVACY RELATED DONT intitle:"Index of" service.pwd Access to service.pwd.file Access to services.pwd file. The file often contains username and passwords 1002 http://www.1000.com 25 C4 CONFIG MANAGEMENT DONT allinurl:auth_user_file.txt Access to DCForum's password file This file contains a list of passwords, usernames and email addresses for shopping cart application and form DCForum and for DCShop. CAN-2001-0821 http://www.securityfocus.com/bid/2889 26 C5 CONFIG MANAGEMENT DONT intitle:"index.of" config.php" Access to config.php file config.php can sometimes be a configuration file containing both a username and a password information for a SQL database. 1002 http://www.1000.com 27 C6 CONFIG MANAGEMENT DONT intitle:index.of.etc Acess to etc directory that has password files This search looks for indexed /etc directories, where many many many types of password files and other config files can be found. 1002 http://www.1000.com 28 C7 CONFIG MANAGEMENT DONT filetype:xls username password email Excel files with keywords username, password, and email This search looks for Microsoft Excel spreadsheets containing the words username, password and email. There may be a high number of flase positives for this one. 1002 http://www.1000.com 29 C8 CONFIG MANAGEMENT DONT filetype:htpasswd htpasswd Searches for htpasswd files. .htpasswd is the default file name for Apache basic authentication files. Htpasswd files contain usernames and crackable passwords for web pages and directories. 1002 http://www.1000.com 30 C9 CONFIG MANAGEMENT DONT intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c Shows the password files .htpasswd is the default file name for Apache basic authentication files. Htpasswd files contain usernames and crackable passwords for sites using basic authentication. 1002 http://www.1000.com 31 B4 BACKUP FILES DONT intitle:"Index of" ".htpasswd" htpasswd.bak Looks for backup copies of the htpasswd file. Looks for backup copies of the htpasswd file. 1002 http://www.1000.com 32 C10 CONFIG MANAGEMENT DONT intitle:index.of administrators.pwd Frontpage username and encoded passwords. This file contains administrative user names and (weakly) encrypted password for Microsoft Front Page. The file should not be readble to the general public 1002 http://www.1000.com 33 C11 CONFIG MANAGEMENT DONT intitle:Index.of etc shadow Searches for indexed /etc/shadow file. This file contains usernames and encrypted passwords. Using John the ripper, an attacker can crack passwords and log into the system. 1002 http://www.1000.com 34 C12 CONFIG MANAGEMENT DONT intitle:index.of secring.pgp Secret keyring file for PGP This file is the secret keyring for PGP encryption. With this file and the passphrase an attacker could decrypt communications. 1002 http://www.1000.com 35 C13 CONFIG MANAGEMENT DONT inurl:config.php dbuname dbpass Access to cleartext usernames and password's. The config.php script can contain usernames and passwords. 1002 http://www.1000.com 36 C14 CONFIG MANAGEMENT DONT intitle:"Index of" master.passwd Access to master.passwd file "master.passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" Using the base64 decoder in Cain and Able (www.oxid.it) an attacker can easily decode this. 1002 http://www.1000.com 37 C15 CONFIG MANAGEMENT DONT intitle:"Index of" .mysql_history Log of previously typed commands in mysql The .mysql_history file contains commands that were performed against a mysql database. 1002 http://www.1000.com 38 C16 CONFIG MANAGEMENT DONT intitle:index.of passlist This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 39 C17 CONFIG MANAGEMENT DONT inurl:passlist.txt This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 40 C18 CONFIG MANAGEMENT DONT intitle:"Index of" passwd passwd.bak This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 41 C19 CONFIG MANAGEMENT DONT intitle:"Index of..etc" passwd This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 42 P4 PRIVACY RELATED DONT intitle:"Index of" "people.lst" Lists the users Lists the users 1002 http://www.1000.com 43 P5 PRIVACY RELATED DONT intitle:"Index of" pwd.db This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 44 C20 CONFIG MANAGEMENT DONT intitle:"Index of" spwd.db passwd -pam.conf This file sometimes contains usernames and passwords. This file sometimes contains usernames and passwords. 1002 http://www.1000.com 46 RV4 REPORTED VULNS DONT inurl:Custva.asp Multiple vulnerabilities in Earlyimpact Productcart The EarlyImpact Productcart contains multiple vulnerabilites, which could exploited to allow an attacker to steal user credentials or mount other attacks. See http://www.securityfocus.com/bid/9669 for more informationfor more information. Also see http://www.securityfocus.com/bid/9677 CVE-MAP-NOMATCH http://www.securityfocus.com/bid/9677 47 RV5 REPORTED VULNS DONT "Powered by mnoGoSearch - free web search engine software" Buffer Overflows in some mnGoSearch According to http://www.securityfocus.com/bid/9667, certain versions of mnGoSearch contain a buffer overflow vulnerability which allow an attacker to execute commands on the server. CVE-MAP-NOMATCH http://www.securityfocus.com/bid/9667 48 T4 TECHNOLOGY PROFILE DONT "#mysql dump" filetype:sql Reveals mySQL database dumps This reveals mySQL database dumps. These database dumps list the structure and content of databases, which can reveal many different types of sensitive information. 1002 http://www.1000.com 49 T5 TECHNOLOGY PROFILE DONT "This summary was generated by wwwstat" www statistics may contain email address of intranet users. More www statistics on the web. This one is very nice.. Lots of directory info, and client access statistics, email addresses.. lots os good stuff. You know, these are SOOO dangerous, especially if INTRANET users get logged... talk about mapping out an intranet quickly... thanks, sac =) 1002 http://www.1000.com 50 T6 TECHNOLOGY PROFILE DONT "Host Vulnerability Summary Report" Reveals host vulnerability scanner reports This search yeids host vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1002 http://www.1000.com 51 T7 TECHNOLOGY PROFILE DONT "Index of" / "chat/logs" Reveals chat logs This search reveals chat logs. Depending on the contents of the logs, these files could contain just about anything! 1002 http://www.1000.com 52 T8 TECHNOLOGY PROFILE DONT "Most Submitted Forms and Scripts" "this section" www statistics, may contain email address of intranet loggers www statistics publicly indexed on the web. This man contain directory info, client access statistics, and email addresses. 1002 http://www.1000.com 53 T9 TECHNOLOGY PROFILE DONT "Network Host Assessment Report" "Internet Scanner" Reveals ISS scan reports This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1002 http://www.1000.com 54 T10 TECHNOLOGY PROFILE DONT "Network Vulnerability Assessment Report" Reveals host vulnerabilites report This search yeids vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1002 http://www.1000.com 55 T11 PRIVACY RELATED DONT "not for distribution" confidential May reveal some sensitive information The terms "not for distribution" and confidential indicate a sensitive document. Results vary wildly, but web-based documents are for public viewing, and should neither be considered confidential or private. 1002 http://www.1000.com 57 T13 TECHNOLOGY PROFILE DONT "These statistics were produced by getstats" Web based statistics Website statistics may allow an an attacker to find hidden pages or directories. 1002 http://www.1000.com 58 T14 TECHNOLOGY PROFILE DONT "robots.txt" + "Disallow:" filetype:txt Searches for disallow tags meant for web crawlers The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where not to look. 1002 http://www.1000.com 60 T16 TECHNOLOGY PROFILE DONT "Thank you for your order" +receipt Provides insight into web-based shop After placing an order via the web, many sites provide a page containing the phrase "Thank you for your order" and provide a receipt for future reference. At the very least, these pages can provide insight into the structure of a web-based shop. 1002 http://www.1000.com 61 T17 TECHNOLOGY PROFILE DONT "This file was generated by Nessus" Reveals nessus scan reports for vulnerabilities This search yeids nessus scan reports. Even if some of the vulnerabilities have been fixed, we can still gather valuable information about the network/hosts. This also works with ISS and any other vulnerability scanner which produces reports in html or text format. 1002 http://www.1000.com 62 T18 TECHNOLOGY PROFILE DONT "This report lists" "identified by Internet Scanner" Reveals ISS scan reports for vulnerabilities This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1002 http://www.1000.com 63 T19 TECHNOLOGY PROFILE DONT "This report was generated by WebLog" Weblog-generated statistics for websites These are weblog generated statistics for web sites which may contain hidden directories and pages. 1002 http://www.1000.com 64 T20 TECHNOLOGY PROFILE DONT intitle:index.of cgiirc.config' cgiirc.config files man contain information useful to an attacker. cgiirc.config files man contain information useful to an attacker. 1002 http://www.1000.com 65 T21 TECHNOLOGY PROFILE DONT inurl:'cgiirc.config' cgiirc.config files man contain information useful to an attacker. This is another less reliable way of finding the cgiirc.config file. cgiirc.config files man contain information useful to an attacker. 1002 http://www.1000.com 66 P7 PRIVACY RELATED DONT intitle:"Index of" finance.xls Excel sheet showing the finance information Excel sheet showing the finance information 1002 http://www.1000.com 67 P8 PRIVACY RELATED DONT intitle:"Index of" finances.xls Excel sheet showing the finance information Excel sheet showing the finance information 1002 http://www.1000.com 68 T22 TECHNOLOGY PROFILE DONT intitle:"Ganglia" "Cluster Report for" Reveals cluster reports, useful for fingerprinting These are server cluster reports, great for info gathering. 1002 http://www.1000.com 69 T23 TECHNOLOGY PROFILE DONT intitle:index.of haccess.ctl Reveals administrative usernames and authorization file paths for Frontpage. Reveals administrative usernames and authorization file paths for Frontpage. 1002 http://www.1000.com 70 T24 TECHNOLOGY PROFILE DONT filetype:htaccess Basic Possible password file. Possible password file. 1002 http://www.1000.com 71 P9 PRIVACY RELATED DONT intitle:"statistics of" "advanced web statistics" Statistics for web servers 1002 http://www.1000.com 72 P10 PRIVACY RELATED DONT intitle:"Usage Statistics for" "Generated by Webalizer" Statistics for web servers The webalizer program shows web statistics for web servers. This information includes who is visiting the site, what pages they visit, error codes produced, filetypes hosted on the server, number of hits, referrers, exit pages, and more which can provide interesting information for an attacker. 1002 http://www.1000.com 73 T25 TECHNOLOGY PROFILE DONT intitle:"wbem" compaq login Good fingerprinting information These devices are running HP Insight Management Agents for Servers which "provide device information for all managed subsystems. Alerts are generated by SNMP traps." The information on these pages include server addresses and other assorted SNMP information. 1002 http://www.1000.com 74 T26 TECHNOLOGY PROFILE DONT intitle:admin intitle:login Finds administrative login pages This search can find administrative login pages. Not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 1002 http://www.1000.com 75 T27 TECHNOLOGY PROFILE DONT intitle:index.of "Apache" "server at" Shows version of Apache This is a very basic string found on directory listing pages which show the version of the Apache web server. Hackers can use this information to find vulnerable targets without querying the servers. 1002 http://www.1000.com 76 P11 PRIVACY RELATED DONT intitle:index.of inbox dbx Potential location of mailbox This search reveals potential location for mailbox files by keying on the Outlook Express cleanup.log file. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1002 http://www.1000.com 77 P12 PRIVACY RELATED DONT intitle:index.of dead.letter Reveals unfinished emails dead.letter contains the contents of unfinished emails created on the UNIX platform. Emails (finished or not) can contain sensitive information. 1002 http://www.1000.com 78 P13 PRIVACY RELATED DONT intitle:index.of inbox Reveals potential location of mailbox files This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1002 http://www.1000.com 79 P14 PRIVACY RELATED DONT intitle:index.of inbox dbx Reveals potential location of mailbox files This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1002 http://www.1000.com 80 P15 PRIVACY RELATED DONT intitle:index.of ws_ftp.ini ws_ftp.ini config files has usernames and passwords ws_ftp.ini is a configuration file for a popular FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference. These should not be on the web! 1002 http://www.1000.com 81 P16 PRIVACY RELATED DONT inurl:admin filetype:xls Excel file in administrative directory This search can find Excel spreadsheets in an administrative directory or of an administrative nature. Many times these documents contain sensitive information. 1002 http://www.1000.com 82 T27 TECHNOLOGY PROFILE DONT inurl:admin intitle:login Finds administrative login pages This search can find administrative login pages. This is not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 1002 http://www.1000.com 83 T28 TECHNOLOGY PROFILE DONT inurl:changepassword.asp Reveals script for changing password This is a common script for changing passwords. This doesn't actually reveal the password, but it provides great information about the security layout of a server. These links can be used to troll around a website. 1002 http://www.1000.com 84 T29 TECHNOLOGY PROFILE DONT inurl:main.php phpMyAdmin Reveals accessibility to phpMyAdmin tool From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." 1002 http://www.1000.com 85 T29 TECHNOLOGY PROFILE DONT inurl:main.php Welcome to phpMyAdmin Reveals accessibility to phpMyAdmin tool From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." 1002 http://www.1000.com 86 T30 TECHNOLOGY PROFILE DONT inurl:vbstats.php "page generated" Statistical information about the visitors This is your typical stats page listing referrers and top ips and such. This information can certainly be used to gather information about a site and its visitors. 1002 http://www.1000.com 87 T31 TECHNOLOGY PROFILE DONT inurl:ipsec.conf -intitle:manpage ipsec.conf file reveals what is protected The ipsec.conf may reveal information about freeswan VPN's. 1002 http://www.1000.com 88 T32 TECHNOLOGY PROFILE DONT inurl:ipsec.secrets -history -bugs Contains useful information ipsec_secrets The manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." 1002 http://www.1000.com 89 T33 TECHNOLOGY PROFILE DONT inurl:ipsec.secrets "holds shared secrets" Contains useful information The manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." 1002 http://www.1000.com 90 T34 TECHNOLOGY PROFILE DONT intitle:"Index of" mt-db-pass.cgi Has interesting information 1002 http://www.1000.com 91 P17 PRIVACY RELATED DONT mystuff.xml intitle:"index of" check other files in the same directory 1002 http://www.1000.com 92 T35 TECHNOLOGY PROFILE DONT "phpinfo.php" -manual phpinfo.php has lots of useful information "phpinfo.php" files contain system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, and Apache mods. 1002 http://www.1000.com 93 T36 TECHNOLOGY PROFILE DONT "# phpMyAdmin MySQL-Dump" filetype:txt Reveals accessibility to phpMyAdmin tool Reveals phpMyAdmin SQL information. 1002 http://www.1000.com 94 T37 TECHNOLOGY PROFILE DONT "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" Reveals accessibility to phpMyAdmin tool Reveals accessibility to phpMyAdmin tool 1002 http://www.1000.com 95 T38 TECHNOLOGY PROFILE DONT intitle:Index.of robots.txt File provides pointers to restricted files/directories The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. 1002 http://www.1000.com 96 P18 PRIVACY RELATED DONT site:edu grades admin Student names, SSN, grades Potential exposure of student names, Grades, and SSN's. 1002 http://www.1000.com 97 T39 TECHNOLOGY PROFILE DONT "# Dumping data for table" SQL database dumps Raw SQL dumps may provide information to an attacker. 1002 http://www.1000.com 98 T40 TECHNOLOGY PROFILE DONT "cacheserverreport for" "This analysis was produced by calamaris" Reveals squid server cache reports Web proxy logs may log sensitive information. 1002 http://www.1000.com 99 P19 PRIVACY RELATED DONT "index of" / lck Used for Username harvesting These lock files often contain usernames of the user that has locked the file. Username harvesting can be done using this technique by spammers or attackers. 1002 http://www.1000.com 100 C21 CONFIG MANAGEMENT DONT intitle:"Index of" .bash_history Log of what the user typed inside a bash shell. Log of what the user typed inside a bash shell. 1002 http://www.1000.com 101 P20 PRIVACY RELATED DONT inurl:admin filetype:asp inurl:userlist Reveals userlists This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 1002 http://www.1000.com 102 P21 PRIVACY RELATED DONT inurl:admin inurl:userlist Reveals userlists This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 1002 http://www.1000.com 103 C22 CONFIG MANAGEMENT DONT intitle:"Index of" .sh_history Log of what the user typed inside a shell. Log of what the user typed inside a shell. 1002 http://www.1000.com 104 E4 ERROR MESSAGES DONT "ORA-00921: unexpected end of SQL command" Reveals web pathnames and php filenames Reveals web pathnames and php filenames 1002 http://www.1000.com 105 E5 ERROR MESSAGES DONT "A syntax error has occurred" filetype:ihtml Possible source code disclosure. An Informix error message, this message can display path names, function names, filenames and partial code. Possible source code disclosure. 1002 http://www.1000.com 106 E6 ERROR MESSAGES DONT "access denied for user" "using password" Possible source code disclosure. Another SQL error message, this message can display the username, database, path names and partial SQL code. Possible source code disclosure. 1002 http://www.1000.com 107 E7 ERROR MESSAGES DONT "An illegal character has been found in the statement" -"previous message" Possible source code disclosure. An Informix error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1002 http://www.1000.com 108 E8 ERROR MESSAGES DONT "Can't connect to local" intitle:warning Lots of source code information Another SQL error message, this message can display database name, path names and partial SQL code, all of which are very helpful for hackers... 1002 http://www.1000.com 109 E9 ERROR MESSAGES DONT "Chatologica MetaSearch" "stack tracking:" Possible information disclosure attacker against Chatologica. Possible information disclosure attacker against Chatologica. 1002 http://www.1000.com 110 E9 ERROR MESSAGES DONT "detected an internal error [IBM][CLI Driver][DB2/6000]" Lots of source code information A DB2 error message, this message can display path names, function names, filenames, partial code and program state. 1002 http://www.1000.com 111 E10 ERROR MESSAGES DONT "Fatal error: Call to undefined function" -reply -the -next Lots of source code information This error message can reveal information such as compiler used, language used, line numbers, program names and partial source code. 1002 http://www.1000.com 112 E11 ERROR MESSAGES DONT "Incorrect syntax near" Possible information disclosure attack. An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1002 http://www.1000.com 113 E12 ERROR MESSAGES DONT "Incorrect syntax near" -the Possible information disclosure attacke. An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1002 http://www.1000.com 114 E13 ERROR MESSAGES DONT "ORA-00933: SQL command not properly ended" Possible information disclosure attack. An Oracle error message, this message can display path names, function names, filenames and partial SQL code. 1002 http://www.1000.com 115 E14 ERROR MESSAGES DONT "PostgreSQL query failed: ERROR: parser: parse error" Lots of source code information An PostgreSQL error message, this message can display path names, function names, filenames and partial code. 1002 http://www.1000.com 116 E15 ERROR MESSAGES DONT "Supplied argument is not a valid MySQL result resource" Possible information disclosure attack. Another generic SQL message, this message can display path names, function names, filenames and partial SQL code. 1002 http://www.1000.com 117 E16 ERROR MESSAGES DONT "Syntax error in query expression " -the Possible information disclosure attack. An Access error message, this message can display path names, function names, filenames and partial code. 1002 http://www.1000.com 118 E16 ERROR MESSAGES DONT "Unclosed quotation mark before the character string" Possible information disclosure attack. An SQL Server error message, this message can display path names, function names, filenames and partial code. 1002 http://www.1000.com 119 E17 ERROR MESSAGES DONT "Warning: Cannot modify header information - headers already sent" Lots of source code information A PHP error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1002 http://www.1000.com 120 E18 ERROR MESSAGES DONT An unexpected token "END-OF-STATEMENT" was found Lots of source code information A DB2 error message, this message can display path names, function names, filenames, partial code and program state, all of which are very helpful for hackers... 1002 http://www.1000.com 121 E19 ERROR MESSAGES DONT "Error Diagnostic Information" intitle:"Error Occurred While" Gives some interesting information about web sites These aren't too horribly bad, but there are SO MANY of them. These sites got googlebotted while the site was having "technical difficulties." The resulting cached error message gives lots of juicy tidbits about the target site. 1002 http://www.1000.com 122 E20 ERROR MESSAGES DONT filetype:asp "Custom Error Message" Category Source Gives out some source code information This is an ASP error message that can reveal information such as compiler used, language used, line numbers, program names and partial source code. 1002 http://www.1000.com 123 E21 ERROR MESSAGES DONT intitle:"the page cannot be found" inetmgr Signature for IIS 4.0 servers IIS 4.0 servers. Extrememly old, incredibly easy to hack... 1002 http://www.1000.com 124 E22 ERROR MESSAGES DONT intitle:"the page cannot be found" "internet information services" Searchs for IIS servers This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into... 1002 http://www.1000.com 125 E23 ERROR MESSAGES DONT intitle:"500 Internal Server Error" "server at" Reveals the type of web server running by the site This one shows the type of web server running on the site, and has the ability to show other information depending on how the message is internally formatted. 1002 http://www.1000.com 126 E24 ERROR MESSAGES DONT intitle:"Under construction" "does not currently have" Narrows OS and wev server version This error message can be used to narrow down the operating system and web server version which can be used by hackers to mount a specific attack. 1002 http://www.1000.com 127 E26 ERROR MESSAGES DONT "supplied argument is not a valid MySQL result resource" Provides path names inside the webserver Potential interesting information from this error message . The results of this message give you real path names inside the webserver as well as more php scripts for potential "crawling" activities. 1002 http://www.1000.com 128 E27 ERROR MESSAGES DONT "mySQL error with query" Provides information regarding mySql Another error message, this appears when an SQL query bails. This is a generic mySQL message, so there's all sort of information hackers can use, depending on the actual error message... 1002 http://www.1000.com 129 E28 ERROR MESSAGES DONT "ORA-00921: unexpected end of SQL command" Provides some Sql source information Another generic SQL message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 1002 http://www.1000.com 130 E29 ERROR MESSAGES DONT "ORA-00936: missing expression" Provides path names and partial database code A generic ORACLE error message, this message can display path names, function names, filenames and partial database code. 1002 http://www.1000.com 131 E30 ERROR MESSAGES DONT inurl:sitebuildercontent Shows a naive web site builder This is a default directory for the sitebuilder web design software program. 1002 http://www.1000.com 132 E31 ERROR MESSAGES DONT inurl:sitebuilderfiles Shows a naive web site builder This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder directory names. 1002 http://www.1000.com 133 E32 ERROR MESSAGES DONT inurl:sitebuilderpictures Shows a naive web site builder This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder directory names. 1002 http://www.1000.com 134 E33 ERROR MESSAGES DONT "You have an error in your SQL syntax near" Displays partial SQL code and path names Another generic SQL message, this message can display path names and partial SQL code. 1002 http://www.1000.com 135 E34 ERROR MESSAGES DONT "Supplied argument is not a valid PostgreSQL result" Displays function names, filename, source code An PostgreSQL error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1002 http://www.1000.com 136 E35 ERROR MESSAGES DONT warning "error on line" php sablotron This error message reveals interesting information Sablotron is an XML tool. This query hones in on error messages generated by this toolkit. These error messages reveal all sorts of interesting informaion such as source code snippets, path and filename info, etc. 1002 http://www.1000.com 137 E36 ERROR MESSAGES DONT intitle:"the page cannot be found" "2004 microsoft corporation" Fingerprints a Window 2000 web server Windows 2000 web servers are usually weak spots. 1002 http://www.1000.com 138 C23 CONFIG MANAGEMENT DONT "Welcome to phpMyAdmin" AND " Create new database" give access to phpMyAdmin to maintain SQL phpMyAdmin is a widly spread webfrontend used to mantain sql databases. The default security mechanism is to leave it up to the admin of the website to put a .htaccess file in the directory of the application. 1002 http://www.1000.com 139 C23 CONFIG MANAGEMENT DONT intitle:"Index of c:\Windows" Sharing C:\Windows directory These pages indicate that they are sharing the C:\WINDOWS directory, which is the system folder for many Windows installations. 1002 http://www.1000.com 140 P22 PRIVACY RELATED DONT intitle:"index.of.personal" Reveals personal information This directory has various personal documents and pictures. 1002 http://www.1000.com 141 B5 BACKUP FILES DONT inurl:backup intitle:index.of inurl:admin Reveals back up directories. This query reveals backup directories. These directories can contain various information ranging from source code, sql tables, userlists, and even passwords. 1002 http://www.1000.com 142 B6 BACKUP FILES DONT "Index of /backup" Reveals back up directories with juicy stuff Backup directories are good targets for information gathering. 1002 http://www.1000.com 143 P22 PRIVACY RELATED DONT intitle:index.of.private Private directories are interesting 1002 http://www.1000.com 144 P23 PRIVACY RELATED DONT inurl:index.of.protected Potential access to a protected direcroty. Potential access to a protected direcroty. 1002 http://www.1000.com 145 P24 PRIVACY RELATED DONT intitle:index.of.protected Potential access to a "secure" directory. Potential access to a "secure" directory. 1002 http://www.1000.com 146 P25 PRIVACY RELATED DONT intitle:index.of.secret Potential access to a "secure" directory. Potential access to a "secure" directory. 1002 http://www.1000.com 147 P26 PRIVACY RELATED DONT intitle:"index.of.secure" Potential access to a "secure" directory. Potential access to a "secure" directory. 1002 http://www.1000.com 148 C24 CONFIG MANAGEMENT DONT intitle:index.of.winnt checks if \WINNT is shared The \WINNT directory is the directory that Windows NT is installed into by default. Now just because google can find them, this doesn't necessarily mean that these are Windows NT directories that made their way onto the web. However, sometimes this happens. 1002 http://www.1000.com 149 T41 TECHNOLOGY PROFILE DONT "Select a database to view" intitle:"filemaker pro" Locates servers providing Filemake pro This search locates servers which provides access to Filemaker pro databases via the web. The severity of this search varies wildly depending on the security of the database itself. 1002 http://www.1000.com 150 T40 PRIVACY RELATED DONT "Welcome to Intranet" Intranet should not be accessible from the internet. Potential access to an internal site. 1002 http://www.1000.com 151 T42 TECHNOLOGY PROFILE DONT "Welcome to PHP-Nuke" congratulations Searches defaults installation of postnuke CMS system This finds default installations of the postnuke CMS system. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 1002 http://www.1000.com 152 T43 TECHNOLOGY PROFILE DONT "YaBB SE Dev Team" This Bulletin board has SQL injection vulnerability Yet Another Bulletin Board (YABB) SE (versions 1.5.4 and 1.5.5 and perhaps others) contain an SQL injection vulnerability which may allow several attacks including unauthorized database modification or viewing. See http://www.securityfocus.com/bid/9674 1002 http://www.securityfocus.com/bid/9674 153 T44 CONFIG MANAGEMENT DONT allinurl:install/install.php Pages with install/install.php may be insecure Pages with install/install.php files may be in the process of installing a new service or program. These servers may be insecure due to insecure default settings. In some cases, these servers may allow for a new installation of a program or service with insecure settings. In other cases, snapshot data about an install process can be gleaned from cached page images. 1002 http://www.1000.com 155 P28 PRIVACY RELATED DONT intitle:"Gallery in Configuration mode" Gallery config mode allows changes in gallery Gallery configuration mode allows outsiders to make changes to your gallery. 1002 http://www.1000.com 156 T45 TECHNOLOGY PROFILE DONT inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" Vulnerable to ../ and many other bugs These servers can be messed with in many ways. One specific way is by way of the "../" bug. This lets you cruise around the web server in a somewhat limited fashion. 1002 http://www.1000.com 157 RA4 REMOTE ADMIN INTERFACE DONT intitle:"osCommerce" inurl:admin filetype:php Explore admin interface This is a decent way to explore the admin interface of osCommerce e-commerce sites. Depending on how bad the setup of the web store is, web surfers can even Google their way into customer details and order status, all from the Google cache. 1002 http://www.1000.com 158 RA5 REMOTE ADMIN INTERFACE DONT intitle:"Remote Desktop Web Connection" MS remote desktop connection Microsoft Remote Desktop Connection Web Connection pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to an otherwise inaccessible machine. 1002 http://www.1000.com 159 RA6 REMOTE ADMIN INTERFACE DONT intitle:"Terminal Services Web Connection" MS Terminal services web connector pages Microsoft Terminal Services Web Connector pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to a "protected" machine. 1002 http://www.1000.com 160 RV4 REPORTED VULNS DONT inurl:footer.inc.php AllMyPHP family contains several vulnerabilities From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 1002 http://www.securityfocus.com/bid/9664 161 RV5 REPORTED VULNS DONT inurl:info.inc.php AllMyPHP family contains several vulnerabilities From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 1002 http://www.securityfocus.com/bid/9664 162 RA7 REMOTE ADMIN INTERFACE DONT inurl:manyservers.htm MS Terminal services multiple clients pages Microsoft Terminal Services Multiple Clients pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. 1002 http://www.1000.com 163 RV6 REPORTED VULNS DONT inurl:search.php vbulletin Version 3.0.0 candidate 4 and below have vulnerabilites Version 3.0.0 candidate 4 and earlier of Vbulletin may have a cross-site scripting vulnerability. See http://www.securityfocus.com/bid/9656 1002 http://www.securityfocus.com/bid/9656 164 E36 ERROR MESSAGES DONT "seeing this instead" intitle:"test page for apache" Helps to determine the version of the web page This is the default web page for Apache 1.3.11 - 1.3.26. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1002 http://www.1000.com 165 C25 CONFIG MANAGEMENT DONT aboutprinter.shtml Printers on the internet. Xerox printers on the internet. Google found these printers. 1002 http://www.1000.com 166 C26 CONFIG MANAGEMENT DONT allintitle:Netscape FastTrack Server Home Page Default installation of Netscape Fastrack server is insecure This finds default installations of Netscape Fasttrack Server. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 1002 http://www.1000.com 167 C27 CONFIG MANAGEMENT DONT intitle:"Apache HTTP Server" intitle:"documentation" Naiver Web site builder Manuals indicate a default Apache web root. This is not a security best practice. 1002 http://www.1000.com 168 C28 CONFIG MANAGEMENT DONT intitle:"Welcome to IIS 4.0" Indicates poor administration. Default installs are not secure. 1002 http://www.1000.com 169 C29 CONFIG MANAGEMENT DONT i_index.shtml "Ready" Could be used to lock administrators out. These printers are on the Internet. 1002 http://www.1000.com 170 C30 CONFIG MANAGEMENT DONT intitle:"Test Page for Apache" "It Worked!" Dertermine the web server This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1002 http://www.1000.com 171 E37 ERROR MESSAGES DONT intitle:"Test Page for Apache" "It Worked!" "on this web" Dertermine the web server This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1002 http://www.1000.com 172 C31 CONFIG MANAGEMENT DONT inurl:tech-support inurl:show Cisco Find cisco products with open web interface This is a way to find Cisco products with an open web interface. These are generally supposed to be user and password protected. 1002 http://www.1000.com 173 C32 CONFIG MANAGEMENT DONT "powered by openbsd" +"powered by apache" Known vulnerabilities with apache on openbsd Banner disclosure. 1002 http://www.1000.com 175 RA8 REMOTE ADMIN INTERFACE DONT intitle:admin intitle:login Admin Login page Potential admin Login pages. 1002 http://www.1000.com 176 B7 BACKUP FILES DONT intitle:"Index of" index.html.bak May contain interesting info Has old html pages that may contain interesting information 1002 http://www.1000.com 177 B8 BACKUP FILES DONT intitle:"Index of" index.php.bak May contain interesting info Holds old php files 1002 http://www.1000.com 178 B9 BACKUP FILES DONT intitle:"Index of" index.html~ May contain interesting info Holds old html files 1002 http://www.1000.com 179 B10 BACKUP FILES DONT intitle:"Index of" index.php~ May contain interesting info Holds old php files 1002 http://www.1000.com 180 P29 PRIVACY RELATED DONT inurl:"MultiCameraFrame?Mode=" Open security webcams Finds security webcams, somtimes private and confidential 1002 http://www.1000.com