Tuesday, May 5, 2009

More Google Whacking to Detect Compromises

Tom Liston posted "Putting the ED _back_ in .EDU" on the ISC diary yesterday. I've discussed using Google Alerts to monitor institutional webspace in the past:

The lessons from both remain valid - I've detected a number of webspace compromises in the past year, and continue to use Google Alerts as an easy detection method. The methodology is simple: just build a query along the lines of:

site:(your site) -pdf -ppt -doc "poker" OR "xanax" OR "viagra" OR "cialis"

Then set your alert and watch. I keep mine sorted into a unique mail folder, so all I have to do is see if that folder shows a new alert. You can end up with some false positives, particularly with the inurl directive, but in general, you'll find that this is a great tripwire for large institutional webspaces with dynamic or user generated content.

This technique can also be used to monitor for internal documents and files - simply build your search to include the search terms that are of interest for your specific site.
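As an added example (not code from the original post), the following Python script does two things the post describes: it assembles the Google Alerts query from a site, a list of excluded document types and a list of watch terms, and it runs the same keyword tripwire locally over pages from your own crawl or sitemap, so you can cross-check what the alert reports. The site name `example.edu`, the `SAMPLE_PAGES` list and the hidden spam block inside it are constructed for illustration. The `terms` parameter can be swapped for the site-specific terms mentioned above (internal document names, project codenames) just as easily as for the pharma words.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Pharma/gambling terms commonly injected by spam-SEO defacements (from the post).
SPAM_TERMS = ("poker", "xanax", "viagra", "cialis")

# Document formats the post excludes with -pdf -ppt -doc; legitimate academic
# uploads in these formats produce most of the false positives.
EXCLUDED_EXTENSIONS = ("pdf", "ppt", "doc")


def build_alert_query(site, terms=SPAM_TERMS, excluded=EXCLUDED_EXTENSIONS):
    """Return the Google Alerts query in the form the post describes.

    Google's OR operator must be upper-case; a lower-case 'or' is treated as
    an ordinary search word and silently narrows the query.
    """
    exclusions = " ".join(f"-{ext}" for ext in excluded)
    keywords = " OR ".join(f'"{t}"' for t in terms)
    return f"site:{site} {exclusions} {keywords}"


@dataclass
class Hit:
    url: str
    terms: tuple  # watch terms found on the page, in order of first appearance


def _term_pattern(terms):
    # \b guards against substring matches: "cialis" must not fire on "specialists".
    alternation = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)


def scan_pages(pages, terms=SPAM_TERMS, excluded=EXCLUDED_EXTENSIONS):
    """Local tripwire over (url, html) pairs, e.g. from your own crawl or sitemap.

    Mirrors the alert query: skips the excluded document types by URL
    extension, strips tags so spam hidden in display:none blocks is still
    seen, and reports which terms matched on each page.
    """
    pattern = _term_pattern(terms)
    hits = []
    for url, html in pages:
        path = urlparse(url).path.lower()
        if any(path.endswith("." + ext) for ext in excluded):
            continue
        text = re.sub(r"<[^>]+>", " ", html)  # crude tag stripping, enough for keyword checks
        found = []
        for m in pattern.finditer(text):
            term = m.group(1).lower()
            if term not in found:
                found.append(term)
        if found:
            hits.append(Hit(url, tuple(found)))
    return hits


# Constructed sample crawl: a clean page, a page with a hidden spam block,
# and a PDF that would be excluded by the -pdf term in the query.
SAMPLE_PAGES = [
    ("https://www.example.edu/~prof/index.html",
     "<html><body><h1>Course notes</h1><p>Our specialists publish here.</p></body></html>"),
    ("https://www.example.edu/~student/blog.html",
     '<html><body><p>Welcome!</p><div style="display:none">buy cheap VIAGRA and '
     'cialis online, play poker</div></body></html>'),
    ("https://www.example.edu/papers/poker-theory.pdf",
     "poker poker poker"),
]

if __name__ == "__main__":
    print("Alert query:", build_alert_query("example.edu"))
    for hit in scan_pages(SAMPLE_PAGES):
        print("HIT", hit.url, "->", ", ".join(hit.terms))
```

The word-boundary match is the detail worth keeping: plain substring search would flag every page mentioning "specialists" as a "cialis" hit, which is exactly the kind of false positive that makes people stop reading the alert folder.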
