Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google To Send Detailed Info About Hacked Web Sites

kdawson posted more than 4 years ago | from the see-yourself-as-others-see-you dept.

Google 58

alphadogg writes "In an effort to promote the 'general health of the Web,' Google will send Webmasters snippets of malicious code in the hopes of getting infected Web sites cleaned up faster. The new information will appear as part of Google's Webmaster Tools, a suite of tools that provide data about a Web site, such as site visits. 'We understand the frustration of Webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged,' wrote Lucas Ballard on Google's online security blog. To Webmasters who are registered with Google, the company will send them an email notifying them of suspicious content along with a list of the affected pages. They'll also be able to see part of the malicious code." Another of the new Webmaster Tools is Fetch as Googlebot, which shows you a page as Google's crawler sees it. This should allow Webmasters to see malicious code that bad guys have hidden on their sites via "cloaking," among other benefits.

cancel ×

58 comments

Gentlemen, check your Webmaster tools (4, Interesting)

symbolset (646467) | more than 4 years ago | (#29741147)

This is a great service. Google should set up an opt-in email notification as well.

It helps the webmasters build better sites and teaches them to check the Google website tools that allow them to groom their site for best indexing on Google. That's great.

Re:Gentlemen, check your Webmaster tools (2, Informative)

madhurms (736552) | more than 4 years ago | (#29741197)

I dont know why the summary did not link to the official google blog. Here is the link: http:http://googlewebmastercentral.blogspot.com/2009/10/fetch-as-googlebot-and-malware-details.html/ [http]

Black Rose Immortal (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29741467)

In the name of desperation
I call your name
A lamentation I sigh
Again and again

Spiritual eclipse
The gateways are closed for me to seek

The night...
A veil of stars, watching
My shadow is born from light
The light of the eye, in darkness

Over troubled waters memories soar
Endlessly, searching night and day
The moonlight caresses a lonely hill
With the calmness of a whisper

I wear a naked soul
A blank face in the streaming water
It is cold in here
Frost scar my coat with dust

Eyes attach to your mute portrait
We spoke only through thoughts
Together we gazed, awaited
Hours brought thirst and the rising sun

Sunbirds leave their dark recesses
Shadows glide the archways

Do not turn your face towards me
Confronting me with my loneliness
You are in a forest unknown
The secret orchard
And your voice is vast and achromatic
But still so precious

Lullaby of the crescent moon took you
Mesmerized, its kaleidoscopic face
Granted you a hollow stare
Another soul within the divine herd

I have kept it
The Amaranth symbol
Hiddin inside the golden shrine
Until we rejoice in the meadow
Of the end
When we both walk the shadows
It will set ablaze and vanish
Black rose immortal

It is getting dark again
Dusk shuffle across the fields
The evening trees moan as if they knew
At night I always dream of you

Re:Gentlemen, check your Webmaster tools (1)

Lord Bitman (95493) | more than 4 years ago | (#29741983)

They do. It's the thing you said.

Re:Gentlemen, check your Webmaster tools (1)

sahala (105682) | more than 4 years ago | (#29750193)

This is a great service. Google should set up an opt-in email notification as well.

It helps the webmasters build better sites and teaches them to check the Google website tools that allow them to groom their site for best indexing on Google. That's great.

Webmaster Tools has opt-in email notification. Here are details: http://googlewebmastercentral.blogspot.com/2009/06/to-make-webmaster-tools-message-center.html [blogspot.com]

The "Malware details" feature (mentioned in the article), however, doesn't send you any notifications just yet.

Great (-1, Offtopic)

EricvanIngen (1437281) | more than 4 years ago | (#29741149)

Hmmm

Yes, but... (-1, Offtopic)

TheBilgeRat (1629569) | more than 4 years ago | (#29741257)

Who Vatches the Vatchers?

\conspiracy?

Google needs to clean up their own act first, (4, Informative)

Animats (122034) | more than 4 years ago | (#29741275)

Google has a malware hosting problem of their own.

Google Spreadsheets can be abused to create phony login pages. Here's one for "Free Habbo credits" [google.com] , designed to collect Habbo logins. It's been reported via the usual "Google abuse" mechanism, repeatedly, and it's still up. It's been up since October 28, 2008.

We track major domains being exploited by active phishing scams. [sitetruth.com] ("Major" here means only that it's in Open Directory, with about 1.5 million domains.) There are 39 exploited domains today. Only 7 have been on that list since 2008. The most abused site is Piczo.com, which is a hosting service/social network/shopping site for teenagers.

Just about everybody else has cleaned up their act. 18 months ago, that list had 174 entries, including Yahoo, eBay, Microsoft Live, and TinyURL. All those companies have become more aggressive about checking for phishing scams that were injected into their domain. Google's cluelessness in this area ought to be embarrassing to someone.

Typical (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29741485)

I think you misspelt Micro$oft in your post. They are the ones with all the malware problems, the Google issue is a user error and nothing to do with Google itself. So how much $$$ did Micro$$$oft pay you for your post to discredit the opposition?

Re:Typical (0)

Anonymous Coward | more than 4 years ago | (#29741523)

Just for info: M$ was something started my Microsoft themselves in MS BASIC.

Also, fail.

S-S-s-s-s- (0)

Anonymous Coward | more than 4 years ago | (#29742267)

$-$-$-$hillll.....

Re:S-S-s-s-s- (1)

buchner.johannes (1139593) | more than 4 years ago | (#29742433)

Where is this $$$-hill and does it have trees? I'd prefer a €€€-hill though.

Re:S-S-s-s-s- (1)

ion.simon.c (1183967) | more than 4 years ago | (#29748977)

Heck. Money-hills of any sort are appreciated.

Re:Google needs to clean up their own act first, (0)

Anonymous Coward | more than 4 years ago | (#29742471)

Well... they did kill Google Pages... come on, you can't fault them there, that whole thing was just a nuclear bomb waiting to happen...

Still despise Google Sites though. It is almost embarrassing compared to the flexibility of Pages.

Re:Google needs to clean up their own act first, (3, Insightful)

aj50 (789101) | more than 4 years ago | (#29743223)

An ordinary scam (like the Habbo one listed above) is different from a phishing attack (which requires that the attacker impersonates another entity).

You have absolutely no hard evidence (other than your own experience and cynicism) that the site collecting Habbo logins isn't doing so for purely honest reasons and will only use them to deposit 500 credits in each account submitted.

This comes down to a matter of trust. If you trust random people on the Internet, you're going to get screwed over.

Re:Google needs to clean up their own act first, (1)

Animats (122034) | more than 4 years ago | (#29746657)

An ordinary scam (like the Habbo one listed above) is different from a phishing attack (which requires that the attacker impersonates another entity).

PhishTank calls it a phishing scam. [phishtank.com] We follow their data.

Re:Google needs to clean up their own act first, (0)

Anonymous Coward | more than 4 years ago | (#29747991)

We follow their data.

Which is wrong. Phishing involves impersonating a trusted party. This site definitely wants your Habbo credentials, and very likely not to give you free credits, but they don't claim to be Habbo.

Re:Google needs to clean up their own act first, (1)

aj50 (789101) | more than 4 years ago | (#29751753)

PhishTank is a crowd sourcing site which merely samples the opinions of their users which makes it accountable to... no-one?

Netcraft does not consider it a phish (although you have to use their toolbar to check that.)

Incidentally, the spreadsheet is suddenly gone so I suspect someone at Google is reading Slashdot.

Re:Google needs to clean up their own act first, (0)

Anonymous Coward | more than 4 years ago | (#29743951)

um, so I just reported that page as phishing to Google(bottom of the page, report as phishing), do these sites do that or just expect Google to find their hideous website and then fix the problem?

Re:Google needs to clean up their own act first, (2, Interesting)

tlhIngan (30335) | more than 4 years ago | (#29745033)

Google has a malware hosting problem of their own.

Google Spreadsheets can be abused to create phony login pages. Here's one for "Free Habbo credits", designed to collect Habbo logins. It's been reported via the usual "Google abuse" mechanism, repeatedly, and it's still up. It's been up since October 28, 2008.

We track major domains being exploited by active phishing scams. ("Major" here means only that it's in Open Directory, with about 1.5 million domains.) There are 39 exploited domains today. Only 7 have been on that list since 2008. The most abused site is Piczo.com, which is a hosting service/social network/shopping site for teenagers.

Just about everybody else has cleaned up their act. 18 months ago, that list had 174 entries, including Yahoo, eBay, Microsoft Live, and TinyURL. All those companies have become more aggressive about checking for phishing scams that were injected into their domain. Google's cluelessness in this area ought to be embarrassing to someone.

Let me guess - you want Google to remove people's documents arbitrarily? That's what you're saying.

Right now, Google's right to not do anything - how would you feel if someone just took down one of your documents arbitrarily? Not even a DMCA notice, just a vague "this is a hacker tool" thing? And how do you differentiate between "fake login page" and "log in page mockup"? After all, when designing a UI, you can do it in any medium you feel comfortable in.

So yeah, Google is clueless. They're so clueless, they'd rather not remove someone's document because there can be many legitimate reasons for it to be there. And I suppose, as much as Google would like to remove it, doing so sets a bad precedent. Your Google Doc annoys someone? Click "report abuse" and Google will take it down. Better than DMCA notice.

At best, Google can remove it from the index. But allowing Google to arbitrarily remove any document by an anonymous person invites a whole new can of worms. Might as well ban bullets, they've been used to harm people.

Re:Google needs to clean up their own act first, (1)

AmberBlackCat (829689) | more than 4 years ago | (#29745799)

It is my opinion that (Google is no more "secure" than any other website or corporation. Google is doing the same thing Sony does; they're just slapping their name on their new product and letting a bunch of people assume it's good because their name is on it. The only interesting thing mentioned in the article synopsis is the "Fetch as Googlebot" feature, because now when you search for a picture and Google lists some 4000x3000 photo that matches what you want and it turns out that was just bait which doesn't exist when you go to the actual site, you can "Fetch as Googlebot" and get the same result they fed to the search engine.)

Google cleans up their act. (1)

Animats (122034) | more than 4 years ago | (#29753445)

Google finally fixed this. The offending page now reads "We're sorry. You can't access this spreadsheet because it is in violation of our Terms of service. If you feel this is in error, please contact us."

Sometimes you just have to use a big clue stick to get their attention. It took some help from The Register to get Yahoo, Microsoft, and eBay to clean up their acts.

Five more long-term exploited sites remain. A bit more nagging, and we'll have this cleaned up.

Once this is cleaned up, phishing blacklists that blacklist entire second-level domains will be effective. No more just blacklisting the URL.

Good idea, but... (4, Interesting)

PrimaryConsult (1546585) | more than 4 years ago | (#29741385)

If Google's determination on whether a site has malicious content is based solely on crawling it, wouldn't a hacker be able to manipulate robots.txt to ignore the file with the malware? These tools would allow a hacker to test that theory out, by trying different things on his own sites and seeing what generates an email, instead of waiting around for Google to re-crawl them and having to check each one to see if it is filtered...

Re:Good idea, but... (1)

EvilIdler (21087) | more than 4 years ago | (#29741981)

I'm pretty sure Google checks to see what's reachable through links on the site. Just look at the dead link checker in the Webmaster Tools ;)

Re:Good idea, but... (1)

dave420 (699308) | more than 4 years ago | (#29743237)

It's even simpler than that - as the Googlebot identifies itself, it's trivial to have special content served up if Googlebot requests a page. You don't have to use robots.txt to hide anything.

Re:Good idea, but... (1)

GameboyRMH (1153867) | more than 4 years ago | (#29745299)

I imagine they could have a different bot that doesn't do any kind of search indexing, but checks for malware/security issues and can't be blocked with robots.txt

Re:Good idea, but... (1)

lonecrow (931585) | more than 4 years ago | (#29753495)

I think you are correct but it might be counter productive. GoogleBot obeys robots.txt so if the hacker listed the infected page in robots.txt google shouldn't ever request it. However, if you are a hacker and you have infected a page then I assume they want people to view it. Hiding the page from google probably lowers the number of visitors to an unacceptable low number.

Also, I think allot of infected pages are a result of SQL injection or simply dropping some cross-site scripting code into form field of completely insecure website. This is a lot more trivial than gaining enough access to the machine to modify the robots.txt file. If they had that kind of access they are probably already hosting a dozen of their own sites on your server and sending spam from it :)

However, I think your idea is sound in the context you presented it.

Now please excuse me, I have to scurry off and make sure my robots.txt file is set to deny-writes.

web health should be a communal effort (and free) (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29741443)

I appreciate Google's need to make a buck, however if they truly were doing this "in the interest of general web health," they would not charge for notification. They ought to charge for fixing the bug, and give the notification for free if google happens to detect it.

  This has a revere side, if you don't pay them, and you don't know, the largest search engine can have you flagged as a risky site to visit. If it can hurt your site by scanning it then this would also be "protection money" more in mafia terms.

  I'm not preaching any system here, but security as a general effort should be made in general by the general community. Generally speaking O.F.C.

Re:web health should be a communal effort (and fre (0, Redundant)

lewko (195646) | more than 4 years ago | (#29741469)

Oh please.

Doctors do things for the common good as well. That doesn't mean they don't have bills to pay.

Re:web health should be a communal effort (and fre (2, Informative)

DrEldarion (114072) | more than 4 years ago | (#29741677)

Registered webmasters (registration is free) of infected sites do not need to specially enable the feature -- they will find links to it on the Webmaster Tools dashboard.

Google does not charge for Webmaster Tools.

Poor Google IT webmasters! (2, Funny)

snikulin (889460) | more than 4 years ago | (#29741449)

Default Apache e-mail is webmaster@localhost

Re:Poor Google IT webmasters! (1)

tepples (727027) | more than 4 years ago | (#29742949)

Default Apache e-mail is webmaster@localhost

Google would probably first try sending mail to the Google account that confirmed its control of the site.

If not, Google would just assume "localhost" is an error for whatever domain the site actually uses. For example, given webmaster@localhost at www.example.com, Google might look up the MX for www.example.com, not see it, look up the MX for example.com, and send mail.

If the site doesn't list such an address at all, there's an RFC that strongly recommends webmaster@example.com as the WWW technical contact for example.com.

Helping the hackers? (1)

NewsWatcher (450241) | more than 4 years ago | (#29741569)

If you wanted to test out malicious code to see whether it was likely to be discovered, wouldn't this be a great tool to have?

Who requests (-1, Troll)

camcorder (759720) | more than 4 years ago | (#29741779)

Who wants this service from Google? Any company starting to act like an internet police is a huge risk in future if not now, and it should be preemtively rejected by users. If people rely on this kind of services in future Google will list its do-s and don't-s. I didn't ask about their service, nor I would like to be informed by their *unknown* ways of analyzing my pages. And no I don't want to host a useless piece of text called robots.txt to get rid of google crawlers. Why in the hell I should say get away, while if I don't it means I welcome them.

Re:Who requests (3, Informative)

mftb (1522365) | more than 4 years ago | (#29741835)

It's an opt-in notification system - nobody's forcing you to do anything. Also, robots.txt has been around since long before google.

Re:Who requests (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29741939)

Where did you get it's an opt-in system? If you mean opt-ing in with robots.txt, then that's in description of opt-out not opt-in, which most spams are categorzied in. robots.txt might not have been started by google, but it was started with a similar company. Same things can be said for any company behaving like Google or Microsoft.

Re:Who requests (1)

mftb (1522365) | more than 4 years ago | (#29741999)

The notifications are opt-in. That's what I meant.
And it's not like it's hard to set up. You should be thankful robots.txt is obeyed by most robots.

Re:Who requests (2, Interesting)

complete loony (663508) | more than 4 years ago | (#29742715)

Company? what the...

You obviously have no idea about the early days of the internet and HTTP. The whole point of HTTP was to publish documents, if you host something you are implicitly allowing other people to fetch a copy of it.

robots.txt came about in the very early days of HTTP. An enterprising hacker wrote a crawler to index the whole internet (which wasn't that big at the time). But his crawler got stuck fetching pages from one machine with dynamically generated pages. This obviously tied up the bandwidth, CPU and disk IO of the server which annoyed it's owner. So the 2 people had a polite conversation via email and the opt-out robots.txt was invented.

Re:Who requests (1)

Ant P. (974313) | more than 4 years ago | (#29742205)

Hi Mr. Murdoch!

Re:Who requests (1)

HNS-I (1119771) | more than 4 years ago | (#29742589)

Google is not playing police, they merely tell searchers it's a bad idea to go there. If you don't want others to link to you, don't go on the intarwebs. Also getting indexed by google is only possible if you sign up.

Yes it's terrible, you have to type in "User-agent: *\n Disallow / " I can feel you pain.

Re:Who requests (1)

tokul (682258) | more than 4 years ago | (#29742635)

If you are that paranoid, cut your network cable. It will ensure that those pesky googlebots stay away from your precious data.

If you put your data on public website, others are free to read that data.

Re:Who requests (0)

Anonymous Coward | more than 4 years ago | (#29743025)

Who wants this service from Google? Any company starting to act like an internet police is a huge risk in future if not now, and it should be preemtively rejected by users. If people rely on this kind of services in future Google will list its do-s and don't-s. I didn't ask about their service, nor I would like to be informed by their *unknown* ways of analyzing my pages. And no I don't want to host a useless piece of text called robots.txt to get rid of google crawlers. Why in the hell I should say get away, while if I don't it means I welcome them.

Take your shitty attitude and get the hell out of my internets.

Re:Who requests (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#29743111)

You put it on the internet.

If it's on the internet, it's public. Don't put anything private on the internet. Don't expect anything private put on the internet to remain private.

Information wants to be free. If you don't want your information to be free, keep it to your god damn self!

Re:Who requests (0)

Anonymous Coward | more than 4 years ago | (#29744503)

Normally I would agree, but a lot of websites are run without the advanced knowledge for finding these "broken" pages.

This is basically a free antivirus for your website that is less annoying because you do not even have to run it on your server. I am not a fan of Google, as a company, but they have the information to track and protect users (such as with the Malicious website warning in Firefox), so why not go the extra step and inform the most likely ignorant (of the issue) webmaster of the injected malware.

If it was an opt-in service, then most people would remain ignorant to the problems on their site, and the problems for web users would still persist. I prefer someone else was doing this, or that it was a separate service, but I am not going to complain about getting it as it could do a lot for helping to clean up the internet.

Happened over here (3, Interesting)

orta (786013) | more than 4 years ago | (#29741861)

This happened to my site and the google webmaster tools were helpful but frustrating, it took 2 weeks of my site being banned in all major browsers before they officially sanctioned it OK. It did give me a list of all the URLS where there was problems, so it wasn't too hard to debug.

Re:Happened over here (2, Interesting)

johndoejersey (679948) | more than 4 years ago | (#29742849)

My experience was less than 8 hours. A day or two later I realised I missed my .htaccess file had been gazumped as well. Though google seemed to miss that one....

From the awesome-for-pr0n dept. (1)

Jugalator (259273) | more than 4 years ago | (#29741929)

Another of the new Webmaster Tools is Fetch as Googlebot, which shows you a page as Google's crawler sees it.

Heh, could find some use outside of the designed purpose then... A number of pay-to-view web forums allow the Googlebot to freely navigate it, but requires payment from users. Among other boards, those involving erotica. :p

Re:From the awesome-for-pr0n dept. (1)

dazjorz (1312303) | more than 4 years ago | (#29742033)

Alas, I think you can only view your own sites with the Googlebot... So unless you can sneak in the "yes, this domain is mine" HTML file or DNS entry, in which case you probably don't need to worry about this anyway, probably not a chance... ;)

Academic cloaking (2, Informative)

tepples (727027) | more than 4 years ago | (#29743001)

A number of pay-to-view web forums allow the Googlebot to freely navigate it, but requires payment from users. Among other boards, those involving erotica.

This sort of cloaking is frustrating even for people who aren't porn fans. A lot of scholarly journals spam search engine result pages with their cloaked, noarchived pages <cough>elsevier and springerlink</cough>. Even more frustrating is that Google provides no way for users 1. to exclude noarchived pages from its results or 2. to report sites that violate Google's stated cloaking policy.

Re:Academic cloaking (2, Interesting)

skeeto (1138903) | more than 4 years ago | (#29745881)

You can report sites that use cloaking here: http://www.google.com/contact/spamreport.html [google.com] . I don't know what good it does since the sites I have reported have never been acted upon.

WOW sites (1)

BrookHarty (9119) | more than 4 years ago | (#29742189)

So many wow accounts are hacked from keyloggers that are installed just by visiting wow sites. Gold vendors, wow auction houses, and simple forums can cause you to lose your wow accounts...

What would be nice if google could make these sites it detects with googlebot available so developers could patch the holes in firefox.

Re:WOW sites (0)

Anonymous Coward | more than 4 years ago | (#29742565)

Haha, 2 of my friends who play WoW have been screwed over by viruses, stolen e-mail and accounts...

God, and both of them used to be quite in to computing as well, one who knew more than i did at one point.
Now? They barely know how to Control Panel for ANYTHING... quite sad indeed that WoW has rotted their brain.
Well, that's what happens when both of them dropped out of college because work piled up due to them playing WoW to 5 in the morning... so much for not being addicted to the game.

tit for tat (1)

happy_place (632005) | more than 4 years ago | (#29743253)

A friend of mine works at Bluecoat ( http://www.bluecoat.com/ [bluecoat.com] if you care...) (they do internet security and filtering services). He says they regularly send reports to Google when they find that Google is compromised with malicious code... so its good to know Google's taking part in helping fix a problem they certainly deal with.

I've tried this before, and failed (1)

hansamurai (907719) | more than 4 years ago | (#29745541)

My site was once getting hit really hard from some other web site with a hole on their feedback page. I tried to email their webmaster but my message got flagged as spam. I guess including IP addresses, multiple links, phrases like "spam", "execute script", "spambot", and "exploit" aren't looked kindly upon by the internet powers that be. I just blocked any connections coming from their IP, but I wish I could have gotten through to shut down the security exploit.

"Google" to send this info or Google pretenders? (1)

azdio (185000) | more than 4 years ago | (#29745667)

Phishing types are already preparing false communications and false sites with such warnings "from google". There are certainly many mechanisms in existence to help authenticate that a communication is actually from google. Hopefully the use of such mechanisms is clever enough to avoid more contamination.

Re:"Google" to send this info or Google pretenders (1)

sahala (105682) | more than 4 years ago | (#29750699)

All the diagnosis information and messages are presented through the Google Webmaster Tools UI, not through email. There is an option in Webmaster Tools to forward messages [blogspot.com] to email, but this is opt-in.

You have a point though...there are lots of "from google" false emails floating around. As you know it's a tough problem to solve :/

If You Find These Strings, You're Infected (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29748277)

Every admin should grep all of their HTML srouce code for these malicious strings:
DoubleClick adsense google-analytics searchmarketing.yahoo.com
If you find any of those in your pages, delete them immediately before your users are harmed!

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...