One thing to keep in mind about compromised websites

Published: 2008-04-25
Last Updated: 2008-04-25 13:46:06 UTC
by Joel Esler (Version: 1)
1 comment(s)

We've all done it.  Taken some piece of code that machines are being exploited with and plugged it into Google to see how many machines were infected.  You do it, and you say to yourself "OH NOEZ, 10,000 MACHINES!  BIG BIG EXPLOIT RAISE THE RED FLAG!"

(Disclaimer:  Since Google is a verb in today's language, I don't necessarily mean Google, when I say Google.  I mean search engine, but I probably mean Google.  )

Things to keep in mind:

1) When you do that, most likely the exploit method is potentially:

    a) already known

    b) being worked on

    c) already been worked on

    d) cleaned up

2) There aren't that many machines actually infected/exploited.  Google takes awhile to index websites, usually about 2 days behind.  It depends on the popularity of your site.  I am not going to try and explain how the Google search algorithm/page rank thing works, because number one, I don't know, and number two, if I did, I am sure I could command alot of money from both Google and/or Microsoft for me to work there.  But anyway, my point is, Google takes a bit to index sites.  Then once the sites are indexed and are then subsequently cleaned up, Google takes a while to clean the entries back out again.  (Again, by re-indexing.)

So, at any given point, the index results in Google for "x" exploit are not correct.  The numbers at least.  The websites you see in Google are either currently exploited, or have been several days/weeks/whatever ago.  So keep that in mind.

The next time you read something about "OH NOEZ THE EXPLOIT IS TAKING OVER TEH WORLD.  OMG LOL!!11".  Try not and panic, it's probably not as big as it's claimed to be.

 

--

Joel Esler

http://www.joelesler.net

Keywords:
1 comment(s)

Comments

Hey Joel,

on the one hand side I see your point, but consider:

You come across a website which has been compromised.
You see a suspect iFrame at the source code which leads to an exploit or something.

You take the link, put it into google and get a result of, lets say about 2 other sites.
Isn't it possible that there are 10.000 infected websites out which aren't indexed right now? ;)

Diary Archives