The Internet is a wonderful thing. Think of all the ways it has changed how we do things. Over the weekend, I needed to find some information on a particularly nasty weed we had growing in our woods. Back in the day, it would have entailed a trip to the local library and a pretty good possibility of not finding anything at all. Now, all I needed was a little bit of Google-Fu, and I was able to find a web page with way more information on this plant than I ever wanted.
There are web pages out there for EVERYTHING (thus Rule #34), and at this point, pretty much anyone can stand up a website. Take a course or two at the community college, shell out a few bucks for an "HTML for Dummies" book, and heck, you're a "web designer."
Therein lies the problem.
Knowing how to "design" a page o' dancing gerbils does not a secure site make. (<-- Note: while grammatically correct, like Yoda do I sound...) Once you've mastered the fine art of the <blink> tag, you need to actually check your site to make sure that one of the evil denizens of the 'net hasn't altered your masterpiece.
In the brilliant precursor to this sequel, I tried to point out a little bit o' Google-dorking that found some really interesting things on the sites of various institutions of higher learning. This time around, I'll throw some .gov sites under the bus as well.
Try tossing the following query at big-G: "site:.edu filetype:html buy viagra"
Last time I did this, I didn't name names... but I'm older and more curmudgeonly now, so here is a cross-section of some of the .edu sites that made the "little blue pill" hit parade:
What's kinda' cool is that since Google takes some time to "forget," you can also see the folks who WERE whacked for long enough to get spidered by the Google bot, but have since cleaned things up.
And let's not forget our fine government. Nothing makes a taxpayer more proud than to know that their government websites are flogging fixes for flagging phalluses (ain't the alliteration sweet?). Head back to Google and search for: "site:.gov filetype:html order viagra online"
Let's see... who do we have here?
So, if any of you happen to have some free time on your hands, give those Google queries a shot. Play around with different combinations of words and different combinations of search constraints. Drop a nice, polite note to the folks in charge of the compromised sites and point out the issues... but don't be surprised if they get a bit ticked off at you: there is a long, time-honored tradition in the IT world of blaming the messenger...
So what's the deal here? While I haven't had (and don't have) the time to do an in-depth investigation, my guess would be that these are a result of having a Content Management System (CMS) get "managed" by someone else, either through a weak password or through a vulnerability in the CMS itself (these things are notoriously buggy...). Generally these "additions" are housed in a <span> marked with "visibility:hidden", and so a cursory glance at the site shows nothing amiss. If no one bothers to look at the actual code of the page, the altered pages can hang around forever, making your university, unit of government, or business look pretty darned silly.
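One way to look at "the actual code of the page" automatically is sketched below. It is an added example, not part of the original diary: the keyword list, the `scan` helper and the sample page are assumptions made for illustration, and it also checks `display:none`, which goes beyond the `visibility:hidden` case mentioned above.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element from visitors but not from crawlers.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SPAM_WORDS = re.compile(r"\b(viagra|cialis|pharmacy)\b", re.I)  # assumed list
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<h1>Department of Botany</h1>
<p>Visible text that mentions viagra research is not flagged.</p>
<span style="visibility:hidden"><a href="http://spam.example/pills">buy viagra</a><br>cheap</span>
<p style="display: none">Print-only notice</p>
</body></html>"""

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # (tag, hides?) for every open element
        self.findings = []   # (line number, hidden text or href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))
        if tag == "a" and attrs.get("href") and any(h for _, h in self.stack):
            self.findings.append((self.getpos()[0], attrs["href"]))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip() and any(h for _, h in self.stack):
            self.findings.append((self.getpos()[0], data.strip()))

def scan(html):
    """Return (all hidden findings, the subset matching SPAM_WORDS)."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.findings, [f for f in finder.findings if SPAM_WORDS.search(f[1])]

if __name__ == "__main__": print(scan(SAMPLE)[1])
```

This only sees inline `style` attributes; content hidden through a stylesheet class or injected by script needs a rendered-DOM check instead. Hidden text that does not match the keyword list (the first list returned) is still worth reviewing by hand.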
The moral of the story: CHECK YOUR SITE, MONITOR YOUR LOGS, THEN DO IT ALL OVER AGAIN. LATHER, RINSE, REPEAT.
Tom Liston - InGuardians, Inc. - Handler on Duty
May 4th 2009