Googlecache Backdoor
An old “trick” that never seems to get old, even when it doesn’t quite work.
Every once in a while, I actually talk about technical stuff on this blog and this week, I’m focused on Google. Oh, sure, it’s called “Diary of a Network Geek”, but I generally talk about all sorts of geeky things that have nothing to do with computers or networking at all. Well, today you get a treat, gentle readers, and I’ll write a little technical bit about what this is and how it works, or doesn’t. Here’s the trick, in a nutshell: Google a specific site or page with no extra parameters, using the “site:ryumaou.com” syntax. (To hit a specific page, “site:ryumaou.com/hoffman/netgeek/“) When you get your search results, notice at the bottom of each description, there is a link labelled “Cached”. Click that and you’re looking at the page as it resides on the Google servers. At this point, normally, you’d not be hitting the actual website at all, but simply viewing the page as it was stored on Google’s servers when they spidered the site for their search database.
Now, normally, that would hide you from a web log, but not from this blog. Why? Good question. What you see pictured in the graphic on this post is a rookie mistake. Googlecache browsing doesn’t work well to conceal one’s IP address when browsing dynamic content. I know it might not always seem like it, but this blog is, actually, fairly dynamic. In this particular case, what tripped up our inexperienced sneak is a plugin, or set of plugins, running on the blog. Mainly, it was the plugin that makes the pretty title graphics via PHP. When our tricksy, little Hobbit hit the Googlecached page, his browser made a call directly back to code stored on my site to generate the cool graphics. Graphics which, because they are generated dynamically, are not stored in Google’s cache, but created “on the fly” every time someone hits my page. Interestingly enough, even if our erstwhile intruder had turned off the ability to view graphics in his browser, the PHP code would have still generated graphic, thereby alerting me to his rather weak attempt to conceal his identity.
The only thing one might gain from this “hack” is the ability to get around a blocked IP address. Sadly, the sneak doesn’t need to do this, as I block very few IP addresses at all. For one thing, an IP block is of limited value for blocking spammers, since they change IPs regularly to avoid such blocks. For another, to deal with spam and other unwanted visitors, I have other tools that work much better. So, really, all this particular tricksy, little Hobbit did was, well, waste their own time and give me a handy topic to write a quick piece about very basic web security.
So, um, thanks. Now, c’mon in from the cold and just browse the site to your heart’s content, okay? Oh, and don’t forget to vote on the poll in the sidebar there everybody!
Advice from your Uncle Jim:
"Any jackass can kick a barn down, but it takes a carpenter to build it."
--Sam Rayburn