2014
Jan
04





Google is a strong search engine. You can find a lot of knowledge and information in the search result of google web pages. But have you been hacked by google? Yes, I have.

Google spider is still hacking others system every day. I will explain what happen on my website.

A long time ago, I was a freelancer. One day, a customer gave me a case that they needed me to create a website for their customer. My customer had a content management system which includes member, news, guestbook and so on. They asked me to use their system to create a new website.

It was a simple website, so I just completed the development in about a week. Then I provided a test url of website for my customer. They could upload the information about products to my new content management system.

The web page was a little like the following table:

TitleImageContentEditDelete
First xxxxarticle content??EditDelete
Second xxxxarticle content??EditDelete
Third xxxxarticle content??EditDelete

My customer's customer uploaded many articles via this new content management system. But one day, a strange thing happened on this website. All of the articles had disappeared suddenly. The customer called me and asked me what happened to these articles today. At that moment, I had no idea and did not know how to explain this situation. Additionally, they thought my website was hacked by someone, maybe a hacker.

I started to check the access logs from apache service and found many logs about deleting articles action. I also noticed some special information, these access logs had the information of browser user agent, and that told me the attacker was "Google Bot". The following are the example of access logs on my website:

Access Logs
  1. 10.53.xx.x [01/Jan/2008] "GET /admin/delete.php?id=1 HTTP/1.1" 200 > 39 "Google Bot xxxx"
  2. 10.53.xx.x [01/Jan/2008] "GET /admin/delete.php?id=2 HTTP/1.1" 200 > 39 "Google Bot xxxx"
  3. 10.53.xx.x [01/Jan/2008] "GET /admin/delete.php?id=3 HTTP/1.1" 200 > 39 "Google Bot xxxx"

I tested the function of delete and found these articles really could be deleted by anyone even if he is not an admin of the system. A hacker could skip the login function and directly delete articles.

The problem is happened in login function of my customer's system. They never stopped the process from executing when the script tried to redirect the nonlogin member to login page.

The PHP script of deleting function is like the below codes.

delete.php content
  1. if (!login()) {
  2. header("location: index.php");
  3. }
  4.  
  5. deleteArticle($id);

This program has a big problem. When PHP execute header function. It will echo the response of HTTP request like the below example, and the program will run next line until the end of line or executing exit.。

HTTP Response
  1. HTTP/1.1 302
  2. location index.php

That is why Google Spider deleted every article. Because Google Spider scanned all of the articles on a website, and it click all deleting anchor. Unfortunately, Google Spider is still doing it right now. He is trying to delete every article on any website.



回應 (Leave a comment)