Fellow EH's I need some advice. I was doing some GoogleFoo and found a site that had public access to a directory that held some shell scripts. I noticed one of them was named in a way that led me to believe that it may have some 'login' info in it. Sure enough it had the SA credentials for their MYSQL database. What is a good way to notify the site admin? I know the easy way is just to email them, but I know that some admins get a little upset when you discover a flaw in their system. I guess I really want to know:
1) Legally I didn't do anything wrong; am I correct? I didn't download any data and found it with a "simple" google search...
2) How do I approach the Admin in a way to let him/her know that I am trying to help them?
3) Do any of you have any experience with something like this?

Thanks in advance for any advice. I crawl around these forums often and appreciate all of the information that everyone provides. It has really helped me get from, "Yeah, I think security would be a cool thing to get into," to "Wow! I've come a long way in a few months! This stuff is awesome!!!"

-inf3KT1d

I agree with Dengar and would advice you to just ignore it. GHDB has a lot of such vulnerable sites, would you go about notifying each one of them?

I'm of 2 minds of this.

If it was my network, I'd want someone to tell me so I can get it fixed. Usually by passing it back to the developers..

On the other hand, I'm sure the company would be interested in putting you under a microscope with lawyers at the eye piece since you were doing reconnaissance against the network.

Know what I mean?

I'd like to know if I had a massive hole in my external network before it becomes "managed" by someone esle ;-)

You may want to contact a trusted 3rd party like the SANS Internet Storm Center and ask them to inform the company. If they can't help they may be able to point you in the right direction on whom to report this to.

http://isc.sans.org/contact.html

Worth a shot and then at least you've tried.

The response you'd get would depend entirely on the admin.  Some people have a tendency to get defensive and will see you as a threat no matter what  your intentions.  If you're really convicted that something needs addressed, you could try to approach the admin anonymously, but even then you put yourself at risk.  Even if you send an anonymous email that can not be traced back to you, the admin is likely to start digging through some logs and may find if he's determined enough may still find something to track back to you.  Don't forget, you've already accessed the vulnerable area of their website.
Perhaps rather than an anonymous type saying, "I found login info at XYZ", maybe an anonymous tip, "Have you seen this GoogleFoo? It could turn up something interesting on your site."  Give him a chance to find it himself.

this is a hard situation. being a white hat that i am, i would prefer to notify the company. then again it also depends largely on your personal situation. How old are you? are you working in the IT security field? have any certificates that prove you know what you are doing? these things influence the outcome of the reply mail (from thanks and plz come consult for us to get lost and you will hear from our lawyers).

another possibility: if you are not in it for the credits report it anonymously. just send an email and let them decide what to do with it...

good luck and let us know what you decide (if possible).

Shame that you didn't get a chance to report it, but good to hear that it's fixed.

Thanks for sharing it with the group!