.

Website Indexing

<<

curioustester

Newbie
Newbie

Posts: 1

Joined: Wed May 21, 2008 12:11 pm

Post Wed May 21, 2008 12:21 pm

Website Indexing

Hi,

I was going through IIS logs and and trying to figure out how hackers from the internet where able able find a directory/file that was hidden through obscurity.  I ran sensepost against the website and it indicates that the directories/site is not indexable.  So how did they find it.  The names were extremely uncommon. 

A friend with a great deal of experience tells me the indexing of website cannot be turned off and is part of the w3 standard. 

Any insight would be really appreciated.  I am really trying to figure out how this want found.  Thanks.
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed May 21, 2008 1:45 pm

Re: Website Indexing

What do your logs show thus far?

Are there a bunch of requests like they were scanning for uncommon files?

GET /weirdname.htm
GET /weirdname2.htm
etc.

Was it simply accessed directly without any pre-attacks? Could it have been an inside job? Are there links anywhere on any of your pages that lead to these sites?
<<

jimbob

Post Wed May 21, 2008 4:55 pm

Re: Website Indexing

curioustester wrote:A friend with a great deal of experience tells me the indexing of website cannot be turned off and is part of the w3 standard. 


Indexing can be turned off, there is no standard to my knowledge which dictates that directory indexing must be enabled. Security by obscurity provides little in the way of protection.

If someone has accessed these 'hidden' files perhaps they knew the correct URL in the first place. Does the attacker try to guess the URL or do they go straight there?

Jimbob
<<

geekyone

User avatar

Full Member
Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Wed May 21, 2008 6:43 pm

Re: Website Indexing

Do you have the directory/file hidden from indexing using the robots.txt file?  Maybe they tried all the directories listed there?
CISSP, CEH, GPEN, GCIH, GCFA

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software