If you are like most people, you use Google to search the internet for news, recipes, and pictures of cats. You type in your query, search, and most likely select the first link that Google returns. If you are a savvy user, you know how to use a colon to search specific sites or quotes to find specific words in your search. If you are a hacker, you most likely know how to Google Dork.
Google Dorking, or “Google Hacking,” got its start back in the early 2000s when a hacker realized Google could be used to uncover sensitive data with well-crafted queries. Fast forward to today, and the Google Hacking Database is brimming with over five thousand queries that can be used to find vulnerable information.
Normally, when a website is exposed to the internet, a file called robots.txt is added to the root of the website with a set of rules that disallows Google or other search engines from crawling and indexing certain pages. If this file is not present or properly configured, a lot of sensitive information can be exposed. This means the data becomes public knowledge and is free for anyone to view legally. It is also there for others to illegally exploit.
Recently, we began to see an uptick on a file called installer-log.txt show up in one of our queues for websites containing specific types of infections. The file itself is not malicious or an indicator of compromise; rather, it is a byproduct of the Duplicator plugin providing information regarding a recent duplication. According to the plugin’s entry on WordPress.org, “The Duplicator plugin gives WordPress Administrators and Developers the ability to migrate/clone a site from one location to another location.” The plugin is typically accessible from either the /installer.php or installer-backup.php files once a backup is complete. The file can then be downloaded and used anywhere to install the backup. Commonly, this file is left on the server after the duplication process is finished. An attacker can discover this if they are automating a search for hidden files and directories, using a specific dictionary of commonly used words, for web applications. Or, they could just Google it.
Enter the Dork: inurl:installer-log.txt intext:DUPLICATOR INSTALL-LOG. For an attacker, this kind of information is significant. Worse, it is publicly available to anyone and relatively easy to find. The plugin, prior to version 1.2.42, was susceptible to a vulnerability called remote code execution, commonly shortened to RCE, and would allow an attacker to alter a wp-config.php or .htaccess file. From here, it is a hop, skip, and a jump for someone to take over an entire site or achieve other malicious actions.
Sure enough, the sites we saw with these files, also had the installer, and the tell-tale signs of infection: altered wp-config.php files. These files had completely removed the connection to the original database associated with the original WordPress site, and replaced it with a malicious database that was serving up malicious content such as additional malware, spam, or phishing related content. Further, each one of the sites we cleaned and created new signatures for also had an out of date Duplicator plugin installed.
This is a perfect example of why it is important to update outdated plugins, themes, and WordPress files to prevent security vulnerabilities in your website. An additional recommendation for website owners is to configure a robots.txt file properly, it is a must to prevent Dorks from accessing sensitive data through a Google search. It’s important to note, these infections could have been avoided had the plugin been kept up to date, and the files that indicated the installation of a file were not cached. Further, these files would never have been cached if the files had been removed in the first place.
Lastly, Dorking is a powerful tool for both malicious actors and security professionals. Take some time to familiarize yourself with Dorks that can be used to find sensitive information for your web application of choice can help shore up sensitive data.