> Possible for someone to hack into my stat page using Google?

Untested

Group: Members
Joined: 17-April 05
Posts: 5
post Apr 17 2005, 05:08 PM
Hello All,

Just came across an article on the web about Google hacking and how you can find documents and files on the web not meant to be seen, using Google. I would like to try this out on myself, seeing if I could access my stats page using this method.

Anybody know how I might try using Google or another tool to access a website's stats page?

Moderator

Group: Moderators
Joined: 29-August 02
Posts: 5,751
From: Bristol, UK
post Apr 17 2005, 05:15 PM
Hi, welcome to the forum. Some of that kind of thing can be done; it depends how the pages are set up.

Try a search on Google for "generated by webalizer" (keep the quotes) for example. Have a look at some of the results, how open some sites stats are.

Easy to block by having the area password protected....

Moderator Alumni

Group: Hall Of Fame
Joined: 31-August 02
Posts: 15,634
post Apr 17 2005, 09:33 PM
Hi pacseal,

Welcome to the forums.

If your stats page isn't password protected, and if the page isn't excluded from being indexed by something like a robots.txt file, then it is possible that your page may be indexed by search engines.

To check to see if yours is indexed, grab a string of text from your stats page that may be unique to that page. Maybe up to a dozen words that appear in a row. Put quotation marks around them, and search for that phrase.

If it appears in that search, then you know that it could be found by someone who might be looking.

Star Member

Group: 1000 Post Club
Joined: 10-March 05
Posts: 1,065
From: Montreal Canada
post Apr 17 2005, 10:25 PM
I have to ask this.

So someone sees your stats. How is that a risk or even a problem?

Plus if your stats page is not on a link somewhere on your site then a spider will not find it.

Moderator

Group: Moderators
Joined: 6-March 03
Posts: 7,962
From: Langley, British Columbia, Canada
post Apr 18 2005, 03:16 AM
I agree, bobbb. Apart from the possible privacy sensitivity (others knowing what they shouldn't know), there's no great risk done. However it does point out what can happen.

Occasionally search engine spiders go on 'fishing trips'. Don't ask me why. You can sometimes spot this if you look at your traffic logs and spot errors. For example a few weeks ago, the Microsoft spider created a whole series of 404 errors (file not found) by looking for newsletters on my website numbered 1 to 34 with the file extension shtml. All the early newsletters I wrote had the extension htm, whereas more recent ones had the shtml extension.

It doesn't matter unless you put up an important file with a common name that you're working on but which you do not want others to find. You may find this is indexed even though there's no link to it.

Star Member

Group: 1000 Post Club
Joined: 15-August 04
Posts: 1,071
post Apr 18 2005, 04:14 AM
QUOTE(Bob)
So someone sees your stats. How is that a risk or even a problem?

It can help competitors get a better idea of how your website is doing. Some websites go to great trouble to find keywords that can get visitors to their site. A stat can reveal those and a competitor would love to get his hands on such information. To put it simply - knowledge is power.

QUOTE(Bob)
Plus if your stats page is not on a link somewhere on your site then a spider will not find it.

Here are some of the other ways the hungry Google Bot is said to scour the net for web pages:

- Your Google Toolbar, if some of the features (like the PageRank bar) are enabled.
- If you advertise through Google AdWords, Google Bot is said to visit the site/page being pointed to in the ad.
- If a site uses Google AdSense.
- If you have directory listing enabled, Google can find every file in a directory. (Example - http://benleonard.net/downloads/grandaddy/ )

[Added Google AdSense to the list]

Untested

Group: Members
Joined: 17-April 05
Posts: 5
post Apr 18 2005, 07:22 AM
Yes, competition is what I was worried about; they could see where I am getting most of my hits from and set up shop on these pages. I searched for terms on my page and didn't come up with anything, so I guess it would be impossible... for someone else to find it? It is password protected, but I am sure there are ways around that, right?

Untested

Group: Members
Joined: 17-April 05
Posts: 5
post Apr 18 2005, 07:34 AM
Anybody use freeservers.com? What is the stats program they use, anybody know?

Star Member

Group: 1000 Post Club
Joined: 15-August 04
Posts: 1,071
post Apr 18 2005, 08:10 AM
QUOTE
It is password protected, but I am sure there are ways around that, right?

Not unless your visitor is a hacker trying to delete all traces of his visit to your site. More realistically, if it is password protected, you can relax. No solution on the net is 100% secure anyway.

Technical Administrator

Group: Technical Administrators
Joined: 3-February 03
Posts: 3,926
From: Sydney Australia
post Apr 18 2005, 07:39 PM
QUOTE
I have to ask this. 
So someone sees your stats. How is that a risk or even a problem?

Referer log spamming is partly an issue.

Most stats programmes create links to the top XYZ referers. So if someone spams a site with a stats package with requests like:
CODE
GET /headers HTTP/1.1
Host: www.xhaus.com
Connection: close
Accept: */*
Referer: http://www.dudelove.com/stuff/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Then a link back to me will be created on your stats package page.

If Google indexes your stats package page, then the spammer gets a backlink. If I do this for a bunch of pages on my site, then I get backlinks galore.

Problem is, you have 100,000 extra, wasted requests, wasted server and bandwidth, as well as useless stats that now make zero sense. So password protecting a stats package is HIGHLY recommended.

As an example of how this works "properly", click through to http://www.xhaus.com/headers and you will see what your browser sends to every server.
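One way a site owner could spot the referer spam described in the post above in their own access log, as an added example that is not part of the original thread. It assumes Apache "combined" log format; the function name, the thresholds and the sample log lines (documentation IP ranges and `.example` hosts) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/NCSA "combined" line: ip, ident, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def suspicious_referers(lines, own_hosts, min_hits=5, max_clients=2):
    """Return {referer_host: (hits, distinct_clients)} for external referers
    that account for many requests coming from very few client addresses.
    The thresholds are assumptions; tune them to the site's normal traffic."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # no referer ("-") or an internal link
        hits[host] += 1
        clients[host].add(m["ip"])
    return {h: (n, len(clients[h])) for h, n in hits.items()
            if n >= min_hits and len(clients[h]) <= max_clients}

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

def _line(ip, path, referer):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [18/Apr/2005:19:39:00 +1000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "{UA}"')

# Constructed sample: one client repeating the same external referer,
# a genuinely popular referer seen from six clients, an internal link, no referer.
SAMPLE = (
    [_line("203.0.113.9", "/headers", "http://spam.example/stuff/") for _ in range(8)]
    + [_line(f"198.51.100.{i}", "/", "http://news.example/article") for i in range(6)]
    + [_line("192.0.2.7", "/about.html", "http://www.example.org/"),
       _line("192.0.2.8", "/", "-")]
)

if __name__ == "__main__":
    for host, (n, c) in suspicious_referers(SAMPLE, {"www.example.org"}).items():
        print(f"{host}: {n} requests from {c} client(s)")
```

Hosts flagged this way can be filtered out of the stats input, and the stats pages themselves kept behind a password so that any referer links they list are never indexed.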

Moderator Alumni

Group: Hall Of Fame
Joined: 31-August 02
Posts: 15,634
post Apr 18 2005, 08:08 PM
Hi pacseal,

They don't mention which software is used for the stats provided at freeservers, but there are different levels of reporting based upon which service you choose. After digging around a little over there (this page was hidden pretty well) I found the following comparison chart:


http://www.freeservers.com/cgi-bin/show_me...e=stats_compare

Star Member

Group: 1000 Post Club
Joined: 10-March 05
Posts: 1,065
From: Montreal Canada
post Apr 18 2005, 11:28 PM
Ok I see how that could be useful to know a competitor's search terms.

I just did a query for certain terms that are in my log file and see the log files for many servers. Most were generic and out of date and did not create a list of top users but that was 10 minutes work. Bet if I sat there all day (with a program) I could find some that would be worth spamming.

Solid Contributor

Group: Members
Joined: 2-September 03
Posts: 67
post Apr 20 2005, 07:38 PM
In my simple opinion, you're better off spending time on your own website than to spend time on other websites' stats...

Finding keywords based on your competition stats is also a waste of time if you ask me. You're always better off doing it yourself.

It seems so insecure if you have to depend on your competition to build your own success.

Untested

Group: Members
Joined: 22-April 05
Posts: 1
post Apr 22 2005, 11:29 AM
QUOTE(bobbb)
Plus if your stats page is not on a link somewhere on your site then a spider will not find it.


I don't think this is exactly true. I've noticed that if you go to a page not linked to from anywhere and you have the Google Toolbar installed, it must add the page to the Google index to check at a later time. Then it might get checked and indexed. I'm not 100% sure, but definitely a possibility.

Quarter Grand Poster

Group: Members
Joined: 17-January 04
Posts: 440
From: Ottawa
post Apr 22 2005, 11:32 AM
QUOTE
I've noticed that if you go to a page not linked to from anywhere and you have the Google Toolbar installed, it must add the page to the google index..


Negative. Doesn't happen for me.
Guess it's subjective then.

Moderator Alumni

Group: Hall Of Fame
Joined: 9-January 04
Posts: 3,094
From: Canberra, Australia
post Apr 22 2005, 03:40 PM
QUOTE
Negative. Doesn't happen for me.
Guess it's subjective then.

They don't necessarily add all pages to the index, and if they do it could be quite a while before doing so. So we don't really know for sure, and there isn't really a way to find out either.