Google Getting (even) smarter

From: Josh Zlatin-Amishav (josh@tkos.co.il)
Date: Sun Feb 27 2005 - 09:43:51 EST


Google has now broadened their filter range. A simple inurl:viewtopic
gets blocked too with the imfamous message:

===================================================

We're sorry...
... but we can't process your request right now. A
computer virus or spyware application is sending us
automated requests, and it appears that your computer
or network has been infected.

We'll restore your access as quickly as possible, so
try again soon. In the meantime, you might want to run
a virus checker or spyware remover to make sure that
your computer is free of viruses and other spurious
software.

We apologize for the inconvenience, and hope we'll see
you again on Google.

==================================================

Notice that there is no mention of php in the query. This is probably
in response to the recent PhpBB path disclosure vulnerability.

Note: In the old days one could circumvent the php filter by changing
case (i.e. pHp) but that no longer works. You can still circumvent the
google filter by using a smarter query like some intext or a different
inurl phrase.

-- 
   - Josh
GPG: 445F 7FB3 3D99 EE8C 99A4  4313 352D FFD4 02B2 C7F3
>I tried this and got the message on admin.php initially. Subsequent
>attempts return search results normally so it looks like Google will let
>it through after you try it enough times. It's likely they implemented this
>because of the press surrounding the most recent phpBB exploit. Several of
>the news items covering the worm mentioned its use of google to find
>more vulnerable sites. While this isn't a new concept (using a search engine
>to find vulnerable sites) it's likely Google wanted to avoid being
>perceived as an attack vector.
>Scott
>Hi,
>I noticed today that a simple search in Google using
>inurl causes Google to display this message when you
>try to access the second page:
>===================================================
>We're sorry...
>... but we can't process your request right now. A
>computer virus or spyware application is sending us
>automated requests, and it appears that your computer
>or network has been infected.
>We'll restore your access as quickly as possible, so
>try again soon. In the meantime, you might want to run
>a virus checker or spyware remover to make sure that
>your computer is free of viruses and other spurious
>software.
>We apologize for the inconvenience, and hope we'll see
>you again on Google.
>
>==================================================
>No, i do not have a virus or spyware, tested that
>already ;)
>
>This as been attempted from multiple Internet
>connections.
>
>Basicly, any name that as an entry in Google and ends
>with "php" will cause this.
>
>Ex: inurl:admin.php
>    inurl:test.php
>        inurl:whatever.php
>
>	I've tried it with cgi, html, asp, sh, pl and this
>	does not happen.
>
>	What will it be next ???
>
>	John 
>
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:17 EDT