Bot targeting BlogEngine.Net with unchanged user credential admin/admin

Topics: ASP.NET 2.0
Jan 24, 2015 at 7:40 PM
Edited Jan 24, 2015 at 7:51 PM
I have noticed a bot targeting blogengine.net based blogs. The bot targets blogs with the default admin/admin credentials left unchanged. Sometimes bloggers leave it unchanged on install and go on to create new users. This is also a vulnerability.

The bot creates a virtual path ~/abortionpills in the blogs area of the administration.

The contents of the folder mix with the Google search results of your blog...

--Himanshu
Jan 26, 2015 at 1:36 AM
Hi Himanshu,

Thanks for the heads up.

This can also be done if a BE site is set up to allow Users to create their own blog too.


I think a way to slow that down is to block the search engines from the Login page.

Doing a Google search for "Don't have account yet? Create now!"

Results in the Following:

https://www.google.com/search?num=30&site=&source=hp&q=%22Don%27t+have+account+yet%3F+Create+now!%22&oq=%22Don%27t+have+account+yet%3F+Create+now!%22&gs_l=hp.12...2159.3175.0.5200.4.4.0.0.0.0.172.397.3j1.4.0.msedr...0...1c.1.61.hp..4.0.0.0.NIFXM28Su40


From real world experience with our Demo Site:

http://demo.bloggersonline.com

Seeing a lot of spammers creating blogs, using Google to find BE sites that allow the creation of user accounts that create blogs for their users :)



For a quick fix, edit the page

YourSite.com/Account/login.aspx

and change the wording for the link

"Don't have account yet? Create now!"

to something that is unique to your website.


But the long-term solution would be to block that page from being indexed by the search engines in the first place.

It appears Google still indexes them even when the Robots.txt tells it not to.

So you have to force a 301 redirect for the search engines on the account page.


Also, for spam control, I think we need email confirmation both for user accounts and for user accounts that are allowed to create a blog for the user when they create an account.
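The forced 301 redirect described in this post, as an added example that is neither the thread's nor BlogEngine.NET's own code: a hypothetical ASP.NET HttpModule (class and token names assumed) that sends known crawler user agents away from the ~/Account/ pages and marks those pages noindex with the X-Robots-Tag header, which search engines honour even where a robots.txt Disallow alone leaves the URL in the index.

```csharp
using System;
using System.Web;

// Hypothetical HttpModule (added example, not BlogEngine.NET code). For pages
// under ~/Account/ it (a) sends crawler user agents a 301 to the site root and
// (b) adds X-Robots-Tag: noindex so the login page is not indexed at all.
public class CrawlerLoginRedirectModule : IHttpModule
{
    // Assumed crawler tokens; extend for the engines you see in your logs.
    private static readonly string[] CrawlerTokens =
        { "Googlebot", "bingbot", "Slurp", "DuckDuckBot", "Baiduspider", "YandexBot" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // Matches ~/Account/login.aspx and every other page under ~/Account/.
    public static bool IsAccountPage(string appRelativePath)
    {
        return appRelativePath != null &&
               appRelativePath.StartsWith("~/Account/", StringComparison.OrdinalIgnoreCase);
    }

    public static bool IsCrawler(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        foreach (string token in CrawlerTokens)
            if (userAgent.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        return false;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        HttpResponse response = app.Context.Response;
        if (!IsAccountPage(request.AppRelativeCurrentExecutionFilePath)) return;

        // Sent on every response for these pages, crawler or not.
        response.AppendHeader("X-Robots-Tag", "noindex, nofollow");
        if (IsCrawler(request.UserAgent))
        {
            // ASP.NET 2.0 has no RedirectPermanent, so set the 301 by hand.
            response.StatusCode = 301;
            response.RedirectLocation = VirtualPathUtility.ToAbsolute("~/");
            app.CompleteRequest();
        }
    }
}
```

Register the module in web.config under `<system.web><httpModules>` (classic mode) or `<system.webServer><modules>` (IIS 7 integrated mode); the user-agent check is a courtesy filter for well-behaved crawlers, so the noindex header is what actually keeps the page out of results.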
Jan 26, 2015 at 5:59 PM
Exactly! Spammers are using some typical footprints to search for BlogEngine.Net blogs. The footprint should either be removed or those strings should be changed to text that blends in with other blogging platforms' text in Google results.
Jan 26, 2015 at 10:15 PM
Hi Jha,

They use what you call "Google Hacks" or "Google Dorks"

http://www.exploit-db.com/google-dorks/


The issues with BlogEngine.net and other Platforms can be fixed :)

For BlogEngine.net I am working on some patches that once done and tested going to submit a pull request that should fix these issues when I get the time.

Hopefully in about 3-5 days.

What I am thinking about and currently experimenting with is providing search engines with a different "View" than a regular user.

Similar to what you do for "mobile" users, where you have a different theme for "mobile" users, so why not the same for search engines and crawlers?


I am testing this new concept out at:

http://boilerplate.bloggersonline.com/


In that case, though, it is using MVC.

Search Engines get one view

Users get another.

The only difference between the two is that the Search Engine View only has text; it does not have JavaScript, images, or all of the links of the website.

In the case of BlogEngine.Net, the Search Engine view can also take out all of the "footprints" or telltale signs that the website is using BlogEngine.net.

This way none of that information is indexed by the search engines.

The only thing that is indexed is the actual content of each allowable page, and that is it.


SEO-wise, and to save on bandwidth, all meta tags are also taken out of the User view.

Meta tags are only on the Search Engine View.

Currently just experimenting to see if this has any negative effects on Google indexing and page ranking.

BE 3.0 has some of these features I included before and so far seems to be working ok :)


So the next round of fixing should hopefully solve all of the following:
  1. Search Engine Indexing Security Issues
  2. Force Search Engines to obey Robots.txt rules
  3. Have good SEO, and Page Ranking
If you or anyone else sees something I am missing, please let me know.


If you would like to experiment with the test version of this, please let me know; I will give you a link to download it once it is available.


Have a great day!

Brian Davis

http://BloggersOnline.Com