184.108.40.206 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q% 20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The analysis of origin IPs revealed that the source if the attack was the legitimate Google bot, following the report on one of them:
$ host 220.127.116.11 18.104.22.168.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com. NetRange: 22.214.171.124 - 126.96.36.199 CIDR: 188.8.131.52/19 OriginAS: NetName: GOOGLE
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.
The security experts at Securi have already advised Google about the possible abuse of its Bot activity, site admin are advised, before to trust any source it is necessary a further level of inspection.
(Security Affairs – Google Bot, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.