220.127.116.11 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q% 20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Analysis of the origin IPs revealed that the source of the attack was the legitimate Google bot. The following is the lookup report for one of them:
$ host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com.
NetRange: 126.96.36.199 - 188.8.131.52
CIDR: 184.108.40.206/19
OriginAS:
NetName: GOOGLE
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.
The security experts at Sucuri have already advised Google about the possible abuse of its bot's activity. Site admins are advised that a further level of inspection is necessary before trusting any source.
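As an added example (not code from the original post or from Sucuri), the log scan below applies the same inspection to crawler traffic as to any other client, flagging T-SQL injection markers like those in the request above even when the User-Agent is Googlebot. The sample log lines, the documentation-range IP addresses and the marker patterns are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format. The target is matched lazily up to ' HTTP/x.y"' so a
# double quote inside the URL (as in the request above) does not break parsing.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed marker set: T-SQL constructs of the kind visible in the logged request.
SQLI_RE = re.compile(
    r"declare\s+@\w+|exec\s*\(\s*@\w+\s*\)|@\w+\s*=\s*0x[0-9a-f]+", re.I
)

def scan(lines):
    """Flag requests whose URL-decoded target contains injection markers.

    The User-Agent is recorded but never used to skip a request: traffic that
    claims to be (or really is) Googlebot gets the same inspection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        decoded = unquote_plus(m["target"])
        markers = sorted({h.group(0).lower() for h in SQLI_RE.finditer(decoded)})
        if markers:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "claims_googlebot": "googlebot" in m["ua"].lower(),
                "markers": markers,
            })
    return findings

# Constructed sample input (RFC 5737 documentation addresses).
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2013:00:28:39 -0500] "GET /kittens.html HTTP/1.1" 200 5120 "-" "' + BOT_UA + '"',
    '192.0.2.10 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%20varchar(8000)'
    '%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "' + BOT_UA + '"',
    '198.51.100.7 - - [05/Nov/2013:00:29:02 -0500] "GET /search?q=declare+independence HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```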
(Security Affairs – Google Bot, hacking)