Security experts at the Sucuri firm have recently detected a series of SQL Injection attacks conducted by abusing Google Bot activity. One of the logged requests looked like this:
66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The analysis of the origin IPs revealed that the source of the attack was the legitimate Google bot; the following is the lookup for one of them:
$ host 66.249.66.138
138.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com.

NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
OriginAS:
NetName: GOOGLE
Google Bot is well known for crawling the Internet and indexing the content of the websites it visits: every single link embedded in a website is inspected by the crawler, regardless of its form and target.
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.
The security experts at Sucuri have already advised Google about the possible abuse of its Bot activity. Site admins are advised that, before trusting any source, a further level of inspection is necessary.
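To show the kind of further inspection that advice calls for, here is an added example (not Sucuri's or Security Affairs' code) that triages constructed access-log lines in the same format as the excerpt above: for each request it checks whether a Googlebot user-agent claim is backed by forward-confirmed reverse DNS, as in the host lookup shown earlier, and, separately, whether the URL-decoded query carries the declare/exec payload pattern, so that even a verified crawler is not trusted blindly. The DNS tables are an offline stand-in assumption for socket.gethostbyaddr and socket.gethostbyname.

```python
import re
import urllib.parse

# Constructed sample log lines (combined log format, as in the article's excerpt).
# Line 1: verified Googlebot IP carrying the injected query; line 2: same bot, harmless
# request; line 3: a spoofed Googlebot user-agent from an unrelated (documentation) IP.
PAYLOAD = "%22)%20declare%20@q%20varchar(8000)%20select%20@q%20=%200x527%20exec(@q)%20--"
UA = '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'
SAMPLE_LOG = "\n".join([
    f'66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable={PAYLOAD} HTTP/1.1" 403 4439 "-" {UA}',
    f'66.249.66.138 - - [05/Nov/2013:00:29:01 -0500] "GET /kittens.html HTTP/1.1" 200 512 "-" {UA}',
    f'203.0.113.9 - - [05/Nov/2013:00:30:12 -0500] "GET /url.php?variable={PAYLOAD} HTTP/1.1" 200 88 "-" {UA}',
])

# Hypothetical offline stand-in for reverse and forward DNS (assumption: a real
# deployment would call socket.gethostbyaddr / socket.gethostbyname instead).
FAKE_PTR = {"66.249.66.138": "crawl-66-249-66-138.googlebot.com"}
FAKE_A = {"crawl-66-249-66-138.googlebot.com": "66.249.66.138"}

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
# Indicators drawn from the payload family in the quoted log entry.
SQLI_RE = re.compile(r"(declare\s+@\w+|exec\s*\(|0x[0-9a-f]{3,}|--\s*$)", re.I)

def is_verified_googlebot(ip, ptr=FAKE_PTR, fwd=FAKE_A):
    """Forward-confirmed reverse DNS: the PTR name must be under googlebot.com
    and must resolve back to the same IP; a spoofed user-agent fails this."""
    name = ptr.get(ip)
    if not name or not name.endswith(".googlebot.com"):
        return False
    return fwd.get(name) == ip

def triage(log_text):
    """One verdict dict per parseable line: is the Googlebot claim verified,
    and does the URL-decoded request path look like the injected query?"""
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, ua = m.groups()
        verdicts.append({
            "ip": ip,
            "claims_googlebot": "Googlebot" in ua,
            "verified_googlebot": is_verified_googlebot(ip),
            "sqli_suspect": bool(SQLI_RE.search(urllib.parse.unquote(path))),
        })
    return verdicts
```

The point of the two independent flags is that a request can be both a genuine Googlebot fetch and an injection attempt, which is exactly the case the article describes; the verification step only tells you who fetched the link, not who planted it.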
(Security Affairs – Google Bot, hacking)