dstiles - 9:18 pm on Dec 19, 2012 (gmt 0)
Bill - sorry, forgot:
Two on the 14th...
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:126.96.36.199) Gecko/20100401 MRA 5.6 (build 03278) Firefox/3.6.3 sputnik 188.8.131.52 WebMoney Advisor
Opera/9.80 (Windows NT 5.1; U; Edition Campaign 09; ru) Presto/2.10.229 Version/11.64
On the 18th (the one in the OP with half-dozen hits)...
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.1634 Safari/535.19 YE
All through the same (compromised?) IP.
The 203 IP shows in DNS as belonging to googlecn - which could be anyone but probably isn't. The IP resolves to the same format as googlebot. But since it's China it's blocked anyway.
Keyplr - yes, that's why I was questioning its validity. But: to use a remote and possibly compromised IP as a proxy requires the forwarded-for IP (the 8's) to actually do the forwarding - i.e. to select and pass data to the ultimate IP. How could joe hacker arrange to access web sites via a google proxy and a probably compromised broadband IP? And do it consistently - the hits on the 14th and 18th all used the same IP, which has open ports suggesting a compromised or deliberately open machine.
I (belatedly) tried the 8s in robtex (enter only three 8s and terminate with a period to get the cnet). There are a LOT of domains in the list that look remarkably like web sites, so probably one of those is compromised or deliberately scraping/posting. For a small (/24) non-google-owned google-used IP range this is a very odd setup!
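Added example, not part of the original post: a reverse-DNS name in "the same format as googlebot" proves nothing on its own, because whoever controls the IP's PTR zone can set any name. The sketch below does the forward-confirmed check. The hostname suffixes, the documentation-range IPs and the fake DNS tables are assumptions constructed for illustration.

```python
import socket

# Assumption: suffixes to accept for Google crawler hostnames.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def reverse_lookup(ip):
    """PTR lookup; returns hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(host):
    """A/AAAA lookup; returns the set of addresses for host."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler_ip(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS: the PTR must name a Google host
    AND that host must resolve back to the same IP."""
    host = reverse(ip)
    if not host:
        return "no-ptr"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return "ptr-not-google"
    if ip not in forward(host):
        return "ptr-spoofed"  # right-looking name, but forward DNS disagrees
    return "verified"

# Constructed sample data (documentation IP ranges, not real crawler addresses).
FAKE_PTR = {
    "203.0.113.7": "crawl-203-0-113-7.googlebot.com",
    "198.51.100.9": "crawl-198-51-100-9.googlebot.com.",  # attacker-set PTR
    "192.0.2.5": "host5.example.net",
}
FAKE_A = {"crawl-203-0-113-7.googlebot.com": {"203.0.113.7"}}

def demo():
    """Run the check offline against the constructed tables."""
    ips = ["203.0.113.7", "198.51.100.9", "192.0.2.5", "192.0.2.99"]
    return {ip: verify_crawler_ip(ip, FAKE_PTR.get,
                                  lambda h: FAKE_A.get(h, set()))
            for ip in ips}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Called without the fake resolvers, verify_crawler_ip uses live DNS. The address to test is the connecting IP from the server log, not whatever a forwarded-for header claims.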