incrediBILL
msg:4529473 | 1:17 am on Dec 19, 2012 (gmt 0) |
What was the user agent?
I recently encountered the following and it appears to be legit.
203.208.60.198 (China) - crawl-203-208-60-198.googlebot.com
inetnum: 203.208.32.0 - 203.208.63.255
netname: GOOGLECN
|
keyplyr
msg:4529514 | 5:08 am on Dec 19, 2012 (gmt 0) |
What leads you to think it may be G? More likely an individual using the open network IMO.
|
dstiles
msg:4529740 | 9:18 pm on Dec 19, 2012 (gmt 0) |
Bill - sorry, forgot:
Two on the 14th...
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 MRA 5.6 (build 03278) Firefox/3.6.3 sputnik 2.1.0.18 WebMoney Advisor
Opera/9.80 (Windows NT 5.1; U; Edition Campaign 09; ru) Presto/2.10.229 Version/11.64
On the 18th (the one in the OP with half-dozen hits)...
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.1634 Safari/535.19 YE
All through the same (compromised?) IP.
The 203 IP shows in DNS as belonging to googlecn - which could be anyone but probably isn't. The IP resolves to the same format as googlebot. But since it's China it's blocked anyway.
Keyplr - yes, that's why I was questioning its validity. But: to use a remote and possibly compromised IP as a proxy requires the forwarded-for IP (the 8's) to actually do the forwarding - ie to select and pass data to the ultimate IP. How could joe hacker arrange to access web sites via a google proxy and a probably compromised broadband IP? And do it consistently - the hits on 14th and 18th all used the same IP, which has open ports suggesting a compromised or deliberately open machine.
And...
I (belatedly) tried the 8s in robtex (enter only three 8s and terminate with a period to get the cnet). There are a LOT of domains in the list that look remarkably like web sites, so probably one of those is compromised or deliberately scraping/posting. For a small (/24) non-google-owned google-used IP range this is a very odd setup!
|
keyplyr
msg:4529822 | 7:07 am on Dec 20, 2012 (gmt 0) |
I guess I just don't see what G has to gain by this, nor why they'd spend the effort when they can just access your files normally. OTOH a user up to no good would have an advantage hiding in this manner, however it still seems like a lot of work when they could just use an anonymous proxy with a spoofed UA.
|
thetrasher
msg:4529859 | 11:15 am on Dec 20, 2012 (gmt 0) |
| The hits were actually from a proxy at 8.8.8.n (guess the fourth number!) using the Chinese IP as a (presumably) open proxy. |
|
| forwarded-for IP (the 8's) |
|
Did you see
X-Forwarded-For: 8.8.8.8
? [webmasterworld.com...] | You've been fooled by a distorting proxy. Don't trust X-Forwarded-For. |
|
|
dstiles
msg:4530024 | 8:13 pm on Dec 20, 2012 (gmt 0) |
Different situation. I'm more inclined to think the forwarder has a VPS registered there.
|
|
