Strange Requests from Googlebot


aristotle

9:37 pm on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Looking at the logs for one of my sites, I just saw a whole series of about 20 strange requests from Googlebot. Here is a sample of three of them:

/CMS/administrator/index.php

/joomia_old/administrator/index.php

/test/administrator/index.php

All of these 20 requests took place in a period of about 4 seconds, and the server returned 404's for all of them.

Everything on this site was hand-coded by me in static xhtml. There have never been any scripts, CMS, Joomla, or other things of that nature on this site.

Does anyone have any idea why Googlebot would make these strange requests?

g1smd

10:24 pm on May 4, 2010 (gmt 0)

Do the IP addresses the requests came from match real IP addresses actually assigned to Google?
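One way to answer that question, added here as an example (it is not code from anyone in this thread), is the reverse-then-forward DNS check Google publishes for verifying its crawler: the visitor IP's PTR name must sit under googlebot.com or google.com, and resolving that name forward must give back the same IP. The stub DNS tables, the addresses (66.249.66.1, 95.211.0.1, 203.0.113.9) and the hostnames in the demo are constructed so it runs offline; the real resolvers are only used when no stub is passed in.

```python
import socket
from typing import Callable, Optional, Set, Tuple

# Domains under which genuine Googlebot reverse-DNS names appear,
# per Google's published verification guidance.
GOOGLEBOT_SUFFIXES = (".googlebot.com", ".google.com")


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup: the canonical hostname for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(hostname: str) -> Set[str]:
    """A-record lookup: every IPv4 address the hostname resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def verify_googlebot(
    ip: str,
    reverse: Callable[[str], Optional[str]] = reverse_lookup,
    forward: Callable[[str], Set[str]] = forward_lookup,
) -> Tuple[bool, str]:
    """Two-step check. The PTR record alone proves nothing, because whoever
    owns the IP block controls it; the forward lookup of the PTR name is what
    ties the name back to Google's own DNS zone."""
    hostname = reverse(ip)
    if hostname is None:
        return False, "no PTR record"
    name = hostname.rstrip(".").lower()
    if not name.endswith(GOOGLEBOT_SUFFIXES):
        return False, f"PTR {hostname} is not under a Google domain"
    if ip not in forward(name):
        return False, f"forward lookup of {hostname} does not return {ip}"
    return True, hostname


# Constructed DNS data for the offline demonstration (not real lookups).
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # looks like a real crawler
    "95.211.0.1": "hosted-by.example.net",               # hosting-provider address
    "203.0.113.9": "crawl-66-249-66-1.googlebot.com",   # forged PTR naming Google's host
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "hosted-by.example.net": {"95.211.0.1"},
}


def demo_check(ip: str) -> Tuple[bool, str]:
    """Run the verification against the constructed tables instead of live DNS."""
    return verify_googlebot(ip, reverse=FAKE_PTR.get, forward=lambda h: FAKE_A.get(h, set()))


if __name__ == "__main__":
    for addr in ("66.249.66.1", "95.211.0.1", "203.0.113.9", "198.51.100.1"):
        print(addr, demo_check(addr))
```

The third constructed case is the one worth noting: a PTR record that names a googlebot.com host passes step one, and only the forward lookup exposes it.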

aristotle

11:02 pm on May 4, 2010 (gmt 0)

Do the IP addresses the requests came from match real IP addresses actually assigned to Google?


Good question, but I'm not sure of the answer, because using Google Search the most recent list of Google IPs I've been able to find is from 2008.

Here is what the latest visitor log entry for one of the requests looks like:

Host: 95.211.***.**
/cms_old/administrator/index.php
Http Code: 404 Date: May 04 14:07:34 Http Version: HTTP/1.1 Size in Bytes: 661
Referer: -
Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)


The reverse IP Lookup gives a location of Amsterdam, Netherlands with a domain name 62.IN-ADDR.ARPA

So maybe it's a fake Googlebot. When I get more time, I'll investigate it further.

[edited by: tedster at 12:03 am (utc) on May 5, 2010]
[edit reason] obscure the IP address [/edit]

g1smd

11:07 pm on May 4, 2010 (gmt 0)

From memory, nothing in 95.nnn.nnn.nnn is assigned to Google.

lammert

11:22 pm on May 4, 2010 (gmt 0)

These are hack attempts to find Joomla installations with a vulnerable administrator module. They are just using the Googlebot user agent to make you think they are legitimate.

The IP address resolves to a Dutch hosting provider.

brotherhood of LAN

11:22 pm on May 4, 2010 (gmt 0)

Same requests for me, though a couple more and all in that same class C.

A quick IP Whois shows it does not resolve to Google.

[edited by: tedster at 11:34 pm (utc) on May 4, 2010]

aristotle

11:44 pm on May 4, 2010 (gmt 0)

Thanks everyone for the information. I've seen similar types of requests in my logs before, but these are the first ones I've noticed from "Googlebot". Anyway, I'm hoping that my sites are relatively safe from hacks because they are all hand-coded static html.

Pfui

6:27 pm on May 5, 2010 (gmt 0)

@aristotle:

FYI, "hand-coded static html" files are not immune from attacks of many kinds. The ones I see most often (in new clients' sites) are iframe hacks hard-coded into index/home/welcome files courtesy of server breaches. The original static html file is literally recoded to include anything from a pop-up (e.g., for a gambling or porn site) to malicious browser exploits.

Because the actual file dates may not reflect any changes, ditto your looking at the pages in a browser (some hacks trigger on search engine referers, for example), eyeball the raw code in your FTP directories every now and then. If/when you find you've been hacked -- notify your admins, clean your code, and get outta there. Research and move to an on-the-ball ISP ASAP.

@all:

Apparently the same Leaseweb-based fake-Googlebot botnet is traveling far and wide, and frequently. If you've not yet been visited by this specific plague, here's what a full attack looks like, distributed across Leaseweb IPs (all within 95.211.132.7*) and Host (.leaseweb.com) -- all of which I've found block-worthy for ages. (Aside: I also don't use PHP so all requests for .php automatically fail anyway.)

In ~15 seconds:

95.211.***.**
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
04:02:49
/v2/administrator/index.php
04:02:50
/en/administrator/index.php
04:02:53
/site_old/administrator/index.php
04:02:54
/Site_old/administrator/index.php

95.211.***.**
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
04:02:47
/content/administrator/index.php
04:02:48
/main/administrator/index.php
04:02:51
/joom/administrator/index.php
04:02:51
/joomla1.5/administrator/index.php
04:02:53
/Site/administrator/index.php
04:02:54
/cms_old/administrator/index.php
04:02:55
/joomla_old/administrator/index.php

hosted-by.*.com
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
04:02:46
/cms/administrator/index.php
04:02:50
/j/administrator/index.php
04:02:53
/joomla1/administrator/index.php

95.211.***.**
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
04:02:45
/joomla/administrator/index.php
04:02:48
/portal/administrator/index.php
04:02:48
/web/administrator/index.php
04:02:55
/CMS/administrator/index.php

95.211.***.**
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
04:02:41
/administrator/index.php
04:02:46
/site/administrator/index.php
04:02:47
/home/administrator/index.php
04:02:49
/v1/administrator/index.php
04:02:51
/Joomla/administrator/index.php
04:02:52
/joomla15/administrator/index.php
04:02:52
/joomla2/administrator/index.php
04:02:55
/test/administrator/index.php
04:02:56
/backup/administrator/index.php
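A log check that picks out exactly this burst pattern, added as an example and not posted by anyone in the thread: it parses Apache combined-format lines, keeps only 404s for paths ending in /administrator/index.php from a client presenting a Googlebot User-Agent, and flags any IP that hit three or more distinct such paths inside a 15-second window. The log format, the sample lines and the IPs (95.211.0.1, 66.249.66.1, 198.51.100.5) are constructed for the demonstration; the thresholds are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The probe paths in the thread all share this tail; the directory prefix varies.
PROBE_RE = re.compile(r"/administrator/index\.php$")


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_probe_bursts(lines: Iterable[str], min_hits: int = 3,
                      window_seconds: int = 15) -> Dict[str, List[str]]:
    """Map each flagged IP to every probe path it requested. An IP is flagged
    when min_hits or more distinct /administrator/index.php paths were 404'd
    for it within window_seconds while it claimed to be Googlebot."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and PROBE_RE.search(rec["path"]) and rec["status"] == 404
                and "Googlebot" in rec["agent"]):
            by_ip[rec["ip"]].append(rec)

    flagged: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= min_hits:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample log: one fast burst, one real-looking crawl of a normal
# page, and one slow drip of probes that should stay under the threshold.
SAMPLE_LOG = "\n".join([
    f'95.211.0.1 - - [04/May/2010:14:07:31 +0000] "GET /administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'95.211.0.1 - - [04/May/2010:14:07:32 +0000] "GET /joomla/administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'95.211.0.1 - - [04/May/2010:14:07:34 +0000] "GET /cms_old/administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'95.211.0.1 - - [04/May/2010:14:07:35 +0000] "GET /test/administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'66.249.66.1 - - [04/May/2010:14:09:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "{UA}"',
    f'198.51.100.5 - - [04/May/2010:13:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'198.51.100.5 - - [04/May/2010:13:20:00 +0000] "GET /old/administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
    f'198.51.100.5 - - [04/May/2010:13:40:00 +0000] "GET /cms/administrator/index.php HTTP/1.1" 404 661 "-" "{UA}"',
])


def demo() -> Dict[str, List[str]]:
    """Run the detector over the constructed sample."""
    return find_probe_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, paths in demo().items():
        print(ip, len(paths), "probe paths:", ", ".join(paths))
```

Matching on the shared path tail rather than on a fixed list of directory names means the check still fires when the scanner rotates its prefixes; the time window keeps a single stray 404 from being treated as a scan. Pair the flagged IPs with a reverse/forward DNS check before acting on the Googlebot claim.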

caribguy

8:23 pm on May 5, 2010 (gmt 0)

Sounds a bit like the Roundcube scan that makes the rounds through OVH and related networks from time to time.

Among other things, anything originating from either LeaseWeb or OVH gets dropped at my firewall.