Welcome to WebmasterWorld Guest from 54.224.41.46

Forum Moderators: Ocean10000 & incrediBILL & keyplyr

Message Too Old, No Replies

googlebot drink the brown acid?

Gobbledygook "GETs" from google

     
6:49 pm on Jul 20, 2012 (gmt 0)

New User

5+ Year Member

joined:Apr 25, 2012
posts: 40
votes: 0


I am getting some strange requests from Google. For example:

66.249.68.97 - - [20/Jul/2012:12:16:45 -0600] "GET /eqbdyrmhxsgc.html HTTP/1.1" 404 298 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I have gotten about 2 dozen of these this morning. Each has a different googleykook set of letters following the GET. What is going on?
7:35 pm on July 20, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3148
votes: 4


Yep! A known G intrusion attack. Got the same on my server today, worst I've seen so far.

We THINK that G thinks it should see how you site works when presented with garbage. If G got on with sorting out their own house instead of trying it on in ours they may begin to get a better reputation. Although I doubt it.

Since the attacks come from real bot IPs with real bot UAs etc there isn't much can be done about it other than block using 404 or, in my case, a 403 or 405 because an html extension is an illegal access attempt on the site.

I've been contemplating, this past couple of hours, removing G's access entirely from at least one of my sites. It's no business of theirs and their actions and instrusions are getting worse.
7:42 pm on July 20, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


Just a thought?

Why not generate something using the same method used to eliminate the "old random UA's", however based upon "random request"?
10:05 pm on July 20, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8992
votes: 409



I'd leave it alone
10:08 pm on July 20, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


Hey, I met one of those not long ago. I'd recently changed a batch of individual 404s or 410s to page-specific redirects. So it made sense for Google to want to confirm that I hadn't stepped into Soft 404 territory by redirecting everything.

I realize that this makes it sound like blaming the victim. But to me it did seem like a reasonable action. I might have felt differently if it threw out lots and lots of them. It only takes one to get the message.

The requested URL is unambiguous gobbledygook, not at all like the garbage they routinely come up with when following sloppy links.
8:24 pm on July 23, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3148
votes: 4


For the record: just accidentally discovered a new google IP range - 172.218.0.0/16 registered April this year. No known hits from it as yet. I've blocked it, mainly because I do not trust G and have all their other non-bot IPs blocked.
8:28 pm on July 23, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4866
votes: 14


How does WMT authentication work, is it still a file like /eqbdyrmhxsgc.htm?

Was just thinking that a site's competitors would look for lax .htaccess rules and try and get a HTTP 200 to get access to some analytics.
11:58 pm on July 23, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


For the record: just accidentally discovered a new google IP range - 172.218.0.0/16 registered April this year.

172 ? ! ? ! Aren't those supposed to be private registrations? Has the range been reclassified?

:: routine detour to raw logs ::

172.218.23.126 - - [26/Jun/2012:17:53:02 -0700] "GET /{administrative gif from a different site} HTTP/1.1" 200 318 "{the other site}" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"

172.218.201.152 - - [02/Jul/2012:20:12:54 -0700] "GET /{same file} HTTP/1.1" 200 310 "{same site}" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"

172.218? Are you sure? I'm getting Telus (whole /15 range), which is much more probable for this file and this site.




Edit:

I am getting some strange requests from Google. For example:

I got a bit behind on logs. In the course of about half an hour on the 20th-- around the same time as the OP, looks like-- I got eleven of these in a row. One I can understand: routine checking of suspected Soft 404s. Eleven and I think the thread title is right. Googlebot's been drinking something.
12:36 am on July 24, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


172.218? Are you sure? I'm getting Telus


I agree.

How'd ya get Google?
12:39 am on July 24, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


How does WMT authentication work


There's somebody hanging about here that has utilized those for a long while.
I seem to recall looking at it some years ago, and decided not to jump those hoops.

Google was no help on "WMT authentication".
1:25 am on July 24, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4866
votes: 14


Just to clarify, I meant google webmaster tools just in case there was any confusion there. I somehow came to the acronym WMT..... I remember first (and maybe last) time I used it, you simply had to upload an empty file to the root of your site, and in some cases, you would be able to peak at other peoples data.
7:16 am on July 24, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


Yup, it's a file with a nonsense name-- except that unlike the ones g### has been looking for recently, the authentication file's name is mixed alphanumerics. If you have file-upload access to someone else's site I guess you could easily claim to be the site's owner for gwt purposes. Don't know how else you'd do it.

Now, if googlebot were a human in a certain age bracket, it would turn out that it had simply forgotten the name of that authentication file and was wildly guessing in hopes of hitting the right one. But, even at the minimum range of ten lower-case letters, the odds of guessing right don't look good. (Calculator says it's a 15-digit number. I'll take its word for it.)
8:18 pm on July 24, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3148
votes: 4


Lucy - thanks for the correction.

It is, in fact, 172.217/16

Telus was the one I was actually registering in my system, G was the accidental finding when I checked to see how big telus was. I always try to check adjacent IP ranges when registering a naughty one.

Don't know about WMT authentication but to verify ownership of a domain (aka web URL) you have two options: one is a file in the root, the other is to paste the verification code into each page header - the one I preferred until I gave up playing G's games. Same methods for bing and (once upon a time) yahoo. The codes are much longer and more alpha-numeric than G's current attacks on web sites.
9:08 pm on July 24, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


the other is to paste the verification code into each page header

AFAIR you need it only on the root page of the site.

In any case I use only the googlennnnnnnnnnnnnnn.html file.
8:37 pm on July 25, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3148
votes: 4


You could be right about only 1st page - I'm just cautious. :)
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members