Forum Moderators: open

Hacker spoofing as GoogleBot

136.234.222.64

         

Bewenched

5:19 pm on May 19, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



136.234.222.64
perfectly mimicking google bot UAs but hits pages and a few times then tries SQL injection. UGH

not2easy

5:45 pm on May 19, 2026 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yuk! Looks like it is a Cyprus sub-host on NL-PROLINE

136.234.222.0 - 136.234.222.255
136.234.222.0/24

lucy24

8:55 pm on May 19, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My version goes
BrowserMatch Googlebot fake_google
SetEnvIf Remote_Addr ^(66\.249\.[67]\d|192\.17[89]) !fake_google
I'm not generally concerned with what it is, only with what it isn't. Though googlebot spoofers seem to be less common than they once were, I'm not removing the rule any time soon.

Bewenched

4:53 pm on May 23, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's another one 138.124.60.171
138.124.60.0/24

SumGuy

2:51 pm on May 24, 2026 (gmt 0)

5+ Year Member Top Contributors Of The Month



> Yuk! Looks like it is a Cyprus sub-host on NL-PROLINE

AS202656 Country of origin: Ukraine

142k IP's, a lot registered to IT Hostline, most of those run out of Seychelles.

I'd be surprised if I'm not already IP-blocking the entire AS and all of it's peers. For curiousity I'll check that. Same with AS210644 (AEZA GROUP - Russia).

blend27

11:36 pm on May 27, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Old Baby steps here, mostly soup, if I understood I would cry......


#SQL Injection Attempts
RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|\.\.\.).* [NC,OR]
#RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}|\~).* [NC,OR]
#RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
##RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ - [F]
#End SQL Injection Attempts


#script xss insert
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{HTTP_REFERER} (\<|%3C).*script.*(\>|%3E)
RewriteRule ^(.*)$ - [F]

blend27

11:45 pm on May 27, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



and some of none standard, more soup..
RewriteCond %{QUERY_STRING} (insert|union|select|declare|md5|benchmark|column|distinct|substr|concat|schema|hex|truncate|convert|exec|passthru|system|popen|proc|load|between|null|delay|char|sleep|schema|unhex)
RewriteRule ^(.*)$ - [F]

lucy24

3:23 pm on May 28, 2026 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Why are you using NC flags for terms that contain no alphabetic characters?
(\=|\@|\[|\]|\^|\`|\{|\}|\~)
Brackets [ ] and (sometimes) carets ^ are reserved characters. The others aren’t, and do not need to be escaped. For that matter, what have you got against grouping brackets?
[=\[\]^`{}~]

But I digress.
:: turning away in horror from non-final .* ::