Can someone explain this to me?


# Visit type: Spider – Google AdSense
# IP: 66.249.71.107
# Hostname: crawl-66-249-71-107.googlebot.com
# Url Requested: /blog/category/computer-stuff/security
/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152
45204054207661726368617228323535292C404320766172636861722834
30303029204445434C415245205461626C655F437572736F722043555253
4F5220464F522073656C65637420612E6E616D652C622E
# User Agent: Mediapartners-Google

Why is the GoogleBot requesting a URL from my blog with what looks like an SQL Injection attack?

Comments

13 responses to “Can someone explain this to me?”

  1. Tiago

    Have you verified it is a true googlebot? Maybe it is a fake one…

  2. Pedro Dias

    Most likely the referrer and the user agent are fake/spoofed, precisely with the intent of evading already known/blocked bots.

    Keep a closer eye on the blog for the following days. Also a good trick is to set up a Google Alert for [site:domain.com spammykeywords].

  3. Ricardo Filipe Teixeira

    maggie:Desktop ricardo$ cat teste.txt | perl -pe 's/([a-fA-F0-9]{2})/chr(hex $1)/eg'
    /?;?CLARE% @S% CHAR(@);SET% @S=?ST(0xDECLAR
    E @T varchar(255),@C varchar(4
    000) DECLARE Table_Cursor CURS

    You have something like this….

  4. VDIAS

    Anyone can be GOOGLEBOT… going around disguised as googlebot usually even opens many doors… 😉

  5. Odrakir

    @Tiago: whois 66.249.71.107

    OrgName: Google Inc.
    OrgID: GOGL
    Address: 1600 Amphitheatre Parkway
    City: Mountain View
    StateProv: CA
    PostalCode: 94043
    Country: US
    NetRange: 66.249.64.0 – 66.249.95.255
    CIDR: 66.249.64.0/19
    NetName: GOOGLE
    NetHandle: NET-66-249-64-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.GOOGLE.COM
    NameServer: NS2.GOOGLE.COM
    NameServer: NS3.GOOGLE.COM
    NameServer: NS4.GOOGLE.COM
    Comment:
    RegDate: 2004-03-05
    Updated: 2007-04-10
    OrgTechHandle: ZG39-ARIN
    OrgTechName: Google Inc.
    OrgTechPhone: +1-650-318-0200
    OrgTechEmail: arin-contact@google.com

    @Pedro Dias: I’ve checked my server logs as well; the IP matches. If hackers are spoofing Google’s IPs, this is very serious. I got no keyword or referral from the hits.

    @Ricardo Filipe Teixeira: Nope, nothing of that.

    @Pedro Melo: That might be the case, but I should be able to find it searching Google as well, right?

    @VDIAS: Check above…
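Tiago’s question in comment 1 and the whois lookup in comment 5 answer different things. Whois only shows which organisation the address is registered to; the check Google itself documents for its crawlers is forward-confirmed reverse DNS: resolve the IP to a name, require that name to end in googlebot.com or google.com, then resolve the name back and require the original IP among the answers. The Python below is an added example, not code from the post or from Google. The DNS tables at the bottom are constructed so it runs offline: the PTR name for 66.249.71.107 is the hostname the post’s log shows, its forward record matching is an assumption, and the other addresses are documentation ranges standing in for impostors.

```python
import ipaddress
import socket

# Suffixes Google documents for the reverse-DNS names of its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def verify_google_crawler(ip, reverse=None, forward=None, suffixes=GOOGLE_SUFFIXES):
    """Forward-confirmed reverse DNS check for an address claiming to be Googlebot.

    Returns (True, hostname) when the PTR name carries a Google suffix and resolves
    back to `ip`, otherwise (False, reason). `reverse` and `forward` default to the
    system resolver and can be swapped for the fake tables below in offline tests.
    """
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return False, "no PTR record"
    if not host.endswith(suffixes):
        return False, f"PTR name {host} is not a Google crawler name"
    try:
        addrs = forward(host)
    except OSError:
        return False, f"{host} does not resolve"
    if ip not in addrs:
        # Whoever controls an address can point its PTR at any name; only the
        # forward lookup proves the name really belongs to this address.
        return False, f"{host} does not resolve back to {ip}"
    return True, host


def in_netblock(ip, cidr="66.249.64.0/19"):
    """Weaker test: is the address inside the netblock the whois output above shows
    for Google? Use it only as corroboration, never as the sole check."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Constructed DNS tables (not real lookups) so the check runs offline.
FAKE_PTR = {
    "66.249.71.107": "crawl-66-249-71-107.googlebot.com",  # hostname from the post's log
    "203.0.113.9": "crawl-66-249-71-107.googlebot.com",    # impostor copying Google's naming
    "198.51.100.4": "scanner.example.net",
}
FAKE_A = {
    "crawl-66-249-71-107.googlebot.com": ["66.249.71.107"],  # assumed forward record
    "scanner.example.net": ["198.51.100.4"],
}


def fake_reverse(addr):
    if addr not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[addr]


def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


if __name__ == "__main__":
    for addr in ("66.249.71.107", "203.0.113.9", "198.51.100.4", "192.0.2.1"):
        ok, detail = verify_google_crawler(addr, reverse=fake_reverse, forward=fake_forward)
        print(f"{addr:15} netblock={in_netblock(addr)!s:5} fcrdns={ok!s:5} {detail}")
```

With the default resolvers the function calls socket.gethostbyaddr and socket.gethostbyname_ex against live DNS. Two practical caveats: a PTR record on its own proves nothing, since the owner of an address can name it anything, which is why the forward step is required; and a completed HTTP request over TCP cannot carry a spoofed source address in any practical sense, so if the server log really records 66.249.71.107 the request did come from that address, and the netblock test from the whois output is only corroboration.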

  6. Luis Grangeia

    Interesting…

    I find it very unlikely that it was not the true Google AdSense spider bot. It is weird that it crawled that link though. Google for “google adsense spider”; maybe there is more published about its inner workings.

    Questions that might help finding the cause:

    – Do you have (or have been) a member of Google AdSense?
    – Have you bought any google adwords for your blog?

    The most likely cause is that someone somewhere on the Web created a link with that code that got crawled by Google. The motives are a mystery (evil?), but it might simply have been the result of bad dynamic code…

    btw, the hex string translates to a normal text string that seems to be incomplete (GET parameters can only carry a little data, I think 256 bytes):

    “DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.”
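Ricardo’s one-liner in comment 3 turns every pair of hex digits into a byte, so it also rewrites the plain-ASCII parts of the request (the “DE” of DECLARE becomes 0xDE, the “CA” of CAST becomes 0xCA, “%20” becomes “% ”), which is why its output looks half-garbled; Luis’s transcription in comment 6 is what you get by decoding only the 0x… literal inside CAST(). The Python below is an added example, not code from the post or its commenters: it URL-decodes a logged request path, picks out only that hex literal, decodes it, and reproduces the over-decoding for comparison. The logged path is the one in the post, cut off where the post’s log is cut off; the two benign paths are constructed.

```python
import re
from urllib.parse import unquote

# The request path from the post's log, percent-encoded exactly as logged. The hex
# literal stops where the log line stops, so the decoded SQL is incomplete too.
LOGGED_PATH = (
    "/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152"
    "45204054207661726368617228323535292C404320766172636861722834"
    "30303029204445434C415245205461626C655F437572736F722043555253"
    "4F5220464F522073656C65637420612E6E616D652C622E"
)

# Constructed ordinary requests; the detector must stay quiet on these.
BENIGN_PATHS = [
    "/blog/category/computer-stuff/security",
    "/?s=cast%20iron%20skillet",
]

# Shape of the 2008 mass-injection payload: a declared variable assigned from a
# CAST(0x...) literal so the real SQL travels as hex and dodges keyword filters.
MASS_SQLI = re.compile(
    r"DECLARE\s+@\w+.*?CAST\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE | re.DOTALL,
)


def decode_hex_literal(hex_digits):
    """Decode only the 0x... literal. An odd digit count means the log truncated
    the payload mid-byte; drop the dangling nibble instead of failing."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1")


def naive_decode_all_pairs(text):
    """What the perl one-liner in comment 3 does: every two hex digits anywhere in
    the input become one byte, including the digits of DECLARE, CAST and %20."""
    return re.sub(r"[0-9A-Fa-f]{2}", lambda m: chr(int(m.group(0), 16)), text)


def extract_payload(request_path):
    """Return the SQL hidden in the CAST(0x...) literal of a request path, or None.
    Match on the URL-decoded form so the percent-encoding level does not matter."""
    m = MASS_SQLI.search(unquote(request_path))
    if not m:
        return None
    return decode_hex_literal(m.group(1))


def scan(paths):
    """Run the detector over request paths and return (path, decoded_sql) hits."""
    hits = []
    for path in paths:
        sql = extract_payload(path)
        if sql is not None:
            hits.append((path, sql))
    return hits


if __name__ == "__main__":
    for path, sql in scan([LOGGED_PATH] + BENIGN_PATHS):
        print("hit:", path[:60], "...")
        print("  decoded:", sql)
    print("over-decoded prefix:", repr(naive_decode_all_pairs(LOGGED_PATH[:40])))
```

Running it on the post’s own log line yields “DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.”, the same text Luis transcribed, ending at “b.” only because the log line itself ends there. For a whole access log, feed scan() the request-path field of each line; matching after unquote() matters because the same payload shows up percent-encoded to different degrees.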

  7. Luis Grangeia

    Mystery solved. This is the effect of a massive automated SQL injection attack that took place around April–May 2008 and infected more than 1.5 million Web sites. Since the attacks were automated, it is possible that links were created to your site containing the attack payloads, which got indexed by Google.

    Check the following URLs for enlightenment:
    http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html

    http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

    http://www.networkworld.com/news/2008/051508-sql-injection-attack-third-wave.html

    You will be seeing more and more of these attacks in the future.
