Can someone explain this to me?
# Visit type: Spider – Google AdSense
# IP: 66.249.71.107
# Hostname: crawl-66-249-71-107.googlebot.com
# Url Requested: /blog/category/computer-stuff/security
/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152
45204054207661726368617228323535292C404320766172636861722834
30303029204445434C415245205461626C655F437572736F722043555253
4F5220464F522073656C65637420612E6E616D652C622E
# User Agent: Mediapartners-Google
Why is the GoogleBot requesting a URL from my blog with what looks like an SQL Injection attack?
Have you verified it is a true googlebot? Maybe it is a fake one…
Most likely the referrer and the user-agent used are fake/spoofed. Exactly with the intent to avoid already known/blocked bots.
Keep a closer eye on the blog for the following days. Also a good trick is to set up a Google alert for [site:domain.com spammykeywords].
maggie:Desktop ricardo$ cat teste.txt | perl -pe 's/([a-fA-F0-9]{2})/chr(hex $1)/eg'
/?;?CLARE% @S% CHAR(@);SET% @S=?ST(0xDECLAR
E @T varchar(255),@C varchar(4
000) DECLARE Table_Cursor CURS
You have something like this….
Probably because someone placed that URL in a webpage that was indexed by Google.
Anyone can be the GOOGLEBOT… usually, going around disguised as googlebot even opens a lot of doors… 😉
@Tiago: whois 66.249.71.107
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 66.249.64.0 – 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate: 2004-03-05
Updated: 2007-04-10
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: arin-contact@google.com
@Pedro Dias: I’ve checked my server logs as well, and the IP matches. If hackers are spoofing Google’s IPs, this is very serious. I got no keyword or referral from the hits.
@Ricardo Filipe Teixeira: Nope, nothing of that.
@Pedro Melo: That might be the case, but I should be able to find it searching Google as well, right?
@VDIAS: Check above…
I have been having the same problem on my site, and it has generated an amount of traffic far above normal.
Sorry I didn’t explain myself clearly.
When I said to set up a Google alert for [site:domain.com spammykeywords], it’s in case your blog gets hacked and injected with hidden external links or keywords; those keywords/links are usually known spammy terms and will trigger the alert.
See http://www.blogstorm.co.uk/how-to-use-google-alerts-to-find-out-if-your-site-gets-hacked/
Hopefully you don’t have an outdated WP installation 🙂
@Odrakir: and??? Do you really think that it is impossible or difficult to spoof that?
@VDIAS: not impossible of course, but I don’t believe it’s the case.
Interesting…
I find it very unlikely that was not the true Google Adsense Spider bot. It is weird that it crawled that link though. Google for “google adsense Spider”, maybe there is more published about its inner workings.
Questions that might help find the cause:
– Are you (or have you been) a member of Google AdSense?
– Have you bought any google adwords for your blog?
The most likely cause is that someone somewhere on the Web created a link with that code that got crawled by Google. The motives are a mystery (evil?), but it might simply have been the result of bad dynamic code…
btw, the hex string translates to a normal text string that seems to be incomplete (GET parameters can only take a little data, I think 256 bytes):
“DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.”
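The decoding described in the comment above, as an added example that is not part of the original thread: it URL-decodes the logged request, decodes only the hex literal that follows `CAST(0x` (not every hex-looking pair in the line), and includes a simple log filter for this request shape. The function names are hypothetical, and the request string is the one quoted in the post, re-joined from its wrapped lines.

```python
import re
from urllib.parse import unquote

# Request URI from the log entry quoted in the post, re-joined from its
# wrapped lines. The log is truncated, so the decoded payload is too.
LOGGED_URI = (
    "/blog/category/computer-stuff/security/?;DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x4445434C4152"
    "45204054207661726368617228323535292C404320766172636861722834"
    "30303029204445434C415245205461626C655F437572736F722043555253"
    "4F5220464F522073656C65637420612E6E616D652C622E"
)

# A hex literal handed to CAST(), the encoding used in the logged request.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)


def decode_cast_payloads(request_uri):
    """Return the text hidden in every CAST(0x...) literal of a request URI."""
    uri = unquote(request_uri)           # %20 -> space, and so on
    decoded = []
    for match in CAST_HEX.finditer(uri):
        hex_digits = match.group(1)
        if len(hex_digits) % 2:          # truncated log: drop the half byte
            hex_digits = hex_digits[:-1]
        raw = bytes.fromhex(hex_digits)
        decoded.append(raw.decode("ascii", errors="replace"))
    return decoded


def looks_like_cast_injection(request_uri):
    """Log filter: a T-SQL variable DECLARE together with a hex CAST."""
    uri = unquote(request_uri)
    return bool(re.search(r"DECLARE\s+@\w+", uri, re.IGNORECASE)
                and CAST_HEX.search(uri))


if __name__ == "__main__":
    print(looks_like_cast_injection(LOGGED_URI))
    for text in decode_cast_payloads(LOGGED_URI):
        print(text)
```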
I had an AdSense account until yesterday… but no adwords.
Mystery solved. This is the effect of a massive automated SQL injection attack that took place around April-May 2008 and infected more than 1.5 million Web sites. Since the attacks were automated, it is possible that links containing the attack payloads were created to your site and got indexed by Google.
Check the following URLs for enlightenment:
http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html
http://www.networkworld.com/news/2008/051508-sql-injection-attack-third-wave.html
You will be seeing more and more of these attacks in the future.