Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    Does Google attack your servers, too?

    5th December 2009

    Evil?

    For about 2 weeks now, I am every day alerted of the suspicious behavior of some computer/server from the Google’s IP range:

    Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:33 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
    Dec 5 05:39:42 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)

    These requests repeat up to several hundred times per hour, with periods of no or very little malicious requests.

    Here’s WHOIS information about 66.249.71.20:

    OrgName: Google Inc.
    OrgID: GOGL

    NetRange: 66.249.64.0 – 66.249.95.255
    CIDR: 66.249.64.0/19
    NetName: GOOGLE
    NetHandle: NET-66-249-64-0-1
    Parent: NET-66-0-0-0-0

    Does Google attack you, too?

    These attacks initially started from a different Google IP – 66.249.71.2; I wrote to abuse at google, and got an automated response with the ticket number (in the hundreds of millions range). A week after that, requests started flowing from IP 66.249.71.20. I am not inferring “evil Google abuse department” here, just that there was no response, and the problem shifted to a different IP from the Google’s IP range.

    Update: I decided just to ignore this class of problems.

    “Evil?” image by copyblogger.com.

    Share

    Leave a Reply

    XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>