Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

Does Google attack your servers, too?

5th December 2009

Evil?

For about 2 weeks now, I have been alerted every day to suspicious behavior from some computer/server in Google's IP range:

Dec 5 05:39:33 mx suhosin[3701]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:33 mx suhosin[3701]: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:33 mx suhosin[3701]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:33 mx suhosin[3701]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'mosConfig_absolute_path' (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:42 mx suhosin[3701]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:42 mx suhosin[3701]: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:42 mx suhosin[3701]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:42 mx suhosin[3701]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'mosConfig_absolute_path' (attacker '66.249.71.20', file 'html/index.php')

These requests repeat up to several hundred times per hour, with periods of no or very few malicious requests.

Here’s WHOIS information about 66.249.71.20:

OrgName: Google Inc.
OrgID: GOGL

NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0
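
The triage described above, as an added example that is not part of the original post: it groups suhosin ALERT lines by source address and checks each address against the CIDR from the WHOIS output. The function name `summarize`, the field names and the sample log (including the 192.0.2.15 documentation address) are assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Range taken from the WHOIS output quoted in the post.
GOOGLE_NET = ipaddress.ip_network("66.249.64.0/19")

# Accept ASCII quotes/hyphens and the typographic ones a blog engine substitutes.
Q = "['\u2018\u2019\u2032]"
LINE_RE = re.compile(
    r"suhosin\[\d+\]:\s+ALERT\s+[-\u2013]\s+(?P<msg>.*?)\s+\(attacker\s+" + Q
    + r"(?P<ip>[0-9a-fA-F.:]+)" + Q + r",\s+file\s+" + Q + r"(?P<file>.*?)" + Q + r"\)\s*$"
)
VAR_RE = re.compile(r"\bvariable\s+" + Q + r"(?P<var>.+?)" + Q + r"(?=\s|$)")

# Constructed sample: three lines in the post's format (one with typographic
# quotes), one line from a documentation address, one unrelated syslog line.
SAMPLE_LOG = """\
Dec 5 05:39:33 mx suhosin[3701]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:33 mx suhosin[3701]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '66.249.71.20', file 'html/index.php')
Dec 5 05:39:33 mx suhosin[3701]: ALERT \u2013 ASCII-NUL chars not allowed within request variables \u2013 dropped variable \u2018mosConfig_absolute_path\u2019 (attacker \u201966.249.71.20\u2032, file \u2018html/index.php\u2019)
Dec 5 05:40:01 mx suhosin[3702]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '192.0.2.15', file 'html/index.php')
Dec 5 05:40:02 mx sshd[411]: Accepted publickey for admin
"""

def summarize(log_text):
    """Group suhosin ALERT lines by source address and tally what was blocked."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a suhosin alert
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        entry = report.setdefault(str(ip), {
            "in_google_range": ip in GOOGLE_NET,
            "alerts": 0, "nul_byte": 0, "variables": Counter(),
        })
        entry["alerts"] += 1
        entry["nul_byte"] += int("ASCII-NUL" in m["msg"])
        v = VAR_RE.search(m["msg"])
        if v:
            entry["variables"][v["var"]] += 1
    return report

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e["in_google_range"], e["alerts"], dict(e["variables"]))
```

Membership in the WHOIS range only shows which allocation an address belongs to; Google documents a reverse DNS lookup followed by a forward lookup as the way to confirm that a request came from its crawler.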

Does Google attack you, too?

These attacks initially started from a different Google IP, 66.249.71.2; I wrote to abuse at google, and got an automated response with a ticket number (in the hundreds of millions range). A week after that, requests started flowing from IP 66.249.71.20. I am not implying an “evil Google abuse department” here, just that there was no response, and the problem shifted to a different IP from Google's IP range.

Update: I decided just to ignore this class of problems.

“Evil?” image by copyblogger.com.
