Autarchy of the Private Cave » abuse https://bogdan.org.ua Tiny bits of bioinformatics, [web-]programming etc Wed, 28 Dec 2022 16:09:04 +0000 en-US hourly 1 https://wordpress.org/?v=3.8.27 Does Google attack your servers, too?https://bogdan.org.ua/2009/12/05/does-google-attack-your-servers-too.html https://bogdan.org.ua/2009/12/05/does-google-attack-your-servers-too.html#comments Sat, 05 Dec 2009 12:28:34 +0000 http://bogdan.org.ua/?p=942 Evil?

For about 2 weeks now, I am every day alerted of the suspicious behavior of some computer/server from the Google’s IP range:

Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)

These requests repeat up to several hundred times per hour, with periods of no or very little malicious requests.

Here’s WHOIS information about 66.249.71.20:

OrgName: Google Inc.
OrgID: GOGL

NetRange: 66.249.64.0 – 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0

Does Google attack you, too?

These attacks initially started from a different Google IP – 66.249.71.2; I wrote to abuse at google, and got an automated response with the ticket number (in the hundreds of millions range). A week after that, requests started flowing from IP 66.249.71.20. I am not inferring “evil Google abuse department” here, just that there was no response, and the problem shifted to a different IP from the Google’s IP range.

Update: I decided just to ignore this class of problems.

“Evil?” image by copyblogger.com.

Share

]]> https://bogdan.org.ua/2009/12/05/does-google-attack-your-servers-too.html/feed 0