GoogleBot used as HTTP Agent by Hackers/Botscripts



In the past few weeks I became aware of more and more bot scripts which claim to be the GoogleBot. In the HTTP header they send "GoogleBot" as the user agent, just like the original one. Only a look at the IP address shows that this is fake (GoogleBot always comes from a 69.249.x.x address).

This is one such access:

95.141.32.238 - - [05/Sep/2012:19:28:05 +0200] "GET /images.php HTTP/1.1" 200 3 "-" "Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"

In this case, images.php was accessed, a malicious PHP file used to launch processes.

The main reason they fake the GoogleBot user agent is probably to trick system administrators, e.g. when grep -iv bot is used to filter bot traffic out of access logs.

Besides that, in this case they even seem to have made a typo, as it says "Goooglebot" with 3 o's.
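Instead of dropping every "bot" line during log review, the crawler claims can be triaged on their own. The following is an added example, not code from the original post: it parses combined-format access log lines, flags requests whose user agent claims to be GoogleBot (including stretched spellings) but whose source IP is outside a trusted list, and shows which of those lines grep -iv bot would have hidden. The function names are hypothetical, the trusted range is the one stated in the text above, and two of the three sample lines are constructed.

```python
import ipaddress
import re

# Apache/nginx combined log format: ip, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Matches "Googlebot" and stretched spellings such as "Goooglebot".
CLAIMS_GOOGLEBOT = re.compile(r"go{2,}glebot", re.IGNORECASE)
# Range as stated in the article; replace it with crawler ranges you have verified yourself.
TRUSTED = [ipaddress.ip_network("69.249.0.0/16")]


def check_line(line, trusted=TRUSTED):
    """Return None for traffic that makes no GoogleBot claim, else a finding dict."""
    m = LOG_RE.match(line.strip())
    claim = CLAIMS_GOOGLEBOT.search(m["agent"]) if m else None
    if not claim:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # logged hostname instead of an address: cannot be checked here
        return None
    reasons = []
    if not any(ip in net for net in trusted):
        reasons.append("source IP outside trusted crawler ranges")
    if claim.group().lower() != "googlebot":
        reasons.append("misspelled crawler name")
    return {"ip": str(ip), "request": m["request"], "fake": bool(reasons), "reasons": reasons}


def dropped_by_bot_filter(line):
    """True if `grep -iv bot` would hide this line from the reviewer."""
    return "bot" in line.lower()

SAMPLE_LOG = [
    # Line quoted in the article.
    '95.141.32.238 - - [05/Sep/2012:19:28:05 +0200] "GET /images.php HTTP/1.1" 200 3 "-" '
    '"Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"',
    # Constructed lines for comparison: a claim from the trusted range, and a browser.
    '69.249.0.10 - - [05/Sep/2012:19:30:11 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [05/Sep/2012:19:31:40 +0200] "GET /about.php HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/15.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(check_line(entry), "| hidden by grep -iv bot:", dropped_by_bot_filter(entry))
```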

