
ODD! IP's spoofed as Googlebot!

Discussion in 'BlackHat Lounge' started by andy2009, Jun 29, 2011.

  1. andy2009

    andy2009 Junior Member

    I was doing some snooping around in the raw logfiles of a site I have and noticed that almost ALL visitors were from googlebot. Sure, that could be normal for some situations, but the odd thing was that when I tested and surfed to the site myself, instead of my own IP it showed googlebot again.

    Notice the user agents are different. I only removed the referring site from the log below.

    Looks like IP spoofing but it ain't that I'm sure of :)

    Anyone that can shed some light on this, because it's bugging me a bit.

    Here is how it looks:
    Code:
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:54:33 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 FireDownload/2.0.1 Firefox/3.6.12 ( .NET CLR 3.5.30729) WebMoney Advisor"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:57:41 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 FireDownload/2.0.1 Firefox/3.6.12 ( .NET CLR 3.5.30729) WebMoney Advisor"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:58:20 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:01:28 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:01:57 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; SCH-I500 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:02:43 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
    
     
  2. other_henry

    other_henry Junior Member

    The IP looks legit to me:

    Code:
    $ host crawl-66-249-66-70.googlebot.com
    crawl-66-249-66-70.googlebot.com has address 66.249.66.70
    $ host 66.249.66.70
    70.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-70.googlebot.com.
    $ whois 66.249.66.70
    
    American Registry for Internet Numbers NET66 (NET-66-0-0-0-0) 66.0.0.0 - 66.255.255.255
    Google Inc. GOOGLE (NET-66-249-64-0-1) 66.249.64.0 - 66.249.95.255
    
    
     
  3. youngguy

    youngguy Senior Member

    Google is just finding the cloaked sites (BH sites) and killing 'em, but unluckily for them, they can never find me :D
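
The manual check in the second post (forward lookup, reverse lookup, compare the two) can be run over every line of an access log and set against the User-Agent header. The following is an added example, not code posted by anyone in the thread. It assumes Apache combined log format; the resolver tables and the 203.0.113.9 host are constructed, and the suffix list is an assumption taken from Google's published crawler-verification guidance.

```python
import re
import socket

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"[^"]*" "(?P<agent>[^"]*)"$')
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")  # assumed suffix list

def system_forward(name):  # A records, empty set on lookup failure
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def system_reverse(ip):  # PTR name, None on lookup failure
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def is_google_host(client, forward=system_forward, reverse=system_reverse):
    """FCrDNS check for an IP or a logged hostname (Apache HostnameLookups)."""
    ips = {client} if IPV4_RE.match(client) else forward(client)
    for ip in ips:
        ptr = (reverse(ip) or "").rstrip(".").lower()
        # A PTR record alone proves nothing: its owner sets it freely.
        if ptr.endswith(GOOGLE_SUFFIXES) and ip in forward(ptr):
            return True
    return False

def classify(line, forward=system_forward, reverse=system_reverse):
    """Label one log line by DNS-verified identity versus claimed User-Agent."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    verified = is_google_host(m["host"], forward, reverse)
    claims = "googlebot" in m["agent"].lower()
    if verified:
        return "verified-googlebot" if claims else "google-host-browser-agent"
    return "fake-googlebot-agent" if claims else "ordinary"

# Constructed offline data: first pair mirrors the thread, second is a lying PTR.
A = {"crawl-66-249-66-70.googlebot.com": {"66.249.66.70"}}
PTR = {"66.249.66.70": "crawl-66-249-66-70.googlebot.com.",
       "203.0.113.9": "crawl-203-0-113-9.googlebot.com."}
PRE = '- - [29/Jun/2011:13:58:20 +0200] "GET / HTTP/1.1" 200 242 "-" '
SAMPLE = ["crawl-66-249-66-70.googlebot.com " + PRE + '"Mozilla/5.0 (Windows NT 6.1)"',
          "203.0.113.9 " + PRE + '"Mozilla/5.0 (compatible; Googlebot/2.1)"']
OFFLINE = (lambda name: A.get(name, set()), PTR.get)
if __name__ == "__main__":
    print([classify(line, *OFFLINE) for line in SAMPLE])
```

Lines like those in the first post come out as `google-host-browser-agent`: the address really belongs to Google, but the request carries a browser User-Agent, so it is not ordinary crawl traffic.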