ODD! IP's spoofed as Googlebot!

Discussion in 'BlackHat Lounge' started by andy2009, Jun 29, 2011.

  1. andy2009

    I was doing some snooping around in the raw logfiles of a site I have and noticed that almost ALL visitors were from Googlebot. Sure, that could be normal for some situations, but the odd thing was that when I tested and surfed to the site myself, instead of my own IP it showed Googlebot again.

    Notice the user agents are different. I only removed the referring site from the log below.

    Looks like IP spoofing but it ain't, that I'm sure of :)

    Anyone that can shed some light on this, because it's bugging me a bit?

    Here is how it looks:
    Code:
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:54:33 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 FireDownload/2.0.1 Firefox/3.6.12 ( .NET CLR 3.5.30729) WebMoney Advisor"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:57:41 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 FireDownload/2.0.1 Firefox/3.6.12 ( .NET CLR 3.5.30729) WebMoney Advisor"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:13:58:20 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:01:28 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:01:57 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; SCH-I500 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
    crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:02:43 +0200] "GET / HTTP/1.1" 200 242 "http://www.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
    
     
  2. other_henry

    The IP looks legit to me:

    Code:
    $ host crawl-66-249-66-70.googlebot.com
    crawl-66-249-66-70.googlebot.com has address 66.249.66.70
    $ host 66.249.66.70
    70.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-70.googlebot.com.
    $ whois 66.249.66.70
    
    American Registry for Internet Numbers NET66 (NET-66-0-0-0-0) 66.0.0.0 - 66.255.255.255
    Google Inc. GOOGLE (NET-66-249-64-0-1) 66.249.64.0 - 66.249.95.255
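
The forward and reverse lookups from the reply above, applied to the log format from the first post, as an added example that is not part of the thread. The function names and result labels are illustrative assumptions, the resolvers are injectable, and the FWD/REV tables are offline stand-ins built from the quoted `host` output.

```python
import re
import socket

# Combined log format: keep the client host and the user agent.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
CRAWLER_DOMAINS = (".googlebot.com", ".google.com")

def dns_forward(name):
    """Name -> IPv4 addresses via live DNS (swap out for offline runs)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def dns_reverse(ip):
    """Address -> PTR name via live DNS, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_confirmed(name, forward=dns_forward, reverse=dns_reverse):
    """True if name is in a crawler domain and name -> address -> name holds."""
    name = name.rstrip(".").lower()
    if not name.endswith(CRAWLER_DOMAINS):
        return False
    return any((reverse(ip) or "").rstrip(".").lower() == name
               for ip in forward(name))

def classify(line, forward=dns_forward, reverse=dns_reverse):
    """Label one log line by logged host name, DNS check and user agent."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    if not forward_confirmed(m["host"], forward, reverse):
        return "not-verified-google"
    # Genuine Google name; the user agent says whether it claims to be the crawler.
    return "googlebot" if "Googlebot" in m["ua"] else "google-host-browser-ua"

# Offline stand-ins for DNS, built from the lookups quoted in the thread.
FWD = {"crawl-66-249-66-70.googlebot.com": ["66.249.66.70"]}
REV = {"66.249.66.70": "crawl-66-249-66-70.googlebot.com."}
SAMPLE = ('crawl-66-249-66-70.googlebot.com - - [29/Jun/2011:14:01:28 +0200] '
          '"GET / HTTP/1.1" 200 242 "http://www.domain.com/" '
          '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"')

if __name__ == "__main__":
    print(classify(SAMPLE, lambda n: FWD.get(n, []), REV.get))
```

A log that stores only the resolved name lets this check confirm that the name belongs to Google, not that the request came from that address; where the raw client address is logged, start the check from it.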
    
    
     
  3. youngguy

    Google is just finding the cloaked sites (BH sites) and killing 'em, but unlucky for them, they never can find me :D