ForumPostersUnion.com

AnthonyCea · #1 03-11-2007, 07:47 AM

Here is a fake GoogleBot using an unknown IP

09:44 AM Google Spider Viewing Index
Forum Posters Union 85.17.141.169
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Location: Netherlands [City: ]

85.17.141.0-85.17.141.255 LEASEWEB LeaseWeb P.O. Box 93054 1090BB AMSTERDAM Netherlands www.leaseweb.com
<<85.17.141.168 save2web.gr >>85.17.141.170 new-mona-model.net
85.17.0.0/16 OCOM
AS16265 LeaseWeb AS Amsterdam, Netherlands
85.17.141.0-85.17.141.255 LEASEWEB LeaseWeb P.O. Box 93054 1090BB AMSTERDAM Netherlands www.leaseweb.com
85.17.141.169
HTTP:Apache/2.2.3 (CentOS)
DNS alpinchalets.com A
alpinchaletschoeneben.com A
alpinchaletschoneben.com A
alpinchaletsschoeneben.com A
alpinchaletsschoneben.com A
chaletplus.com A
leaseweb.interversa.nl PTR A
mail.alpinchaletschoeneben.com A
mail.alpinchaletschoneben.com A
mail.alpinchaletsschoeneben.com A
mail.alpinchaletsschoneben.com A
ns3.interversa.nl A

Answer:
85.17.141.169 PTR record: hosted-by.leaseweb.com.

Here is a way to verify Google Bot posted by Matt Cutts of Google.

AnthonyCea · #2 11-20-2007, 09:52 AM

Here is a fake Google bot operator who was caught reading this fake Google bot thread today.

This idiot is running his fake spoofed GoogleBot from a Comcast cable TV IP which could have been acquired from a hijacked zombie computer which is part of a bot net run by Russian hackers.

08:00 AM Google Spider Viewing Thread Fake GoogleBot spoofed crawler
65.96.164.24 c-65-96-164-24.hsd1.ma.comcast.net
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

AnthonyCea · #3 11-25-2007, 06:37 AM

Here is a spam bot operator spoofing GoogleBot from a blacklisted spam source open proxy IP out of China.

08:35 AM Google Spider Viewing Index
59.55.132.127 PTR= 127.132.55.59.broad.nc.jx.dynamic.163data.com.cn.
Mozilla/5.0 (compatible; Googlebot/2.1;+http://www.google.com/bot.html)

Remember, spam bot net operators will try anything to fool webmasters and server administrators, including using open proxy IP's, hijacked zombie computers and many of them operate behind fake web hosting companies as a front for their spam bot networks.

AnthonyCea · #4 12-20-2007, 07:29 AM

Hacker spoofing GoogleBot reading Fake Google Bot thread today !!!

Fake GoogleBot

09:26 AM Google Spider Viewing Thread
Fake GoogleBot spoofed crawler 152.13.103.46 faog6c54c1.uncg.edu.
Googlebot/2.1 (+http://www.google.com/bot.html)

Real GoogleBot

66.249.66.177 crawl-66-249-66-177.googlebot.com
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

AnthonyCea · #5 02-21-2008, 05:10 PM

Here is another goofball spoofing GoogleBot, this guy is so dumb he was even reading this thread while spoofing the Google Spider.

07:00 PM Google Spider Viewing Thread
Fake GoogleBot spoofed crawler 41.232.77.94 host-41.232.77.94.tedata.net

Data on IP: 41.232.77.94

41.0.0.0-41.255.255.255 NET41
<<41.232.76.17 host-41.232.76.17.tedata.net >>41.232.78.37 ns1.hopserve5.com
41.232.0.0/13 Telecom Egypt Data
AS8452 TEDATA
41.232.64.0/19 error
AS8452 TEDATA
41.232.64.0/20 error
AS8452 TEDATA
41.0.0.0-41.255.255.255 NET41
41.232.77.94 host-41.232.77.94.tedata.net PTR A?

% Information related to '41.232.0.0/13AS8452'

route: 41.232.0.0/13
descr: Telecom-Egypt-Data
origin: AS8452
mnt-by: GEGA-MNT
source: RIPE # Filtered

AnthonyCea · #6 06-15-2008, 08:28 AM

Here is another moron content scraper impersonating GoogleBot, he was actually reading this thread when we banned his blacklisted open proxy IP.

10:26 AM Google Spider Viewing Thread Fake GoogleBot spoofed crawler
189.5.229.200 bd05e5c8.virtua.com.br
Googlebot/2.X (http://www.googlebot.com/bot.html)

AnthonyCea · #7 06-22-2008, 04:37 PM

This Russian forum hacker is now spoofing Googlebot, this guy runs command line URL variables seeking to conduct SQL Injection or PHP Shell attacks on servers worldwide.

06:28 PM Google Spider Viewing Thread 79.82.206.38 38.206.82-79.rev.gaoland.net
Googlebot/2.1 (+http://www.googlebot.com/bot.html)

miqrogroove · #8 02-10-2010, 06:25 AM

Code:

Host: 94.214.74.219 5ed64adb.cable.ziggo.nl
Date: Feb 10 06:16:22
Http Version: HTTP/1.0
Referer: http://images.google.nl/search?imgtbs=z&gbv=2&ndsp=18&hl=nl&tbo=1&tbs=rcnt:1&q=zuzana&start=70&sa=N
Agent: Googlebot/2.1

AnthonyCea · #9 02-10-2010, 06:28 AM

You know your site is popular when GoogleBot visits from unknown IP ranges !!

miqrogroove · #10 02-10-2010, 07:18 AM

Code:

Host: 89.149.223.104
Date: Feb 10 07:13:28
Http Version: HTTP/1.0
Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

srslywtf?

AnthonyCea · #11 02-10-2010, 10:26 AM

These are the morons behind InternetServiceTeam.com spam botnet, they have been spoofing GoogleBot for years now, look at the hosting information, if you follow the linked thread and all the links within you will see they use this host, they quit using the Internetserviceteam.com host name on some IP's because I have been exposing them to the world for years now.

Same deal here when gang InternetServiceTeam.com changed their host name to fool server administrators and webmasters.

You gotta love these guys, they try hard !!

Information related to '89.149.222.0 - 89.149.223.255'

inetnum: 89.149.222.0 - 89.149.223.255
netname: NETDIRECT-NET
descr: netdirekt e.K.
remarks: INFRA-AW
country: DE
admin-c: WW200-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered

person: Wiethold Wagner
address: netdirekt e. K.
address: Kleyer Strasse 79 / Tor 14
address: 60326 Frankfurt
address: DE
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: info@netdirekt.de
nic-hdl: WW200-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

person: Simon Roehl
address: netdirekt e. K.
address: Kleyer Strasse 79 /Tor 14
address: 60326 Frankfurt
address: DE
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: technik@netdirekt.de
nic-hdl: SR614-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

% Information related to '89.149.192.0/18AS28753'

route: 89.149.192.0/18
descr: netdirect Frankfurt, DE
origin: AS28753
org: ORG-nA8-RIPE
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

organisation: ORG-nA8-RIPE
org-name: netdirect
org-type: LIR
address: netdirekt e. K.
Kleyer Strasse 79 / Tor 14
60326 Frankfurt
Germany
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: ripe@netdirekt.de
admin-c: SR614-RIPE
admin-c: WW200-RIPE
mnt-ref: NETDIRECT-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

miqrogroove · #12 04-10-2010, 04:16 PM

Code:

Host: 213.162.107.60
Http Version: HTTP/1.1
Agent: Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)

AnthonyCea · #13 04-10-2010, 04:20 PM

Damn, these morons must find a ton of suckers or they would not try spoofing Google bot, thanks !!

PS: Then we wonder how these new search engines build a database so fast !!

213.162.107.60 resolves to mail.pixata.com

Information related to '213.162.107.0 - 213.162.107.255'

inetnum: 213.162.107.0 - 213.162.107.255
netname: PARBIN-NET-E
descr: Parbin Limited
descr: ADSL Connections
country: GB
admin-c: PH1124-RIPE
tech-c: PH1124-RIPE
status: ASSIGNED PA
mnt-by: PARBIN-MNT
source: RIPE # Filtered

role: Parbin Hostmaster
address: PlusNet Plc
address: Internet House
address: Tenter Street
address: Sheffield
address: S1 4BY
phone: +44 114 2200084
remarks: trouble: Please report any network abuse to abuse@plus.net
admin-c: SB195-RIPE
tech-c: RM6084-RIPE
nic-hdl: PH1124-RIPE
mnt-by: PARBIN-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@plus.net

% Information related to '213.162.96.0/20AS6871'

route: 213.162.96.0/20
descr: PARBIN-213-162-96-0-20
origin: AS6871
mnt-by: MAINT-AS6871
mnt-routes: MAINT-AS6871
mnt-lower: MAINT-AS6871
source: RIPE # Filtered

% Information related to '213.162.96.0/19AS6871'

route: 213.162.96.0/19
descr: PARBIN-213-162-96-0-19
origin: AS6871
mnt-by: MAINT-AS6871
mnt-routes: MAINT-AS6871
mnt-lower: MAINT-AS6871
source: RIPE # Filtered

miqrogroove · #14 05-25-2010, 01:31 PM

Code:

204.13.53.200 - - [24/May/2010:16:13:04 -0600] "GET /wp-login.php HTTP/1.1" 403 930 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:05 -0600] "GET /old/wp-login.php HTTP/1.1" 403 934 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:05 -0600] "GET /cms/wp-login.php HTTP/1.1" 403 934 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:07 -0600] "GET /blog/wp-login.php HTTP/1.1" 403 935 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:08 -0600] "GET /blog_old/wp-login.php HTTP/1.1" 403 939 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:08 -0600] "GET /blog-old/wp-login.php HTTP/1.1" 403 939 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:08 -0600] "GET /blog/wp/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:11 -0600] "GET /wp/wp-login.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:11 -0600] "GET /wp-old/wp-login.php HTTP/1.1" 403 937 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:11 -0600] "GET /wp-old-blog/wp-login.php HTTP/1.1" 403 942 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:12 -0600] "GET /wp_old/wp-login.php HTTP/1.1" 403 937 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:12 -0600] "GET /WP/wp-login.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:12 -0600] "GET /WP-backup/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:12 -0600] "GET /backup/wp-login.php HTTP/1.1" 403 937 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:13 -0600] "GET /blog/backup/wp-login.php HTTP/1.1" 403 942 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:13 -0600] "GET /wp-blog/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:13 -0600] "GET /wp_blog/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:13 -0600] "GET /WP_blog/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /blog/wp_blog/wp-login.php HTTP/1.1" 403 943 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /Test/wp/blog/wp-login.php HTTP/1.1" 403 943 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /test/wp-login.php HTTP/1.1" 403 935 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /test/wp/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /testblog/wp-login.php HTTP/1.1" 403 939 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:14 -0600] "GET /test-blog/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:15 -0600] "GET /test_blog/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:15 -0600] "GET /test/blog/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:17 -0600] "GET /test/wordpress/wp-login.php HTTP/1.1" 403 945 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:17 -0600] "GET /wordpress-test/wp-login.php HTTP/1.1" 403 945 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:17 -0600] "GET /wordpress_test/wp-login.php HTTP/1.1" 403 945 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:18 -0600] "GET /wp/test/wp-login.php HTTP/1.1" 403 938 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:18 -0600] "GET /test/blog/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:18 -0600] "GET /test-blog/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:19 -0600] "GET /wptest/wp-login.php HTTP/1.1" 403 937 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:19 -0600] "GET /wp-test/wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:24 -0600] "GET /wp2/wp-login.php HTTP/1.1" 403 934 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:24 -0600] "GET /wordpress/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:25 -0600] "GET /Wordpress/wp-login.php HTTP/1.1" 403 940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
204.13.53.200 - - [24/May/2010:16:13:25 -0600] "GET /wordpress2/wp-login.php HTTP/1.1" 403 941 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Two things can be learned here.
1. People who write URL guessing bots have brain damage.
2. It's a good thing I audit my logs, because this guy found a hole (200) where there should not be one.

AnthonyCea · #15 05-25-2010, 05:10 PM

Wow, what a low life hacker this cat is, thanks for the IP range so we can ban it !!

I'm sure Google thanks you too, they do read this thread once in a while !!

Check this spam bot operator who thinks running GoogleBot user agent is the answer to run his spam script.

miqrogroove · #16 06-28-2010, 03:32 AM

Code:

Host: 212.178.21.115
Http Version: HTTP/1.0
Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)