HighDots Forums  

Google media-partner bot used to hack my site

Search Engine Optimization Discussion about SEO/Search Engine Optimization (alt.internet.search-engines)


#1 dosdawgs - 01-20-2006, 04:38 AM

I joined here today because I don't know who to tell about what has
happened, and what I feel is a catastrophic occurrence. I logged into
my site this morning and there was a scrolling banner on my site's
content: "you have been hacked by (xxx)". I forgot the name of it. At any
rate, I searched my logs and was shocked to see who had been in my
admin that morning. I am pasting the log:

Host: 66.249.66.40

/robots.txt
Http Code: 200 Date: Jan 18 04:59:15 Http Version: HTTP/1.1 Size in Bytes: 225
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php
Http Code: 200 Date: Jan 18 04:59:16 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=hreferer
Http Code: 200 Date: Jan 18 04:59:49 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=mod_authors
Http Code: 200 Date: Jan 18 05:00:05 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=deladmin&del_aid=power
Http Code: 200 Date: Jan 18 05:00:14 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=deletemsg&mid=5
Http Code: 200 Date: Jan 18 05:00:43 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1


I contacted my server admin, who did the upgrade on PHP-Nuke for me,
as you need SSH and I am on a shared server. I then sent an email to
Google to let them know this had occurred, and as of yet they have not
even acknowledged receipt of the notice. There is no mention of this
type of activity on the net, as I have searched the big 3 SEs. If
somebody in here knows or can help me get the word spread about this:
Google needs to take a look at what is going on with that IP and
the media bot.




#2 Els - 01-20-2006, 04:46 AM

dosdawgs wrote:

Quote:
I joined here today because I don't know who to tell about what has
happened, and what I feel is a catastrophic occurrence. I logged into
my site this morning and there was a scrolling banner on my site's
content: "you have been hacked by (xxx)". I forgot the name of it. At any
rate, I searched my logs and was shocked to see who had been in my
admin that morning. I am pasting the log:

Host: 66.249.66.40

/robots.txt
Http Code: 200 Date: Jan 18 04:59:15 Http Version: HTTP/1.1 Size in Bytes: 225
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php
Http Code: 200 Date: Jan 18 04:59:16 Http Version: HTTP/1.1 Size in Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

[snip more loglines]

[snip]
Google needs to take a look at what is going on with that IP and
the media bot.
It's also possible that your hacker used an ad-version of Opera to
hack your site, and that's usually directly followed by the Media bot.
Did you see any other visitor right before the Media bot?

--
Els http://locusmeus.com/
Dreams come. Dreams go. The rest is imperfect.
- Renato Russo -



#3 Els - 01-20-2006, 04:52 AM

Els wrote:
Quote:
dosdawgs wrote:

[snip quoted post and log]

It's also possible that your hacker used an ad-version of Opera to
hack your site, and that's usually directly followed by the Media bot.
Did you see any other visitor right before the Media bot?
Hmm... I notice one more thing:
All the different URLs come back with exactly 28334 bytes. I'm
thinking this Media bot didn't come further than the admin.php page.
I've just tried it myself: whatever I fill out after admin.php, I get
the login screen. That's most likely what the Mediabot saw too, and
whoever got in there before might be your hacker - not Mediabot.

--
Els http://locusmeus.com/

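Els's observation that every admin.php variant came back with exactly 28334 bytes is the kind of check worth scripting over the whole log rather than eyeballing six entries. What follows is an added example, not code from the thread or from PHP-Nuke: it parses the stats-panel layout dosdawgs pasted above (the wrapped "Size in" / "Bytes:" lines included), groups the admin.php requests by response size, and pulls out the destructive op= requests so they can be checked against the application's own records. If the admin account named in del_aid and the message with mid=5 still exist, those requests were answered by the login form, not by the handler. The function names (parse_posted_log, served_one_page, state_changing_ops) are this example's own. A uniform size is strong evidence, not proof: a login page that embeds a per-request token can vary by a few bytes, and a handler could by coincidence produce the same length, so the application-side check is what settles it.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The six log entries dosdawgs pasted earlier in this thread, kept in the
# wrapped "Size in" / "Bytes:" layout of the original post. This is the
# thread's own data, not a constructed sample.
POSTED_LOG = """\
Host: 66.249.66.40

/robots.txt
Http Code: 200 Date: Jan 18 04:59:15 Http Version: HTTP/1.1 Size in
Bytes: 225
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php
Http Code: 200 Date: Jan 18 04:59:16 Http Version: HTTP/1.1 Size in
Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=hreferer
Http Code: 200 Date: Jan 18 04:59:49 Http Version: HTTP/1.1 Size in
Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=mod_authors
Http Code: 200 Date: Jan 18 05:00:05 Http Version: HTTP/1.1 Size in
Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=deladmin&del_aid=power
Http Code: 200 Date: Jan 18 05:00:14 Http Version: HTTP/1.1 Size in
Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1

/admin.php?op=deletemsg&mid=5
Http Code: 200 Date: Jan 18 05:00:43 Http Version: HTTP/1.1 Size in
Bytes: 28334
Referer: -
Agent: Mediapartners-Google/2.1
"""


def parse_posted_log(text):
    """Parse the layout above into (host, [entry, ...]).

    Entries are separated by blank lines; the first line of each is the
    request path and the rest are 'Field: value' pairs, possibly wrapped
    mid-field ("Size in" / "Bytes: N"), so they are re-joined first.
    """
    host = None
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        if lines[0].startswith("Host:"):
            host = lines[0].split(":", 1)[1].strip()
            continue
        if not lines[0].startswith("/"):
            continue  # not a request block
        flat = " ".join(lines[1:])
        entries.append({
            "path": lines[0],
            "code": int(re.search(r"Http Code: (\d+)", flat).group(1)),
            "date": re.search(r"Date: (\w+ \d+ \d\d:\d\d:\d\d)", flat).group(1),
            "size": int(re.search(r"Size in Bytes: (\d+)", flat).group(1)),
            "referer": re.search(r"Referer: (\S+)", flat).group(1),
            "agent": re.search(r"Agent: (.+)$", flat).group(1).strip(),
        })
    return host, entries


def size_profile(entries, prefix):
    """Response size -> paths, for requests whose path starts with prefix."""
    profile = defaultdict(list)
    for e in entries:
        if e["path"].startswith(prefix):
            profile[e["size"]].append(e["path"])
    return dict(profile)


def served_one_page(entries, prefix):
    """True when every request under prefix came back with the same byte
    count: the server ignored the differing query strings and sent one fixed
    page, which for an admin script is what a login form looks like."""
    return len(size_profile(entries, prefix)) == 1


def state_changing_ops(entries):
    """Admin 'op' values that name deletions, with their other parameters.
    These are the requests to check against the application's own records:
    if the admin account or message is still there, the request never ran."""
    hits = []
    for e in entries:
        qs = parse_qs(urlsplit(e["path"]).query)
        op = qs.get("op", [""])[0]
        if op.startswith("del"):
            hits.append((e["date"], op, {k: v[0] for k, v in qs.items() if k != "op"}))
    return hits


if __name__ == "__main__":
    host, entries = parse_posted_log(POSTED_LOG)
    print(f"{len(entries)} requests from {host}")
    for size, paths in size_profile(entries, "/admin.php").items():
        print(f"  {size} bytes: {len(paths)} admin.php variants")
    print("one page for every admin.php variant:", served_one_page(entries, "/admin.php"))
    for date, op, params in state_changing_ops(entries):
        print(f"  {date} op={op} {params}  <- verify against the app's tables")
```

Run it over the full day's log rather than the six pasted lines, and look at the entries from other addresses in the minutes before 04:59: a client that fetched the same admin.php URLs with a session cookie and a different byte count is the one that was actually logged in.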
#4 Borek - 01-20-2006, 05:48 AM

On Fri, 20 Jan 2006 10:38:44 +0100, dosdawgs <admin (AT) dosdawgs (DOT) com> wrote:

Quote:
Host: 66.249.66.40
Agent: Mediapartners-Google/2.1
User agent can be forged easily, no idea about host.

Best,
Borek
--
http://www.chembuddy.com/?left=pH-ca...right=pH-scale
http://www.chembuddy.com/?left=pH-ca...=pH-definition



#5 dk_sz - 01-20-2006, 11:55 AM

Quote:
User agent can be forged easily, no idea about host.
Indeed. And many programs allow this for good reasons.
E.g. to see if a site is using cloaking.


Best regards
Thomas
http://www.micro-sys.dk/products/sitemap-generator/





#6 John Bokma - 01-20-2006, 01:44 PM

"dosdawgs" <admin (AT) dosdawgs (DOT) com> wrote:

Quote:
I joined here today because I don't know who to tell about what has
happened, and what I feel is a catastrophic occurrence. [snip]
Depends on how you got "hacked": if the cracker got file system access, he
might have been able to change the log as well.

--
John Experienced (web) developer: http://castleamber.com/
Perl SEO tools: http://johnbokma.com/perl/
NEW ----> Textpad reference card (pdf): http://johnbokma.com/textpad/




#7 John Bokma - 01-20-2006, 01:46 PM

Borek <m.borkowski (AT) delete (DOT) chembuddy.these.com.parts> wrote:

Quote:
On Fri, 20 Jan 2006 10:38:44 +0100, dosdawgs <admin (AT) dosdawgs (DOT) com> wrote:

Host: 66.249.66.40
Agent: Mediapartners-Google/2.1

User agent can be forged easily, no idea about host.
With spoofing you can supply a different IP address. The problem is, the
reply goes to that address, and there is no program expecting that reply.

Either the log has been cleaned up to remove traces, or the OP is looking
at the wrong info. I doubt you can hijack the Google bot :-D (I mean, then
the hacker would probably deface Google).

--
John Experienced (web) developer: http://castleamber.com/
Perl SEO tools: http://johnbokma.com/perl/
NEW ----> Textpad reference card (pdf): http://johnbokma.com/textpad/




#8 Borek - 01-20-2006, 02:47 PM

On Fri, 20 Jan 2006 19:46:29 +0100, John Bokma <john (AT) castleamber (DOT) com>
wrote:

Quote:
Host: 66.249.66.40
Agent: Mediapartners-Google/2.1

User agent can be forged easily, no idea about host.

With spoofing you can supply a different IP address. The problem is, the
reply goes to that address, and there is no program expecting that reply.
What is logged by Apache (and other servers) as host?

What I see in my log are strings like:

netsprint.pl
155.37.254.150
crawl-66-249-72-207.googlebot.com
wireless-pppoe-214.cyg.net

and so on. That's terra incognita for me; however, what I have
found in the Apache manual is that the logged information is the IP taken
from headers, but it can also be translated to a hostname before
logging (HostnameLookups On). The host name is taken from DNS, so
if you have your own DNS server you may be able to forge this
information too.

But that's only my guess.

Best,
Borek
--
http://www.chembuddy.com/?left=pH-ca...right=pH-scale
http://www.chembuddy.com/?left=pH-ca...=pH-definition



#9 John Bokma - 01-20-2006, 02:55 PM

Borek <m.borkowski (AT) delete (DOT) chembuddy.these.com.parts> wrote:

Quote:
[snip]
That's terra incognita for me; however, what I have
found in the Apache manual is that the logged information is the IP taken
from headers, but it can also be translated to a hostname before
logging (HostnameLookups On). The host name is taken from DNS, so
if you have your own DNS server you may be able to forge this
information too.
Yup, Apache does use DNS to translate IPs to names. Quite some hosters turn
this feature off. The only way someone can fake this is by hijacking the
DNS that Apache uses. I guess this can be done, but I doubt someone
defacing a page would go that far or has the abilities to do such a thing.

Defacing is mostly done via a weak spot in a script, AFAIK.

--
John Experienced (web) developer: http://castleamber.com/
Perl SEO tools: http://johnbokma.com/perl/
NEW ----> Textpad reference card (pdf): http://johnbokma.com/textpad/




#10 Borek - 01-20-2006, 03:45 PM

On Fri, 20 Jan 2006 20:55:19 +0100, John Bokma <john (AT) castleamber (DOT) com>
wrote:

Quote:
Yup, Apache does use DNS to translate IPs to names. Quite some hosters turn
this feature off. The only way someone can fake this is by hijacking the
DNS that Apache uses. I guess this can be done, but I doubt someone
defacing a page would go that far or has the abilities to do such a thing.
Isn't it that a DNS server serves, apart from other stuff, also some
expiration information? I believe that's how Google selects its
datacenters. If you have your own DNS server for your own domain and you
set the expiration to, say, 5 minutes, you are effectively forcing
every Apache trying to log the information to ask _your_ DNS server about
the domain name. Thus you can change it in almost real time and there is no
need to hijack the DNS used by the local Apache.

Once again, disclaimer: I am only guessing.

Best,
Borek
--
http://www.chembuddy.com/?left=pH-ca...right=pH-scale
http://www.chembuddy.com/?left=pH-ca...=pH-definition


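The question Borek and John are circling (what Apache records as the host, and whether it can be forged) is settled by how the lookup is done rather than by who runs a DNS server. With HostnameLookups On, Apache performs only the reverse lookup: it asks for the PTR record of the client address, and that answer comes from whoever runs the reverse zone for that address block, not from the domain the returned name belongs to. An attacker with their own address block can therefore publish a PTR of crawl-a-b-c-d.googlebot.com for it; owning a domain and giving its records a short TTL does not come into it. What defeats a forged PTR is the second step: resolve the returned name forward and require that it yields the original address. That is what HostnameLookups Double does, and it is the procedure Google publishes for verifying its crawlers: reverse-resolve the IP, check the name is under googlebot.com or google.com, then forward-resolve that name back to the same IP. The following is an added example, not code from the thread, implementing that forward-confirmed reverse DNS check with the resolver injected so it runs offline. The DNS answers in the tables are constructed, including the assumed PTR name for 66.249.66.40; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges; the function names are this example's own.

```python
import ipaddress
import socket

# Parent domains Google publishes for its crawlers (Googlebot and the
# AdSense/Mediapartners fetcher): a verified crawler's PTR must sit under one.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def under_domain(hostname, domains):
    """Label-aware suffix test: 'a.googlebot.com' passes, 'evilgooglebot.com'
    and 'googlebot.com.attacker.example' do not."""
    name = hostname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def verify_crawler(ip, reverse_lookup, forward_lookup, domains=GOOGLE_CRAWLER_DOMAINS):
    """Forward-confirmed reverse DNS (FCrDNS).

    reverse_lookup(ip) -> PTR hostname or None; forward_lookup(name) -> list of
    addresses. Returns (ok, reason). The User-Agent string is deliberately not
    an input: anyone can send 'Mediapartners-Google/2.1'.
    """
    try:
        addr = str(ipaddress.ip_address(ip))
    except ValueError:
        return False, f"{ip!r} is not an IP address"
    name = reverse_lookup(addr)
    if not name:
        return False, f"{addr}: no PTR record"
    if not under_domain(name, domains):
        return False, f"{addr}: PTR {name} is not under {', '.join(domains)}"
    forward = {str(ipaddress.ip_address(a)) for a in forward_lookup(name)}
    if addr not in forward:
        return False, f"{addr}: forward lookup of {name} does not return it (forged PTR?)"
    return True, f"{addr} <-> {name}"


# Live resolvers for use on a real host (not touched by the offline check below).
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed DNS answers standing in for a resolver. The PTR for
# 66.249.66.40 follows the crawl-a-b-c-d.googlebot.com pattern and is assumed
# here, not looked up; the other addresses are from documentation ranges.
FAKE_PTR = {
    "66.249.66.40": "crawl-66-249-66-40.googlebot.com",
    "203.0.113.7": "crawl-66-249-66-40.googlebot.com",  # forged in the attacker's own reverse zone
    "203.0.113.8": "crawl-203-0-113-8.googlebot.com.attacker.example",  # lookalike suffix
    "198.51.100.9": "host9.isp.example",  # ordinary client
    # 198.51.100.10 has no PTR at all
}
FAKE_A = {
    "crawl-66-249-66-40.googlebot.com": ["66.249.66.40"],
    "crawl-203-0-113-8.googlebot.com.attacker.example": ["203.0.113.8"],
    "host9.isp.example": ["198.51.100.9"],
}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, [])


def classify(ips, reverse_lookup=fake_reverse, forward_lookup=fake_forward):
    """Map each address to its (ok, reason) verdict."""
    return {ip: verify_crawler(ip, reverse_lookup, forward_lookup) for ip in ips}


if __name__ == "__main__":
    for ip, (ok, why) in classify(list(FAKE_PTR) + ["198.51.100.10"]).items():
        print(f"{'VERIFIED' if ok else 'REJECT  '} {why}")
```

On a live box swap in system_reverse and system_forward; the logic is the same. The forged-PTR case (203.0.113.7) is the one a name-only log line cannot distinguish from the real crawler, and it is why the decision should rest on the confirmed address, never on the User-Agent.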
Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.