Using search engine spiders to bypass a WAF

Disclaimer: This article is original content from the Coisini community and may not be reproduced without permission. https://blog.csdn.net/kclax/article/details/91500251

When writing website firewall rules, most of us do one thing: never block the crawlers of the major search engines (e.g., Google, Bing, Yahoo, Baidu).

So far this has seemed fine, but we occasionally run into something strange that forces a question: what happens if a legitimate search engine robot is used to attack a website? Do we still let such attacks through unimpeded rather than block them?
This actually happened on our website a few days ago. We wanted to start blocking a Google IP address, because requests sent while Google's spider was crawling the site contained SQLi attacks. You read that right: Google's spider really was attacking the site.

The request sent

Everything we found started with a real Google IP address being blocked for SQL injection. Here is the log record (slightly altered to protect the innocent):

66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

We initially thought it was a fake Google bot, but on review we found that the IP really is Google's.
Further investigation found many other similar requests coming from Google IPs.

What actually happened?

Logically, Google has no interest in hacking our website; their automated robot must have been exploited by an attacker.

In the scenario above, the robot is crawling site A. Site A contains many hidden links that send SQLi requests to the target site B. When the Google robot crawls these pages it sees the links and follows them without anyone particularly noticing. In this way the Google robot inadvertently attacks site B. That is simply a fact, but it should give us pause.

Could someone create a lot of malicious links, let the robots visit them, and thereby carry out attacks on other sites?

The robot's covert attack

Let's say there is an attacker called John. Every day John crawls pages and discovers new vulnerabilities. Eventually he has found many vulnerable sites, and it is time to cash in on them. But John is no ordinary hacker: he is very familiar with the computer forensics process and knows that a successful hacker must not leave any traces.

In computer forensics, we review the logs. John certainly knows this. But what if John is careful enough that he is never found?

John now has a list of vulnerabilities, including an SQLi or RFI on site B. John opens his own website A and adds some content that looks good, but he also quietly adds a few links. These links are invisible to ordinary visitors but very attractive to crawlers. Each of them can launch an RFI or SQLi attack just as a browser would, so John can carry out the attack more efficiently without being found.

Perhaps this is just a guess, perhaps not ... what do you think?

We will contact Google about this matter, but we must remember: do not simply add their IPs to a whitelist and let everything from them pass unobstructed.
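The difference between whitelisting crawlers and inspecting them like any other client can be checked against access logs. The following is an added example, not code from the original article: the signature set, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format; the request field may itself contain a double quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Small illustrative signature set (assumption); a real WAF ruleset is far broader.
SQLI_RE = re.compile(
    r"declare\s+@\w+|exec\s*\(|union\s+(all\s+)?select|;\s*drop\s+table", re.I)
# The User-Agent is only a claim, but the article's case involved a genuine crawler IP.
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp|baiduspider", re.I)

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_like_sqli(request):
    # Decode percent-escapes and '+' so encoded payloads reach the signatures.
    return bool(SQLI_RE.search(unquote_plus(request)))

def allowlist_first(entry):
    """Weak policy: anything identifying as a crawler skips inspection."""
    if CRAWLER_RE.search(entry["ua"]):
        return "allow"
    return "block" if looks_like_sqli(entry["request"]) else "allow"

def inspect_first(entry):
    """Corrected policy: every request is inspected, crawler or not."""
    return "block" if looks_like_sqli(entry["request"]) else "allow"

def crawler_delivered_attacks(lines):
    """(ip, request) pairs the weak policy allows but inspection would block."""
    entries = filter(None, map(parse, lines))
    return [(e["ip"], e["request"]) for e in entries
            if allowlist_first(e) == "allow" and inspect_first(e) == "block"]

# Constructed sample log lines (documentation-range IPs, made-up paths and payloads).
SAMPLE = [
    '192.0.2.10 - - [05/Nov/2013:00:28:39 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=%22)%20declare%20@q%20varchar(8000)%20select%20@q%20=%200x00%20exec(@q)%20-- HTTP/1.1" 200 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [05/Nov/2013:00:29:02 -0500] "GET /url.php?variable=1%20union%20select%201,2 HTTP/1.1" 403 310 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, req in crawler_delivered_attacks(SAMPLE):
        print(f"inspection bypassed for crawler {ip}: {req}")
```

Running the same comparison over real logs shows how many requests a crawler exemption is currently letting through uninspected.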
