-3

Today I found this in my server log:

66.249.64.140 crawl-66-249-64-140.googlebot.com [22/Sep/2016:11:23:30 +0300] "GET /C/Users/%EF%BF%BD%C3%8A/Documents/%EF%BF%BD%EF%BF%BD%EF%BF%BD%C3%AF/Documents/26.05.2013/Major%2026.05.2013/Listpub+/No%2012,%20juin%202009 HTTP/1.1" 302 227 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "text/html"

I can't even correctly unescape the coded part of the request... Help, please. What do you think, is it a hacking attempt?

PS. I ported this topic from Stack Overflow by recommendation. Sorry, I didn't know about such gradation of questions here.

  • 3
    What exactly is the problem this is causing? An entry in a log isn't a problem. It's coming from the Google IP address range. It's probably just crawling a link it found somewhere. – Tim Sep 23 '16 at 05:37
  • Tim, so if it's from Google then it's all right because they can just do it? – Uzgraph Sep 23 '16 at 05:55
  • @Uzgraph Do what? – Ryan Babchishin Sep 23 '16 at 05:57
  • Request "C/Users" - system directory. – Uzgraph Sep 23 '16 at 06:03
  • 1
    Why is this titled "hacking attempt"? There is no hacking attempt here. – Michael Hampton Sep 23 '16 at 06:03
  • This is a crawl. If someone can compromise your server by trying random URLs your security needs to be improved. – Tim Sep 23 '16 at 06:04
  • @Uzgraph From the perspective of it being a potential exploit attempt it's not ok based on who does it but it's rather just the kind of background noise you will always have and if your server is not vulnerable to it there's not really much to fix. As for Googlebot making that request, it's almost certainly just a case of it following a link pointing there. – Håkan Lindqvist Sep 23 '16 at 06:04
  • Håkan, in the request there is no referrer! – Uzgraph Sep 23 '16 at 06:06
  • 2
    http://serverfault.com/c:/users/documents/passwords.txt - this is your hack attempt. A link to a non-existent path on your site, somewhere, anywhere on the internet. When Google crawls it they will try to read secret passwords from serverfault. If you click it you will be the hacker. omg omg omg – TessellatingHeckler Sep 23 '16 at 06:09
  • TessellatingHeckler, why did someone do it? Just for fun? – Uzgraph Sep 23 '16 at 06:11
  • @Uzgraph I don't believe Googlebot provides referrer information. – Håkan Lindqvist Sep 23 '16 at 06:14

1 Answer

1

That IP address belongs to google.com. I'm not sure why they are crawling that odd request. Perhaps something on your site?

$ whois 66.249.64.140

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=66.249.64.140?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       66.249.64.0 - 66.249.95.255
CIDR:           66.249.64.0/19
NetName:        GOOGLE
NetHandle:      NET-66-249-64-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Google Inc. (GOGL)
RegDate:        2004-03-05
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-66-249-64-0-1

Even if it was from somewhere else besides a Google IP, I wouldn't be too concerned. Internet facing services get hit by bots/viruses/whatever constantly looking for vulnerabilities (you will see things like this often). Would your web server allow access to files other than what you want it serving?

Ryan Babchishin
  • Ryan, of course it's a Google domain - "crawl-66-249-64-140.googlebot.com" is a hostname lookup. By configuration the server allows only web requests. "C/Users" is of course not allowed because it's not in the web directory! – Uzgraph Sep 23 '16 at 05:52
  • @Uzgraph The point was that it comes from a Google IP, so you know it's Google. You should not be concerned. Or do you think Google is trying to hack you? Why did you ask the question? – Ryan Babchishin Sep 23 '16 at 05:54
  • Because I'm shocked, Ryan. "C\Users" is a Windows user accounts directory. It's a possible security issue! – Uzgraph Sep 23 '16 at 06:01
  • @Uzgraph It is odd, but like Tim said, Google probably just picked that up somewhere. It's harmless.. read my answer about how you'll see actual hack/vulnerability attempts from bots and such constantly... it's normal. This is from Google, there should be no concern since all you have is a simple log entry. – Ryan Babchishin Sep 23 '16 at 06:08
  • Thank you, Ryan. Maybe it's just someone's joke, but a bad one. – Uzgraph Sep 23 '16 at 06:12
  • 1
    @Uzgraph It is only a security issue if **you** have configured the server and application in an insecure manner. – EEAA Sep 23 '16 at 12:08
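
An added example, not part of the original question or answer: it parses the log line from the question, percent-decodes the path, and checks the client address against the CIDR shown in the whois output. The field layout in the regular expression is inferred from this single line and is an assumption, as are the function and variable names.

```python
import ipaddress
import re
from urllib.parse import unquote

# The log entry from the question, copied verbatim.
LOG_LINE = (
    '66.249.64.140 crawl-66-249-64-140.googlebot.com [22/Sep/2016:11:23:30 +0300] '
    '"GET /C/Users/%EF%BF%BD%C3%8A/Documents/%EF%BF%BD%EF%BF%BD%EF%BF%BD%C3%AF/Documents/'
    '26.05.2013/Major%2026.05.2013/Listpub+/No%2012,%20juin%202009 HTTP/1.1" 302 227 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "text/html"'
)
# CIDR taken from the whois output in the answer.
GOOGLE_NET = ipaddress.ip_network("66.249.64.0/19")

# Field layout inferred from this one line (assumption, not a documented format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def analyze(line):
    """Return the facts a responder would want from one access-log entry."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognized log line")
    # Strict decoding: raises if the escapes are not valid UTF-8.
    path = unquote(m["path"], encoding="utf-8", errors="strict")
    return {
        "ip_in_whois_range": ipaddress.ip_address(m["ip"]) in GOOGLE_NET,
        # Suffix of the logged reverse-lookup name; on its own this is only a hint.
        "host_is_googlebot": m["host"].endswith(".googlebot.com"),
        "decoded_path": path,
        # %EF%BF%BD is U+FFFD: the original bytes were lost before the link
        # was ever published, so they cannot be recovered by unescaping.
        "replacement_chars": path.count("\ufffd"),
        "segments": [s for s in path.split("/") if s],
        "status": int(m["status"]),
    }

if __name__ == "__main__":
    for key, value in analyze(LOG_LINE).items():
        print(f"{key}: {value!r}")
```

The four U+FFFD characters explain why the path cannot be unescaped into readable text: whoever produced the link had already replaced the undecodable bytes. A live check would also resolve the logged hostname forward and compare it with the client IP; that lookup is left out so the example runs offline.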