This morning one of our client's servers had the common 'old forum software, easy to hijack' situation exploited. Not that big a deal, our traffic monitors catch it in a minute or 2, a tech has it shut down before any real damage.
What made this morning's incident unique is the attack came from Google's webcrawler bot. This I have not seen before, usually the IPs track back outside the US to the end user or a proxy gateway of sorts somewhere - but the attack was coming in (the attack was generating about 15,000 spams in the mail queue within 30 minutes simply by loading forum topic web pages) simply by accessing a specific page in the forum:
The apache-status on the server showed:
name = crawl-66-249-65-13.googlebot.com.
-0 3994 0/41/41 _ 2.25 6 103 0.0 0.42 0.42 184.108.40.206 **DOMAINNAME*** GET /Forum/viewtopic.php?p=1638&sid=dbbacc1bc506cbb62e57e58292d
1-0 3995 0/26/26 _ 0.84 35 99 0.0 0.44 0.44 220.127.116.11 **DOMAINNAME*** GET /Forum/viewtopic.php?p=1961&sid=0d6e0772e2ccf8004c8da269b71
and about 8 more total of the same thing (pointing at different topic numbers) but all coming in from the same remote ip.
netstat confirmed the sockets, it wasn't some spoof - and traceroutes confirmed the 18 ms ping/traceroute to the datacenter at above.net where google hosts this 'bot server' to crawl the net.
Now my question - has anyone seen this before? Clearly the forum must have been modified previously (hacked to send spam when certain pages get loaded). The hacker then waited some time and tricked google into loading the pages and thus generating the spam(s) - with their remote ip attached to the situation (clever).
Anyone else seen something like this before? It's a first for me - never seen a hacker care enough to try and frame someone like that - no doubt google didn't do anything here except crawl the site - but the hacker no doubt tricked google into doing it so they could remain hidden. The actual 'hack' in the logs came from a proxy server about 24 hours earlier but no spams then were triggered.
It's a first for me, hopefully a last.
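An added example (not code from the poster) of the two checks a tech would want here: pull the client IP and topic id out of mod_status lines in the shape quoted above to see which client is loading many distinct topic pages at once, and confirm a claimed Googlebot IP with forward-confirmed reverse DNS (rDNS name in googlebot.com, and that name resolving back to the same IP). The sample lines and the resolver callables in the test are constructed; the documentation-range IPs are not the ones from the post.

```python
import socket
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the mod_status extended lines quoted above
# (Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request); IPs are documentation ranges.
STATUS_LINES = """\
0-0 3994 0/41/41 _ 2.25 6 103 0.0 0.42 0.42 203.0.113.13 forum.example GET /Forum/viewtopic.php?p=1638&sid=aaa
1-0 3995 0/26/26 _ 0.84 35 99 0.0 0.44 0.44 203.0.113.13 forum.example GET /Forum/viewtopic.php?p=1961&sid=bbb
2-0 3996 0/12/12 W 0.10 2 40 0.0 0.10 0.10 203.0.113.13 forum.example GET /Forum/viewtopic.php?p=2044&sid=ccc
3-0 3997 0/9/9 _ 0.05 60 12 0.0 0.02 0.02 198.51.100.7 forum.example GET /Forum/index.php
4-0 3998 0/3/3 _ 0.01 5 8 0.0 0.01 0.01 198.51.100.7 forum.example GET /Forum/viewtopic.php?p=1638&sid=ddd""".splitlines()


def topics_by_client(lines):
    """Map client IP -> set of topic ids (the p= parameter) it is currently loading."""
    topics = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 14:          # idle or blank slots carry no client/request
            continue
        client, request = fields[10], fields[13]
        parts = urlsplit(request)
        if parts.path.endswith("/viewtopic.php"):
            for p in parse_qs(parts.query).get("p", []):
                topics[client].add(p)
    return topics


def hot_clients(lines, min_topics=3):
    """Clients loading at least min_topics distinct topic pages at once, worst first."""
    ranked = sorted(topics_by_client(lines).items(), key=lambda kv: -len(kv[1]))
    return [(ip, len(t)) for ip, t in ranked if len(t) >= min_topics]


def is_verified_crawler(ip, suffixes=(".googlebot.com",),
                        reverse=lambda ip: socket.gethostbyaddr(ip)[0],
                        forward=lambda name: socket.gethostbyname_ex(name)[2]):
    """Forward-confirmed rDNS: the PTR name must sit in an expected domain and resolve back to ip."""
    try:
        name = reverse(ip).rstrip(".")   # mod_status prints the name with a trailing dot
    except OSError:
        return False
    if not name.lower().endswith(suffixes):
        return False
    try:
        return ip in forward(name)
    except OSError:
        return False
```

A client that passes the crawler check and still tops hot_clients is the pattern described in the post: a legitimate crawler being used to trigger pages that the compromised forum turns into mail.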