Support

Hi Curtis,

First, add Googlebot's IP address to the "Never block these IPs" field in Admin Tools' Configure WAF page. This will prevent Googlebot from being accidentally blocked. Do NOT add this IP to any other whitelist.

Next, please show me the URLs! One uncommon and very tricky hacking method is the attacker filling a page of hack URLs on a page and have Google index the page. The hack URLs are URLs pointing to your site with a known exploit, e.g. SQLi, DFI and so on. Google will index that page and try to follow the links. The idea is that most sites give Googlebot a "free pass" without any security check. So, if Google tries to access the hack URL, the site could be caught off guard and hacked. The only way to know if this is the case here is showing me the URLs in question.

Yes, that's the URL I was talking about. I thought it was truncated. OK, if this is the URL, it's definitely a hacking attempt. The flypage parameter is supposed to point to a PHP file holding the product presentation page and it's set to .. (list the directory above). So, just do what I said above and let Google see a few 403 errors for this URL so that it stops trying to index it.

Ah, regarding your question about GoogleBot's IPs, look here: http://chceme.info/ips/

The attack is simple. I create a page which looks like legitimate content and link to your site. Only the link includes some nefarious query string, designed to (hopefully) hack your site. Then I let Google index my page, e.g. submitting a sitemap. Google will scan my page and try to follow all links, including the ones with the nefarious parts. It's actually very simple. The benefit of this method is twofold:
- You don't now who tried or succeeded to hack you, so you can't block them or easily trace it back to the attacker. Tougher forensics mean less risk of being caught.
- Many sites give Googlebot a "free pass", not enforcing any security checks to traffic generated by GoogleBot. This means that the possibility of the attack being blocked is significantly lower.

Regarding the solution I proposed. Here's what's going on now. If GoogleBot repeatedly triggers exceptions on your site, its IP will be automatically blocked be Admin Tools. You don't want that. You want Googlebot to continue seeing the 403s for the nefarious URLs (so that it will stop trying to index them after a while), but still be able to "see" the rest of your site. That's exactly what my proposed solution does.

Hm, the "Never block these IPs" doesn't support ranges yet. OK, I will be fixing that for the next release. In the meantime, you can't do much. Just wait for these URLs to not be indexed any more :(