Interesting things can be found when browsing thru the webserver logs just for fun ...
218.145.25.14 - - [25/Jul/2003:14:14:04 +0200] "GET /robots.txt HTTP/1.0" 200 86 "-" "GoogleBot"
218.145.25.14 - - [25/Jul/2003:14:14:05 +0200] "GET / HTTP/1.0" 200 10124 "-" "dloader(NaverRobot)/1.5"
218.145.25.14 - - [25/Jul/2003:14:14:07 +0200] "GET /dir/otherpage.htm HTTP/1.0" 200 18775 "-" "dloader(NaverRobot)/1.5"
218.145.25.14 - - [25/Jul/2003:14:14:08 +0200] "GET /dir/otherpage2.htm HTTP/1.0" 301 304 "-" "dloader(NaverRobot)/1.5"
218.145.25.14 - - [25/Jul/2003:14:14:09 +0200] "GET /dir/morepages HTTP/1.0" 200 5109 "-" "dloader(NaverRobot)/1.5"

Is this a Google undercover operation or a pirate?

inetnum: 218.145.25.0 - 218.145.25.255
netname: KORNET-NETINFRA-JUNGANG-KR
descr: CENTRAL DATA COMMUNICATION OFFICE
descr: 128-9 YEUNKEONDONG JONGROKU
descr: SEOUL
descr: 110-460
country: KR

Incidentally, a few hours later another bot showed up with a different IP address but hosted by the same company, this time just running straight into my bot trap:
220.73.165.141 - - [26/Jul/2003:03:45:51 +0200] "GET /robots.txt HTTP/1.0" 200 86 "-" "minibot(NaverRobot)/ 1.0"
220.73.165.141 - - [26/Jul/2003:03:45:51 +0200] "GET / HTTP/1.0" 200 10134 "-" "minibot(NaverRobot)/1.0"
220.73.165.141 - - [26/Jul/2003:03:45:53 +0200] "GET /bottrap/ HTTP/1.0" 200 185 "-" "minibot(NaverRobot)/1.0"

As this got me interested I found another one:
220.73.165.141 - - [11/Jul/2003:20:13:21 +0200] "GET /robots.txt HTTP/1.0" 200 86 "-" "GoogleBot"
220.73.165.141 - - [11/Jul/2003:20:13:22 +0200] "GET / HTTP/1.0" 200 10134 "-" "dloader(NaverRobot)/1.5"
220.73.165.141 - - [11/Jul/2003:20:13:23 +0200] "GET /dir/file.htm HTTP/1.0" 200 18775 "-" "dloader(NaverRobot)/1.5"

This operation looks strange to me.

Regards,
Ralf

cyberkat

New User



joined:July 6, 2003
posts:26
msg #:2
12:51 pm on July 26, 2003 (utc 0)

For almost a year, KORNET IPs have been showing up in my logs with the same spoofing. I just now ban their IP range.
Google normally leaves entries in my logs like the following:
crawler10.googlebot.com - - [24/Jul/2003:09:22:49 -0400] "GET /robots.txt HTTP/1.0" 200 1921 "-" "Googlebot/ 2.1 (+http://www.googlebot.com/bot.html)"
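
The signals described in the posts above (a Googlebot User-Agent on robots.txt followed by a different agent from the same address, a Googlebot claim from a host outside googlebot.com, and a request into the bot trap) can be pulled out of a combined-format log automatically. This is an added Python example, not part of the original thread; the flag names are hypothetical and the `/bottrap/` default is taken from the log excerpt above.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the log excerpts quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def agent_family(agent):
    """Coarse agent family: the text before the first '/', lower-cased."""
    return agent.split("/", 1)[0].strip().lower()

def analyze(lines, trap_prefix="/bottrap/"):
    """Return {host: sorted list of flags} for hosts that show any signal."""
    families = defaultdict(set)
    flags = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        host, path = m["host"], m["path"]
        fam = agent_family(m["agent"])
        families[host].add(fam)
        if path.startswith(trap_prefix):
            flags[host].add("trap-hit")
        # A logged host name under googlebot.com is only a hint; a real check
        # needs a reverse lookup that is confirmed by a forward lookup.
        if fam == "googlebot" and not host.endswith(".googlebot.com"):
            flags[host].add("googlebot-claim-unverified")
    for host, fams in families.items():
        if len(fams) > 1:  # same address, more than one agent family
            flags[host].add("ua-switch")
    return {h: sorted(f) for h, f in flags.items()}

# Sample lines copied from the posts above.
SAMPLE = [
    '218.145.25.14 - - [25/Jul/2003:14:14:04 +0200] "GET /robots.txt HTTP/1.0" 200 86 "-" "GoogleBot"',
    '218.145.25.14 - - [25/Jul/2003:14:14:05 +0200] "GET / HTTP/1.0" 200 10124 "-" "dloader(NaverRobot)/1.5"',
    '220.73.165.141 - - [26/Jul/2003:03:45:51 +0200] "GET /robots.txt HTTP/1.0" 200 86 "-" "minibot(NaverRobot)/ 1.0"',
    '220.73.165.141 - - [26/Jul/2003:03:45:53 +0200] "GET /bottrap/ HTTP/1.0" 200 185 "-" "minibot(NaverRobot)/1.0"',
    'crawler10.googlebot.com - - [24/Jul/2003:09:22:49 -0400] "GET /robots.txt HTTP/1.0" 200 1921 "-" "Googlebot/ 2.1 (+http://www.googlebot.com/bot.html)"',
]

if __name__ == "__main__":
    for host, found in analyze(SAMPLE).items():
        print(host, ", ".join(found))
```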

Conard

Full Member



joined-Mar 14, 2001
posts:260
msg #:3
1:14 pm on July 26, 2003 (utc 0)

This week my personal site was hit big time by this piece of c**p: minibot(NaverRobot)/1.0

The first places it went were all of the directories that are listed in the robots.txt file as off limits.

So cyberkat got a .htaccess code snippet to ban the IP range? Wanna share?

bull

Full Member



joined:June 3, 2002
posts:205
msg #:4
1:40 pm on July 26, 2003 (utc 0)

Wanna share?


yes please. thanks

Romeo

Junior Member



joined:Sept 28, 2002
posts:74
msg #:5
1:46 pm on July 26, 2003 (utc 0)

The following in my .htaccess excludes KORNET's address ranges:

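# reject NaverRobot from KORNET KR, 2003-07-26
# flag requests from the two source ranges seen in the logs
SetEnvIf Remote_Addr "^218\.145\.25\." bad_bot
SetEnvIf Remote_Addr "^220\.73\.165\." bad_bot
# keep the custom 403 page reachable so the error document itself is not denied
SetEnvIf Request_URI "^/403\.shtml$" allowit
Deny from env=bad_bot
Allow from env=allowit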

Regards,
R.

Conard

Full Member



joined-Mar 14, 2001
posts:260
msg #:6
3:57 pm on July 26, 2003 (utc 0)

I use rewrite so this will zap them no matter how they name the first part of the string:

RewriteCond %{HTTP_USER_AGENT} NaverRobot [OR]