Are these strange URLs that are being loaded to access our site hackers or what?

We have noticed lately some strange looking URLs being loaded to access our site in rapid successions of like once per Second, they are like:




Are these URLs being fired by a Hacker trying to engage in MySQL injection type Hack?
or are they legit URLs being fired by search engine spiders?

I ask both possiblity, because the above URLs were fired by ips from Google and Microsoft as well as ips belonging to unkown Hosts from Ukraine, etc.

So what is going on?

Much Thanks

Definitely an attempted SQL injection attack there. :frowning:

Getting them from Google and Microsoft may mean that they’ve indexed a page that features those links, which isn’t good news. You could try googling for those particular links to see if you can find the page(s) that they’re on.

I just googled that and found a russian forum website with lots of ‘hacked’ links on, so yeah - every site linked on that page will end up sending Googlebot to the link as well.

Hi there WorldNews,

If you’d like to see what they’re trying to do, you can use this site to decode the URLs. It will give you a better idea of the attempted exploit.

I’ve written a check for these into my homegrown system to check for common exploit code in the URL’s. for instance “%28select”. When it’s found, it automatically bans the IP for an hour to give the system a break from the often rapid hits from the bot scripts. After an hour, the autoban drops off.

1 Like

Hi Raven,

I Googled the same URLs and I do not find what you did on Google. But I will take your Word that you did. So you definitely think, or say, that these attempts where MySQL injection attempts?

And in the cases where the originating ip address for these was Google or Microsoft, in those case sites on Google or Microsoft?

1st, part of your comment I can buy but the 2nd part hard to fathom!


Hello Swhwim,

1st, thanks for your reply.
So I used that Site you provided to decode the sample URL I provided but the decoded results shown by that site looks a lot like the URL that I enter!

Anyway, so you too are sure and confirming that the URLs are provided are MySQL injection type Hacks?

And what about the fact that some, not all, but some of these URLs are originating from Google and Microsoft ips?

And what are they exactly trying to do where the URLs start like:

and then switch to:

They all have that 999999 in the URLs that they fire by the 100s.


It’s more that because there is a page on the internet that provides SQL injection formatted links to other sites, when Googlebot indexes the page, it will also see those links too. Whenever Googlebot sees a link it doesn’t already know about, it will follow that link to index the new url as well.

That is how I think Googlebot is arriving at your site - somebody posted a link to your site on their web page, which Googlebot saw and thought, aha! I haven’t indexed that url yet, I’ll go look at it next.

Does that make sense?

If you try this search in google, you should get an idea of who’s linking to your site:


(Without the quotes and obviously changing the web address to your own)

Or better still, if you have Googles free webmaster tools (highly recommended), you’ll get better results and a clearer picture.

Without a doubt. You do see the MySQL commands they’re passing in the URL, correct? The union and selects are their attempt to find a way in.

The reason they’re using the 999’s is because they don’t want a legitimate return from the script, so they’re using an ID that will never be matched. They’re only interested in the part of the SQL statement they’re providing.

You’re getting hit tons of times because these scripts just loop through potential exploits hoping to get a promising response, for instance a MySQL error stating that no column named “theirVar” exists, letting them know that the SQL statement was passed unfiltered to the DB. Once that return is recorded by a script, the script kiddie will be notified and he’ll come do some personal work on an attempt to get access.

Finally, Google isn’t trying to hack your site. They follow links around the web and somewhere, someone thought your site looked promising and posted the URLs on a publicly accessible page, which the search engines then followed.


1st part of what you are saying makes sense.
But what does not make sense is why Google or Microsoft are entering these URLs like 600 times within an Hour? Which BTW is the trigger that causes a Code that I have to Block that IP and to infirm us that an IP was blocked for engaging in suspicious acts.
So I can see as you have stated that Google or Microsoft are following a URL they found on another site, but would they do it like 600 times per Hour?


Ah, I missed the numerous iterations part!

I’d be more likely to suspect that the person responsible is spoofing the user agent header in the requests. The numerous iterations are likely scripted to run through a catalogue of generally workable exploits.

If you take a look at your logs, do the ‘Google’ lines include an ip address? (They should)

running dig like this from the command line

dig -x $ip_addy   <- replace $ip_addy with the actual ip address in your logs

should either confirm it is Google, or it’s all hacker related and with spoofed headers too.

Unfortunately, $_SERVER[‘remote_addr’] is easy to spoof as well.

True :frowning:


So I issued the command you suggested and here is the result:

[root@server5 ~]# dig -x

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> -x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


;; Query time: 26 msec
;; WHEN: Wed Apr 1 11:15:01 2015
;; MSG SIZE rcvd: 45

I cannot see anything in there that would indicate one way or another!
FYI: ip is our ISP.

Well, that IP address certainly does seem to belong to Microsoft (despite the lack of a PTR record), so I’d guess the IP addy is indeed being spoofed in light of the fact that the urls in question are most certainly SQL injection attack attempts.

I take it you have tried those URLs on your own site yourself? Hopefully you’ve taken the appropriate steps already to prevent them from working (sanitised input, prepared statements etc)


So we have gotten more of the same URLs being submitted in rapid succession to us, by ip from Google, that is the the URLs are like:



They are coming from ip address of:
which maps to Google in Mountain View, so it must be a legit Google ip.

So again, are these URLs somehow Google trying to do a legit Crawling of our Site?
Or are they attempt at Hacking our Site, which I think they are to a 99% degree by looking at these URLs. But maybe I am wrong.

So what do you think?
Are these Hacks or legit Google crawling?
If they are Hack attempts, how are they coming from Google ip?


Same as before - you can’t trust those IP addresses in your logs to be genuine - the structure of those query strings makes it pretty clearly a hacking attempt.

Presumably you are guarding against such beasts?

Hello RavenVelvet,

1st, yes we are protecting against such beasts. At least I hoppe.

2nd, but these URLs were issued by the ip address listed which ip address is clearly that of Google in Mountain View. To be exact these ip addressed were detected using Php command:

which of course captures the ip address of the source which issued that URL.

So what the HEK is going on?
Is Google trying to HACK us? OTN, we run an alternative People powered search engine to Google, as you can read about it here:

But still cannot fathom that Google is trying to Hack us, and that more logical explanation is somehow someone else is trying to Hack us but how in GODs name are they using the actual ip address of Google servers???

Just because I can send you a letter in an envelope where the return address on the back is quoted as being “Buckingham Palace, London”, it doesn’t mean that the letter came from the Queen. :wink:

Whoever’s hitting your site with these requests are likely spoofing the ip address.

Have a look at this article

Just spotted something…

that last bit: “FrOm+people_ne”…

Does “people_ne” correspond to a table in your db, even if it’s just the start of a table name?

If yes, then it would appear that you are indeed vulnerable to these SQL injection attacks :frowning: That, or they’re good at guessing your table names.


Do you think that as a good defense against all sort such attacks, we should have Code that checks all incoming URLs and if they contain “select+” then it will rejects all such access?
Since all such HACKs as the URLs I have you they all have SeLeCt+ (with variations in case) in them.