Finding Google’s Stealth IPs (Part 2) : Slightly Shady SEO

Finding Google’s Stealth IPs (Part 2)

Ok, so I finally got off my butt and finished part 2 of how to nail down Google’s stealth IPs. Keep in mind, they employ people all over the world to manually check things, but this is a good way to at least make it complicated for them.

Project Files Are Available Here - And Remember to change the SQL Settings in each file, and create the table.

Prequisites(If you Don’t have these, don’t Sweat it. I give my results at the end):

Ranges.txt (Available in the Project Files It’s our list of IP ranges we’re checking)
ips.txt (a dump of all the IP addresses that have accessed your site)
A MySQL Database.
- The Table Architecture is as Follows:
  CREATE TABLE `gip` (
  `id` int(11) NOT NULL auto_increment,
  `min` bigint(60) default NULL,
  `max` bigint(60) default NULL,
  PRIMARY KEY (`id`)
  ) ENGINE=MyISAM AUTO_INCREMENT=84 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
A web server that can access the MySQL Server.

Ok, so you’ve got all that. Time to get scripting.

File 1: sqlInsert.php - Inserts the ranges into our database
<?php
$data=file_get_contents(”./ranges.txt”);
$data=str_replace(”\r”,”",$data);
$spl=explode(”\n”,$data);
$q=”INSERT INTO gip (min,max) VALUES “;
for($i=0; $i<sizeof($spl); $i++)
{
if(strlen($spl[$i])>3)
{
$spl2=explode(”-”,$spl[$i]);//split the IP ranges into min/max values
$min=ip2long($spl2[0]);//convert IP to long
$max=ip2long($spl2[1]);//convert IP to long
if($min===FALSE OR $max===FALSE OR $min==-1 OR $max==-1)//die on failure
{
die(”Error! At index $i”);//Isn’t die such a dramatic sounding function?
}
else
{
$q=$q.” ($min,$max),”;//Append the new min/max onto our query
}
}
}
$q=trim($q,”,”);//Kill the trailing comma
$link=connectToSQL();
$ret=mysql_query($q);
if(mysql_error() OR !$ret)
{
echo mysql_error();
}
else
{
echo “Done!”;
}
mysql_close($link);
function connectToSQL()
{

$server=”localhost”; //CHANGE THIS TO MATCH YOUR SERVER
$user=”root”;//CHANGE THIS TO MATCH YOUR MYSQL SERVER
$dbName=”test”;//CHANGE THIS TO YOUR DB NAME
$link = mysql_connect(’$server:3306′, $user, ”);
if (!$link)
{
die(”Could not connect In Lib: ” . mysql_error());
}
mysql_select_db($dbName, $link) or die(”Could not select database.”);
return($link);
}
function getSafeString($str)
{
return(”‘”.mysql_real_escape_string($str).”‘”);
}
?>

Alright! So now we Have the IP Ranges Inserted into the Database!
Next, we have to find the ips in our database, see if they’re Google in disguise
File 2: sqlChecker.php - Finds, and outputs our IPs. Google.txt will hold our google IPs at the end.
<?php
$data=file_get_contents(”./ips.txt”);
$data=str_replace(”\r”,”",$data);
$spl=explode(”\n”,$data);
$link=connectToSQL();
$handle=fopen(”./google.txt”,”a+”);
$count=0;
for($i=0; $i<sizeof($spl); $i++)
{
if(strlen($spl[$i])>3)
{
$long=ip2long($spl[$i]);
$q=”SELECT id FROM gip WHERE max>$long AND min<$long LIMIT 1″;
$res=mysql_query($q);
if(mysql_error())
{
die(mysql_error());
}
if(mysql_num_rows($res)>0)
{
$row=mysql_fetch_row($res);
echo $spl[$i].” @”.$row[0].”<br>”;
fwrite($handle, $spl[$i].”\r\n”);
}
$count++;
}
}
echo “Executed “.$count.” Queries<br>”;
fclose($handle);
mysql_close($link);
function connectToSQL()
{
$server=”localhost”;//CHANGE THIS TO MATCH YOUR SERVER
$user=”root”;//CHANGE THIS TO MATCH YOUR SERVER
$db=”test”;//CHANGE THIS TO MATCH YOUR SERVER
$pass=”";//CHANGE THIS TO MATCH YOUR SERVER
$link = mysql_connect($server.”:3306″, $user, $pass);
if (!$link)
{
die(”Could not connect In Lib: ” . mysql_error());
}
mysql_select_db($db, $link) or die(”Could not select database.”);
return($link);
}
function getSafeString($str)
{
return(”‘”.mysql_real_escape_string($str).”‘”);
}
?>

Conclusion:
The more IPs the better. Pool IPs with your friends. Your neighbors. That creepy guy in the bathroom. Anyone with a webserver. Mine examined 18322 IPs, and produced the following list.
64.233.178.136
66.249.84.10
72.14.193.1
72.14.193.129
72.14.194.19
72.14.195.30
74.125.16.1
Those IPs have no Reverse DNS entry, and have examined sites I have owned, without announcing themselves w/ a Reverse DNS entry. They also forge their browser(or are used for manual review, and did not forge)

Have fun!

Share and Enjoy(You know you want to): These icons link to social bookmarking sites where readers can share and discover new web pages.

Posted on Wednesday, November 14th, 2007 at 12:09 pm in the category:cloaking, google, programming, scripts, seo. Comment RSS 2.0 feed. Comment it , or trackback this post.

6 Responses to “Finding Google’s Stealth IPs (Part 2)”

5ubliminal says:
November 18th, 2007 at 5:35 pm
Dude … these are all Google’s IPs. whois.arin.net. Check them out
I don’t get it why the effort? Just use arin and query IPs if you really feel like it … Validate each C Class.

If Google is on to you they will catch you with your pants down. For manual reviews I bet they have several proxies around the world. They ARE GOOGLE and can afford sheet!
admin says:
November 18th, 2007 at 6:16 pm
Heh I know. I’m using all of them from whois.arin.net.
And I do the effort, beacause these are potentially automated crawlers, and can still be fooled.
I don’t want to tangle all of google’s IPs, because quite frankly, my database isn’t set up like that, and I find shit like this interesting.

Of course I’ll get caught with my pants down. And I’m sure I’ll eventually die too. But in the same way I’d slow that whole “death” thing down if I had the chance, I slow the “getting caught with my pants down” as much as I can.
Vagif Kuliyev says:
December 27th, 2007 at 4:01 pm
Wait, why don’t you just compare every visitor IP versus all known search engine IP ranges when the visitor is called as part of your cloaking script? Why would you even be backtracking through your IP data to compare? I dont see how you identify new IPs since the ranges are freely available… just block the entire range. Maybe I’m missing something…
peter says:
January 26th, 2008 at 1:39 pm
Hi.

Do you know of any software to see cloaked content of a page using noarchive? Is it possible to see this content in any way?

thanks for a great blog.
admin says:
January 26th, 2008 at 3:01 pm
@peter: Most people make their own cloaking script, so each one is 100% unique in how to break it. There’s no way to see the cloaked content for most though.
Either way, given the fact that I do blackhat/cloaking work, it’s not really in my interests to talk about defeating it too much

Glad you enjoy the blog though!
Dennis says:
January 31st, 2008 at 5:47 pm
I have a question not about stealth IPs but about the ones that are known.

If we get hit by a human Google visitor and we do a whois check and we see that they have the entire range of IPs is there a reason not to add all those IPs to the bot list.

I don’t know why I would want a Google employee or script seeing something different than what the Google bots see. To me that would be a dead give away that cloaking is going on.

As an example Whois shows that Google has the entire range of 74.125.0.0 - 74.125.255.255

That is over 60,000 IPs. Probably the majority are not bots but from your view can you think of any reason why they should see different content than the Google spiders.

Thanks,
Dennis

Slightly Shady SEO | Blackhat is Back, Baby.

Recent Articles

Links

Categories