What do you do if you are being hacked by something coming from a supposedly legitimate IP address such as from Google?

So I don’t know, are they doing, if it is supposed “white hat” stuff, or whatever. It seems like that is an illegal intrusion. They aren’t doing anything after they log in.

You are assuming Google themselves are “attacking” your server, when the reality is Google also provides web hosting and application hosting services to most anyone who pays to use them. So a user using those services could have a script/program in place that is doing the “hacking.”

Doing a reverse DNS record (PTR) lookup on 23.236.57.199 further confirms this idea:

199.57.236.23.bc.googleusercontent.com

You can check this—on your own—from the command line in Mac OS X or Linux like this:

dig -x 23.236.57.199 +nocomments +noquestion +noauthority +noadditional +nostats

And the result I get from the command line in Mac OS X 10.9.5 (Mavericks) is:

; <<>> DiG 9.8.3-P1 <<>> -x 23.236.57.199 +nocomments +noquestion +noauthority +noadditional +nostats
;; global options: +cmd
199.57.236.23.in-addr.arpa. 86400 IN    PTR 199.57.236.23.bc.googleusercontent.com.

Or you could use just +short to truly get only the core response answer like this:

dig -x 23.236.57.199 +short

Which would return:

199.57.236.23.bc.googleusercontent.com.

The base domain name of googleusercontent.com clearly is what it says it is, “Google User Content” which is known to be connected to the Google App Engine “Platform as a Service” product. And that allows any user to create and deploy code in Python, Java, PHP & Go applications to their service.

If you feel these accesses are malicious, you can report suspected abuse to Google directly via this page. Be sure to include your raw log data so Google staff can see exactly what you are seeing.

Past any of that, this Stack Overflow answer explains how one can go about getting a list of IP addresses connected to the googleusercontent.com domain name. Could be useful if you want to filter “Google User Content” accesses from other system accesses.

The following information obtained using the command whois 23.236.57.199 explains what you need to do:

Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:        
Comment:        Please direct all abuse and legal complaints regarding these addresses to the
Comment:        GC Abuse desk ([email protected]).  Complaints sent to 
Comment:        any other POC will be ignored.