OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Turnitinbot exploits webserver vulnerabilities?

From: Keith T. Morgan (keith.morganterradon.com)
Date: Thu May 20 2004 - 15:36:44 CDT

Our IDS picked up this request against one of our webservers and I
couldn't find a reference to it via a quick google search:
 
GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%
9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPe
rpetuoSocorro HTTP/1.0 Host: 216.12.X.X User-Agent:
TurnitinBot/2.0
http://www.turnitin.com/robot/crawlerinfo.html..Accept:
text/html, text/plain, application/pdf
 
Ok, well, yeah, there's a fairly typical code-red type
cmd.exe get thing. No big deal. But it attempts to exploit
(ancient) web-server vulnerabilities and echo this
"MinhaNossaSenhoraDoPerpetuoSocorro" phrase? Why does it
include a url to turnitin.com in the exploit attempt? Have they had an
intrusion?
 
 
siglitehornet:~$ host 64.140.49.68
68.49.140.64.in-addr.arpa domain name pointer cr4.turnitin.com.
siglitehornet:~$ host cr4.turnitin.com
cr4.turnitin.com has address 64.140.49.68
 
Well, the host resolves both ways to cr4.turnitin.com.

From www.turnitin.com/robot/crawlerinfo.html:
 
"Chances are that you are reading this because you found a
reference to this web page from your web server logs. This
reference was left by Turnitin.com's web crawling robot, also
known as TurnitinBot. This robot collects content from the
Internet for the sole purpose of helping educational
institutions prevent plagiarism. In particular, we compare
student papers against the content we find on the Internet to
see if we can find similarities. For more information on this
service, please visit www.turnitin.com"

From www.turnitin.com:

"Recognized worldwide as the standard in online plagiarism
prevention, Turnitin helps educators and students take full
advantage of the Internet's educational potential. Used by
thousands of institutions in over fifty countries, Turnitin's
products promote originality in student work, improve student
writing and research skills, encourage collaborative
learning, and save valuable instructor time."

I fail to see how exploitation of old webserver
vulnerabilities, and the execution of a "boo.bat" file serves
the purposes they're listing above. So exactly what kind of
crawler is this? An exploit crawler? Are we going to see it
hitting SSL sites next? Building a database of vulnerable
servers? Are they running a rudimentary sploitbot?
I emailed them directly but failed to receive a response.
That was last week sometime. Figured I'd give the list a heads-up.

**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040517
----------------------------------------------------------------------------