Turnitinbot exploits webserver vulnerabilities?

From: Keith T. Morgan (keith.morgan_at_terradon.com)
Date: 05/20/04

    Date: Thu, 20 May 2004 16:36:44 -0400
    To: <incidents@securityfocus.com>
    
    

    Our IDS picked up this request against one of our webservers and I
    couldn't find a reference to it via a quick Google search:
     
    GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0
    Host: 216.12.X.X User-Agent: TurnitinBot/2.0
    http://www.turnitin.com/robot/crawlerinfo.html..Accept:
    text/html, text/plain, application/pdf
     
    Ok, well, yeah, there's a fairly typical code-red type
    cmd.exe get thing. No big deal. But it attempts to exploit
    (ancient) web-server vulnerabilities and echo this
    "MinhaNossaSenhoraDoPerpetuoSocorro" phrase? Why does it
    include a URL to turnitin.com in the exploit attempt? Have they had an
    intrusion?
     
     
    siglite@hornet:~$ host 64.140.49.68
    68.49.140.64.in-addr.arpa domain name pointer cr4.turnitin.com.
    siglite@hornet:~$ host cr4.turnitin.com
    cr4.turnitin.com has address 64.140.49.68
     
    Well, the host resolves both ways to cr4.turnitin.com.

    From www.turnitin.com/robot/crawlerinfo.html:
     
    "Chances are that you are reading this because you found a
    reference to this web page from your web server logs. This
    reference was left by Turnitin.com's web crawling robot, also
    known as TurnitinBot. This robot collects content from the
    Internet for the sole purpose of helping educational
    institutions prevent plagiarism. In particular, we compare
    student papers against the content we find on the Internet to
    see if we can find similarities. For more information on this
    service, please visit www.turnitin.com"

    From www.turnitin.com:

    "Recognized worldwide as the standard in online plagiarism
    prevention, Turnitin helps educators and students take full
    advantage of the Internet's educational potential. Used by
    thousands of institutions in over fifty countries, Turnitin's
    products promote originality in student work, improve student
    writing and research skills, encourage collaborative
    learning, and save valuable instructor time."

    I fail to see how exploitation of old webserver
    vulnerabilities, and the execution of a "boo.bat" file serves
    the purposes they're listing above. So exactly what kind of
    crawler is this? An exploit crawler? Are we going to see it
    hitting SSL sites next? Building a database of vulnerable
    servers? Are they running a rudimentary sploitbot?
    I emailed them directly but failed to receive a response.
    That was last week sometime. Figured I'd give the list a heads-up.


  • Next message: Rob Shein: "RE: Turnitinbot exploits webserver vulnerabilities?"
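
Added example, not part of the original post: a Python check that decodes the request target quoted in the message and shows that each %C1%9C is an overlong two-byte UTF-8 form of the backslash, so the folded path climbs out of /scripts and ends at winnt/system32/cmd.exe. The function names are illustrative, and SAMPLE_URI is the post's request target with the mail client's line wraps removed.

```python
from urllib.parse import unquote_to_bytes

# Request target from the post, with the mail client's line wraps removed.
SAMPLE_URI = (
    "/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C"
    "..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro"
)

def fold_overlong(raw: bytes):
    """Fold overlong two-byte UTF-8 (lead 0xC0/0xC1) to ASCII; return (bytes, chars)."""
    out, hits, i = bytearray(), [], 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            code = ((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)  # always < 0x80
            out.append(code)
            hits.append(chr(code))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out), hits

def inspect_uri(uri: str) -> dict:
    """Report what the path means once overlong forms are folded."""
    raw = unquote_to_bytes(uri.partition("?")[0])
    try:
        raw.decode("utf-8")          # a strict decoder rejects overlong forms
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    folded, hits = fold_overlong(raw)
    # Treat backslash and slash alike, as a Windows path resolver would.
    segments = folded.replace(b"\\", b"/").lower().split(b"/")
    depth, escapes_root = 0, False
    for seg in segments:
        if seg == b"..":
            depth -= 1
            escapes_root = escapes_root or depth < 0
        elif seg not in (b"", b"."):
            depth += 1
    return {
        "strict_utf8": strict_ok,
        "overlong_chars": sorted(set(hits)),
        "escapes_root": escapes_root,
        "folded_path": folded.decode("latin-1"),
        "final_segment": segments[-1].decode("latin-1"),
    }
```

A request that fails strict UTF-8 decoding and also escapes the web root after folding is worth alerting on regardless of the User-Agent it presents.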
