Re: Turnitinbot exploits webserver vulnerabilities?

From: Lanny Trager (lanny_at_cybernex.net)
Date: 05/21/04

  • Next message: Patrick Kremer: "Re: Turnitinbot exploits webserver vulnerabilities?"
    To: incidents@securityfocus.com
    Date: Fri, 21 May 2004 10:19:31 -0400
    
    

    On Thursday 20 May 2004 16:36, Keith T. Morgan wrote:
    > Our IDS picked up this request against one of our webservers and I
    > couldn't find a reference to it via a quick Google search:
    >
    > GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%
    > 9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPe
    > rpetuoSocorro HTTP/1.0 Host: 216.12.X.X User-Agent:
    > TurnitinBot/2.0
    > http://www.turnitin.com/robot/crawlerinfo.html..Accept:
    > text/html, text/plain, application/pdf
    >
    > Ok, well, yeah, there's a fairly typical code-red type
    > cmd.exe get thing. No big deal. But it attempts to exploit
    > (ancient) web-server vulnerabilities and echo this
    > "MinhaNossaSenhoraDoPerpetuoSocorro" phrase? Why does it
    > include a URL to turnitin.com in the exploit attempt? Have they had an
    > intrusion?
    >
    >
    > siglite@hornet:~$ host 64.140.49.68
    > 68.49.140.64.in-addr.arpa domain name pointer cr4.turnitin.com.
    > siglite@hornet:~$ host cr4.turnitin.com
    > cr4.turnitin.com has address 64.140.49.68
    >
    > Well, the host resolves both ways to cr4.turnitin.com.
    >
    > From www.turnitin.com/robot/crawlerinfo.html:
    >
    > "Chances are that you are reading this because you found a
    > reference to this web page from your web server logs. This
    > reference was left by Turnitin.com's web crawling robot, also
    > known as TurnitinBot. This robot collects content from the
    > Internet for the sole purpose of helping educational
    > institutions prevent plagiarism. In particular, we compare
    > student papers against the content we find on the Internet to
    > see if we can find similarities. For more information on this
    > service, please visit www.turnitin.com"
    >
    > From www.turnitin.com:
    >
    > "Recognized worldwide as the standard in online plagiarism
    > prevention, Turnitin helps educators and students take full
    > advantage of the Internet's educational potential. Used by
    > thousands of institutions in over fifty countries, Turnitin's
    > products promote originality in student work, improve student
    > writing and research skills, encourage collaborative
    > learning, and save valuable instructor time."
    >
    > I fail to see how exploitation of old webserver
    > vulnerabilities, and the execution of a "boo.bat" file serves
    > the purposes they're listing above. So exactly what kind of
    > crawler is this? An exploit crawler? Are we going to see it
    > hitting SSL sites next? Building a database of vulnerable
    > servers? Are they running a rudimentary sploitbot?
    > I emailed them directly but failed to receive a response.
    > That was last week sometime. Figured I'd give the list a heads-up.
    >
    Keith,

    It looks like you got scanned by a vulnerability scanner called iis_promisc
    v2.0; it can be obtained from SecuriTeam.com.

    If you confine your Google search term to "GET /scripts/boo.bat/" you'll get
    some results. The third result down is a GCIA practical that explains it in
    detail. Click on "View as HTML" for ease and, when you get to the page,
    search it for boo.bat. That should answer everything for you.

    Lanny



