RE: Turnitinbot exploits webserver vulnerabilities?

["Rob Shein" <shoten () starpower net>]

Doing a little digging, I saw this as the whois information for
turnitin.com:

=============================================================
Registrant:
iParadigms Inc. (TURNITIN-DOM)
   1624 Franklin St., Suite 818
   Oakland, CA 94612
   US

   Domain Name: TURNITIN.COM

   Administrative Contact:
      Barrie, John  (JB14996)  jbarrie () IPARADIGMS COM
      iParadigms
      1624 Franklin St. Suite 818
      Oakland, CA 94612
      US
      (510) 287-9727

   Technical Contact:
      Briand, Emmanuel  (EB4361)  ebriand () IPARADIGMS COM
      iParadigms, Inc.
      1624 FRANKLIN ST STE 818
      OAKLAND, CA 94612-2823
      US
      510-287-9729

   Record expires on 25-Jun-2008.
   Record created on 25-Jun-1999.
   Database last updated on 20-May-2004 19:17:51 EDT.

   Domain servers in listed order:

   NS1.IPARADIGMS.COM           64.140.48.2
   NS2.IPARADIGMS.COM           64.140.48.3

=============================================================

Looking at iParadigm's website, the following text describes them:

"iParadigms is a pioneer in the rapidly expanding field of digital
information tracking. The Internet, though an invaluable resource for
services and information, is unfortunately also an unparalleled environment
for all varieties of intellectual property theft. We have developed a suite
of advanced tracking tools to combat the piracy of intellectual property and
ensure the originality of written work. These tools have already been
adopted and successfully implemented for thousands of institutional clients
all over the world."

While I doubt that there are actually thousands of clients, it does seem
that this is more than just some kind of a front for a black hat effort.
Googling "iParadigm" shows turnitin.com as being used by California State
University, among others; a budgeting document of some sort for the purchase
is among the top hits.  

So I can only think of another possibility.  How do you know, aside from the
copious references within the logs themselves, that it actually was one of
turnitin.com's servers that did it?  Did you do a reverse lookup on the
offending host's IP?  What's the IP block allocation?  I'm as curious as you
are at this point.


> -----Original Message-----
> From: Keith T. Morgan [mailto:keith.morgan () terradon com] 
> Sent: Thursday, May 20, 2004 4:37 PM
> To: incidents () securityfocus com
> Subject: Turnitinbot exploits webserver vulnerabilities?
>
>
>
> Our IDS picked up this request against one of our webservers 
> and I couldn't find a reference to it via a quick google search:
>  
> GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%
> 9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPe
> rpetuoSocorro HTTP/1.0 Host: 216.12.X.X  User-Agent: 
> TurnitinBot/2.0 
> http://www.turnitin.com/robot/crawlerinfo.html..Accept: 
> text/html, text/plain, application/pdf
>  
> Ok, well, yeah, there's a fairly typical code-red type 
> cmd.exe get thing.  No big deal.  But it attempts to exploit 
> (ancient) web-server vulnerabilities and echo this 
> "MinhaNossaSenhoraDoPerpetuoSocorro" phrase?  Why does it 
> include a url to turnitin.com in the exploit attempt? Have 
> they had an intrusion?
>  
>  
> siglite@hornet:~$ host 64.140.49.68
> 68.49.140.64.in-addr.arpa domain name pointer 
> cr4.turnitin.com. siglite@hornet:~$ host cr4.turnitin.com 
> cr4.turnitin.com has address 64.140.49.68
>  
> Well, the host resolves both ways to cr4.turnitin.com.
>
> From www.turnitin.com/robot/crawlerinfo.html:
>  
> "Chances are that you are reading this because you found a 
> reference to this web page from your web server logs. This 
> reference was left by Turnitin.com's web crawling robot, also 
> known as TurnitinBot. This robot collects content from the 
> Internet for the sole purpose of helping educational 
> institutions prevent plagiarism. In particular, we compare 
> student papers against the content we find on the Internet to 
> see if we can find similarities. For more information on this 
> service, please visit www.turnitin.com"
>
> From www.turnitin.com:
>
> "Recognized worldwide as the standard in online plagiarism 
> prevention, Turnitin helps educators and students take full 
> advantage of the Internet's educational potential. Used by 
> thousands of institutions in over fifty countries, Turnitin's 
> products promote originality in student work, improve student 
> writing and research skills, encourage collaborative 
> learning, and save valuable instructor time."
>
> I fail to see how exploitation of old webserver 
> vulnerabilities, and the execution of a "boo.bat" file serves 
> the purposes they're listing above.  So exactly what kind of 
> crawler is this?  An exploit crawler?  Are we going to see it 
> hitting SSL sites next?  Building a database of vulnerable 
> servers?  Are they running a rudimentary sploitbot? 
> I emailed them directly but failed to receive a response.  
> That was last week sometime.  Figured I'd give the list a heads-up.
>
>
>
> **************************************************************
> ************************************
> The contents of this email and any attachments are 
> confidential. It is intended for the named recipient(s) only. 
> If you have received this email in error please notify the 
> system manager or  the 
> sender immediately and do not disclose the contents to anyone 
> or make copies.
>
> ** this message has been scanned for viruses, vandals and 
> malicious content **
> **************************************************************
> ************************************
>
> --------------------------------------------------------------
> -------------
> Free 30-day trial: firewall with virus/spam protection, URL 
> filtering, VPN, wireless security
>
> Protect your network against hackers, viruses, spam and other 
> risks with Astaro Security Linux, the comprehensive security 
> solution that combines six applications in one software 
> solution for ease of use and lower total cost of ownership.
>
> Download your free trial at 
> http://www.securityfocus.com/sponsor/Astaro_in> cidents_040517
>
>
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040517
----------------------------------------------------------------------------