Security Incidents mailing list archives
RE: Turnitinbot exploits webserver vulnerabilities?
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 20 May 2004 19:36:34 -0400
Doing a little digging, I saw this as the whois information for turnitin.com:

=============================================================
Registrant:
iParadigms Inc. (TURNITIN-DOM)
1624 Franklin St., Suite 818
Oakland, CA 94612
US

Domain Name: TURNITIN.COM

Administrative Contact:
Barrie, John (JB14996) jbarrie () IPARADIGMS COM
iParadigms
1624 Franklin St. Suite 818
Oakland, CA 94612
US
(510) 287-9727

Technical Contact:
Briand, Emmanuel (EB4361) ebriand () IPARADIGMS COM
iParadigms, Inc.
1624 FRANKLIN ST STE 818
OAKLAND, CA 94612-2823
US
510-287-9729

Record expires on 25-Jun-2008.
Record created on 25-Jun-1999.
Database last updated on 20-May-2004 19:17:51 EDT.

Domain servers in listed order:
NS1.IPARADIGMS.COM 64.140.48.2
NS2.IPARADIGMS.COM 64.140.48.3
=============================================================

Looking at iParadigm's website, the following text describes them:

"iParadigms is a pioneer in the rapidly expanding field of digital information tracking. The Internet, though an invaluable resource for services and information, is unfortunately also an unparalleled environment for all varieties of intellectual property theft. We have developed a suite of advanced tracking tools to combat the piracy of intellectual property and ensure the originality of written work. These tools have already been adopted and successfully implemented for thousands of institutional clients all over the world."

While I doubt that there are actually thousands of clients, it does seem that this is more than just some kind of a front for a black hat effort. Googling "iParadigm" shows turnitin.com as being used by California State University, among others; a budgeting document of some sort for the purchase is among the top hits.

So I can only think of another possibility. How do you know, aside from the copious references within the logs themselves, that it actually was one of turnitin.com's servers that did it? Did you do a reverse lookup on the offending host's IP? What's the IP block allocation? I'm as curious as you are at this point.
-----Original Message-----
From: Keith T. Morgan [mailto:keith.morgan () terradon com]
Sent: Thursday, May 20, 2004 4:37 PM
To: incidents () securityfocus com
Subject: Turnitinbot exploits webserver vulnerabilities?

Our IDS picked up this request against one of our webservers and I couldn't find a reference to it via a quick google search:

GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0
Host: 216.12.X.X
User-Agent: TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html
Accept: text/html, text/plain, application/pdf

Ok, well, yeah, there's a fairly typical code-red type cmd.exe get thing. No big deal. But it attempts to exploit (ancient) web-server vulnerabilities and echo this "MinhaNossaSenhoraDoPerpetuoSocorro" phrase? Why does it include a url to turnitin.com in the exploit attempt? Have they had an intrusion?

siglite@hornet:~$ host 64.140.49.68
68.49.140.64.in-addr.arpa domain name pointer cr4.turnitin.com.
siglite@hornet:~$ host cr4.turnitin.com
cr4.turnitin.com has address 64.140.49.68

Well, the host resolves both ways to cr4.turnitin.com.

From www.turnitin.com/robot/crawlerinfo.html:

"Chances are that you are reading this because you found a reference to this web page from your web server logs. This reference was left by Turnitin.com's web crawling robot, also known as TurnitinBot. This robot collects content from the Internet for the sole purpose of helping educational institutions prevent plagiarism. In particular, we compare student papers against the content we find on the Internet to see if we can find similarities. For more information on this service, please visit www.turnitin.com"

From www.turnitin.com:

"Recognized worldwide as the standard in online plagiarism prevention, Turnitin helps educators and students take full advantage of the Internet's educational potential. Used by thousands of institutions in over fifty countries, Turnitin's products promote originality in student work, improve student writing and research skills, encourage collaborative learning, and save valuable instructor time."

I fail to see how exploitation of old webserver vulnerabilities, and the execution of a "boo.bat" file serves the purposes they're listing above. So exactly what kind of crawler is this? An exploit crawler? Are we going to see it hitting SSL sites next? Building a database of vulnerable servers? Are they running a rudimentary sploitbot?

I emailed them directly but failed to receive a response. That was last week sometime. Figured I'd give the list a heads-up.

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.
Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040517
---------------------------------------------------------------------------
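The two technical questions in this exchange are (a) what the `%C1%9C` request actually does once a lenient server decodes it, and (b) Rob's point that a matching PTR record is not on its own proof that the source was a turnitin.com host. The script below is an added example written for this archive page; it is not code from the thread, from SecurityFocus or from Turnitin/iParadigms. It decodes the request the way the old IIS overlong-UTF-8 bug did (`%C1%9C` is the two-byte overlong form of `0x5C`, a backslash, which Python's strict `unquote()` turns into U+FFFD so a naive `../` rule never fires), then performs a forward-confirmed reverse DNS check with an injectable resolver. The DNS tables are constructed stand-ins so it runs offline: the turnitin entries mirror the `host` output quoted above, and the `192.0.2.7` entry is invented (TEST-NET-1) to show a PTR that does not forward-confirm.

```python
"""Triage the request quoted in this thread: decode the overlong-UTF-8 traversal
as a lenient server would, then forward-confirm the reverse DNS of the source."""
import re
import socket
from urllib.parse import unquote_to_bytes

# Constructed sample input, re-joined from the wrapped request in the post.
SAMPLE_REQUEST_LINE = (
    "GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9C"
    "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0"
)
SAMPLE_USER_AGENT = "TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html"
SAMPLE_SRC_IP = "64.140.49.68"

# Constructed DNS stand-ins so the example runs offline. The turnitin entries
# mirror the `host` output in the post; 192.0.2.7 is invented to show a PTR
# that claims cr4.turnitin.com but does not resolve back to itself.
FAKE_PTR = {"64.140.49.68": "cr4.turnitin.com", "192.0.2.7": "cr4.turnitin.com"}
FAKE_A = {"cr4.turnitin.com": ["64.140.49.68"]}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode one- and two-byte UTF-8, accepting the overlong C0/C1 lead bytes a
    strict decoder rejects. 0xC1 0x9C = 110 00001 / 10 011100 = 0x5C ('\\')."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1  # longer sequences not needed here
    return "".join(out)


TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
CMD_EXE = re.compile(r"/cmd\.exe$", re.I)


def analyze_request(request_line: str) -> dict:
    """Flag overlong-encoded separators, parent-directory traversal and a cmd.exe target."""
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    raw = unquote_to_bytes(path)  # %C1%9C -> b"\xc1\x9c", not U+FFFD
    decoded = lenient_utf8_decode(raw).replace("\\", "/")
    return {
        "method": method,
        "decoded_path": decoded,
        "overlong_separator": b"\xc1\x9c" in raw or b"\xc0\xaf" in raw,
        "traversal": bool(TRAVERSAL.search(decoded)),
        "cmd_exe": bool(CMD_EXE.search(decoded)),
        "query": unquote_to_bytes(query).decode("latin-1").replace("+", " "),
    }


def forward_confirmed_rdns(ip: str, reverse=None, forward=None) -> dict:
    """The PTR zone belongs to whoever holds the address block, so a PTR of
    cr4.turnitin.com proves nothing alone. Resolve that name forward and require
    the original IP to come back. reverse/forward default to real DNS lookups
    and are injectable so the example can run with the constructed tables."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = reverse(ip)
    except (OSError, KeyError):
        return {"ip": ip, "ptr": None, "confirmed": False}
    try:
        addrs = forward(name)
    except (OSError, KeyError):
        addrs = []
    return {"ip": ip, "ptr": name, "confirmed": ip in addrs}


def assess(request_line, user_agent, src_ip, reverse=None, forward=None) -> dict:
    """Is it an exploit attempt, and is the source really in the domain its User-Agent claims?"""
    req = analyze_request(request_line)
    rdns = forward_confirmed_rdns(src_ip, reverse, forward)
    m = re.search(r"https?://([^/\s]+)", user_agent or "")
    claimed = m.group(1).lower() if m else None
    # Crude suffix comparison (www.turnitin.com vs cr4.turnitin.com); not
    # public-suffix aware, but enough for a first triage pass.
    base = claimed[4:] if claimed and claimed.startswith("www.") else claimed
    ptr = (rdns["ptr"] or "").lower()
    same_domain = bool(base and rdns["confirmed"] and (ptr == base or ptr.endswith("." + base)))
    exploit = req["traversal"] and req["cmd_exe"]
    if exploit and same_domain:
        verdict = "exploit attempt from a host verified to be in the claimed crawler's domain"
    elif exploit:
        verdict = "exploit attempt; crawler identity in User-Agent is unverified"
    else:
        verdict = "no exploit pattern"
    return {"request": req, "rdns": rdns, "claimed_domain": claimed, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_REQUEST_LINE, SAMPLE_USER_AGENT, SAMPLE_SRC_IP,
                    reverse=FAKE_PTR.__getitem__, forward=FAKE_A.__getitem__)
    print(result["request"]["decoded_path"])
    print(result["rdns"])
    print(result["verdict"])
```

Run without the `reverse`/`forward` arguments to query real DNS; note that even a forward-confirmed name only tells you the address block's owner published a consistent PTR, which is what Rob's follow-up question about the IP block allocation is getting at.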
Current thread:
- Turnitinbot exploits webserver vulnerabilities? Keith T. Morgan (May 20)
- RE: Turnitinbot exploits webserver vulnerabilities? Rob Shein (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? Patrick Kremer (May 21)
- RE: Turnitinbot exploits webserver vulnerabilities? James C Slora Jr (May 25)
- Re: Turnitinbot exploits webserver vulnerabilities? Patrick Kremer (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? James C. Slora Jr. (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? Lanny Trager (May 21)
- <Possible follow-ups>
- RE: Turnitinbot exploits webserver vulnerabilities? Keith T. Morgan (May 21)
- RE: Turnitinbot exploits webserver vulnerabilities? Rob Shein (May 21)