Security Incidents mailing list archives
Re: Turnitinbot exploits webserver vulnerabilities?
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Fri, 21 May 2004 07:10:54 -0400
Keith T. Morgan wrote Thursday, May 20, 2004 4:36 PM
Our IDS picked up this request against one of our webservers and I couldn't find a reference to it via a quick google search:
GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0
Host: 216.12.X.X
User-Agent: TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html
Accept: text/html, text/plain, application/pdf
Boo.bat does not need to exist on the target - it is just being used as the base for a directory traversal vulnerability. The scanner script that contains the Portuguese string you saw (and the DT probe too) was discussed at incidents.org in 2001 and a few other places and times - search for the string and you'll find plenty of references.

http://seclists.org/incidents/2001/Jul/0014.html

The original vulnerability scanner script:
http://www.securiteam.com/tools/5FP0N0K4AY.html

It looks like someone is abusing a legitimate crawler. Someone might have used the script to generate a public page containing hyperlinks in the format you captured. The crawler visits the hostile page as part of its routine crawlings, then sees the link and goes to check it out, resulting in a probe against your IIS. If your server were vulnerable, the crawler would find the "page" and possibly add it to its cache. The attacker then could use the crawler's search engine to look for hosts that were successfully scanned, and would know who to attack.

I believe turnitin.com is a legitimate service - it might be worthwhile to notify them that their crawler is possibly being abused. Apparently turnitin.com's crawler might not have checks to prevent these scans.
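The probe in the quoted request hides its `..\` traversal behind overlong UTF-8 (`%C1%9C` is a two-byte encoding of the single byte `0x5C`, backslash), which is exactly what an IDS or log review has to undo before the path can be judged. The following detector, added here as an illustration and not code from either poster or from turnitin.com, folds such sequences back to ASCII, resolves `..` segments against the document root, and records whether the requesting agent identifies itself as a crawler so that the operator can be notified as the reply suggests. The log lines, addresses and timestamps it scans are constructed for the example; only the request shape and the TurnitinBot user-agent string come from the thread.

```python
"""Detect directory-traversal probes, including overlong-UTF-8 variants, in
web server access logs, and note when the requesting agent identifies itself
as a crawler (a sign that links planted elsewhere are being relayed to you).
All sample log lines below are constructed for this example."""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Combined-log-format line: src ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path fragments whose appearance after a traversal is worth an alert.
SENSITIVE = ('cmd.exe', 'system32', '/etc/passwd')


def normalize_path(raw: str):
    """Percent-decode the path and fold overlong two-byte UTF-8 sequences
    (lead byte 0xC0 or 0xC1) back to the ASCII byte they encode. A strict
    decoder rejects these, but the probe in the thread relies on a decoder
    that accepted them, so detection must see what such a decoder would see.
    Returns (path with backslashes folded to '/', overlong_seen)."""
    data = unquote_to_bytes(raw)
    fixed = bytearray()
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong = True
            i += 2
        else:
            fixed.append(b)
            i += 1
    text = fixed.decode('utf-8', errors='replace')
    return text.replace('\\', '/'), overlong


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the document root.
    A '..' that stays inside the root (e.g. /docs/../index.html) is not one."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def analyze(line: str) -> Optional[dict]:
    """Classify one access-log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m['target'].split('?', 1)[0]  # drop the query string
    path, overlong = normalize_path(target)
    escape = escapes_root(path)
    sensitive = [s for s in SENSITIVE if s in path.lower()]
    ua = m['ua'].lower()
    return {
        'src': m['src'],
        'path': path,
        'overlong_utf8': overlong,
        'escapes_root': escape,
        'sensitive': sensitive,
        # Self-identified crawlers get tracked separately: if the request is a
        # probe, the crawler's operator should be told rather than just blocked.
        'crawler': ('bot' in ua) or ('crawler' in ua) or ('spider' in ua),
        'flagged': overlong or escape or bool(sensitive),
    }


def scan(lines):
    """Return the analysis of every line that is flagged."""
    results = (analyze(line) for line in lines)
    return [r for r in results if r and r['flagged']]


# Constructed sample lines. The first reproduces the shape of the probe quoted
# in the thread, with the source address replaced by a documentation-range one.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2004:07:10:54 -0400] "GET /scripts/boo.bat/'
    '..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/'
    'cmd.exe?/c+echo+probe HTTP/1.0" 404 0 "-" '
    '"TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html"',
    '203.0.113.7 - - [21/May/2004:07:10:55 -0400] "GET /robots.txt HTTP/1.0" '
    '200 120 "-" "TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html"',
    '198.51.100.9 - - [21/May/2004:08:00:01 -0400] "GET /images/../../../etc/passwd '
    'HTTP/1.1" 403 0 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [21/May/2004:08:00:02 -0400] "GET /docs/../index.html '
    'HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the samples, only the overlong IIS probe and the plain `/etc/passwd` traversal are flagged; the crawler's `robots.txt` fetch and the in-root `/docs/../index.html` are not. The `crawler` field on the first hit is what tells you the request came through a self-identified bot, which is the case where contacting the crawler operator, as the reply recommends, matters more than a firewall rule.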
Current thread:
- Turnitinbot exploits webserver vulnerabilities? Keith T. Morgan (May 20)
- RE: Turnitinbot exploits webserver vulnerabilities? Rob Shein (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? Patrick Kremer (May 21)
- RE: Turnitinbot exploits webserver vulnerabilities? James C Slora Jr (May 25)
- Re: Turnitinbot exploits webserver vulnerabilities? Patrick Kremer (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? James C. Slora Jr. (May 21)
- Re: Turnitinbot exploits webserver vulnerabilities? Lanny Trager (May 21)
- <Possible follow-ups>
- RE: Turnitinbot exploits webserver vulnerabilities? Keith T. Morgan (May 21)
- RE: Turnitinbot exploits webserver vulnerabilities? Rob Shein (May 21)