Security Incidents mailing list archives

Re: Turnitinbot exploits webserver vulnerabilities?


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Fri, 21 May 2004 07:10:54 -0400

Keith T. Morgan wrote Thursday, May 20, 2004 4:36 PM

Our IDS picked up this request against one of our webservers and I
couldn't find a reference to it via a quick google search:

GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0 Host: 216.12.X.X  User-Agent: TurnitinBot/2.0 http://www.turnitin.com/robot/crawlerinfo.html..Accept: text/html, text/plain, application/pdf

Boo.bat does not need to exist on the target - it is just being used as the
base for a directory traversal vulnerability.

The scanner script that contains the Portuguese string you saw (and the DT
probe too) was discussed at incidents.org in 2001 and a few other places and
times - search for the string and you'll find plenty of references.
http://seclists.org/incidents/2001/Jul/0014.html

The original vulnerability scanner script:
http://www.securiteam.com/tools/5FP0N0K4AY.html

It looks like someone is abusing a legitimate crawler. Someone might have
used the script to generate a public page containing hyperlinks in the
format you captured. The crawler visits the hostile page as part of its
routine crawling, then sees the link and goes to check it out, resulting in
a probe against your IIS. If your server were vulnerable, the crawler would
find the "page" and possibly add it to its cache. The attacker then could
use the crawler's search engine to look for hosts that were successfully
scanned, and would know who to attack.

I believe turnitin.com is a legitimate service - it might be worthwhile to
notify them that their crawler is possibly being abused. Apparently
turnitin.com's crawler might not have checks to prevent these scans.
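A defender-side check for the pattern discussed in this post, added here as an example (it is not code from the thread or from the scanner script linked above): it decodes the overlong %C1%9C form the way a lenient decoder would, tests whether the path climbs out of the web root and ends in cmd.exe, and records the User-Agent so the crawler's operator can be notified. The log lines are constructed from the request quoted above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IDS lines: the request quoted in the thread (address masked as posted) and a benign hit.
SAMPLE_REQUESTS = [
    "GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9C"
    "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0"
    " Host: 216.12.X.X  User-Agent: TurnitinBot/2.0",
    "GET /robots.txt HTTP/1.0 Host: 216.12.X.X  User-Agent: TurnitinBot/2.0",
]

def lenient_decode(raw: bytes) -> tuple[str, bool]:
    """Decode like a lenient UTF-8 decoder, accepting overlong two-byte forms such
    as %C1%9C (-> 0x5C, backslash). Returns (text, overlong_form_seen)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            overlong |= cp < 0x80  # two bytes spent encoding an ASCII value
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))  # plain single byte
            i += 1
    return "".join(out), overlong

def analyze_request(line: str) -> dict:
    """Flag a logged request whose decoded path climbs above the web root or
    names cmd.exe, and record the User-Agent of the client that sent it."""
    m = re.match(r"(\S+) (\S+) HTTP/\d\.\d", line)
    if not m:
        raise ValueError("not an HTTP request line")
    path = m.group(2).split("?", 1)[0]        # drop the ?/c+... query string
    decoded, overlong = lenient_decode(unquote_to_bytes(path))
    norm = decoded.replace("\\", "/")         # Windows accepts either separator
    depth, escapes_root = 0, False
    for seg in norm.split("/"):
        if seg == "..":
            depth -= 1
            escapes_root |= depth < 0
        elif seg not in ("", "."):
            depth += 1
    ua = re.search(r"User-Agent:\s*(\S+)", line)
    return {
        "overlong_utf8": overlong,
        "escapes_root": escapes_root,
        "names_cmd_exe": norm.lower().endswith("/cmd.exe"),
        "user_agent": ua.group(1) if ua else None,
    }
```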


