1
bobwva
Protector - absurd number of "reports"
  • 2010/4/30 15:49

  • bobwva

  • Friend of XOOPS

  • Posts: 17

  • Since: 2007/4/1 1


On one of my XOOPS sites, I am getting an absurd number of logged "NullByte" reports (attacks?) - on the order of magnitude of 500-1000 per day:
NullByte Injecting Null-byte '../../../../../../../../../../../../../../../etc/passwd ' found.
or
Injecting Null-byte '../../../../../../../../../../../../../../../proc/self/environ ' found.

In each case, the logged IP addresses seem to originate from outside the US (ARINIC and APNIC)

In lieu of a "browser" the log indicates these attacks are from:
libwww-perl/5.65
libwww-perl/5.79
libwww-perl/5.803
libwww-perl/5.805
libwww-perl/5.808
libwww-perl/5.810
libwww-perl/5.811
libwww-perl/5.812
libwww-perl/5.813
libwww-perl/5.816
libwww-perl/5.820
libwww-perl/5.825
libwww-perl/5.831
libwww-perl/5.834

Are these genuine attacks, or is there a bug somewhere in my software server?


2
Peekay
Re: Protector - absurd number of "reports"
  • 2010/4/30 16:38

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


No, these are genuine attacks from a malicious robot utilising a Perl library script. It's looking for vulnerabilities.

No matter what anyone says about lib perl, I recommend you block it and its troublesome associates in .htaccess:

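RewriteEngine on
Options +FollowSymLinks

# Flag requests whose User-Agent matches any of these names (case-insensitive)
SetEnvIfNoCase user-agent "(libwww-perl|curl|pycurl)" getout
<Limit GET POST>
 Order Allow,Deny
 Allow from all
 # Refuse any request flagged above
 Deny from env=getout
</Limit>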


This will not block robots with spoofed user-agents, but it should reduce the problem dramatically.
A thread is for life. Not just for Christmas.
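
Added example (not part of either post, and not Protector's own detection code): a Python script that tallies null-byte path-traversal probes in an Apache access log by user agent and separates those the SetEnvIfNoCase rule above would match from those it would miss. The log lines, IP addresses and the `page` parameter are constructed, and the Combined Log Format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Same alternation as the SetEnvIfNoCase rule in the post (case-insensitive).
BLOCKED_UA = re.compile(r"(libwww-perl|curl|pycurl)", re.IGNORECASE)
# Assumed Combined Log Format:
# ip ident user [time] "METHOD target proto" status bytes "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

# Constructed sample lines: documentation IP ranges, hypothetical "page" parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2010:15:40:01 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [30/Apr/2010:15:40:02 +0000] "GET /index.php?page=../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [30/Apr/2010:15:41:10 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.0.2.10 - - [30/Apr/2010:15:42:33 +0000] "GET /modules/news/article.php?storyid=12 HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (X11; Linux i686)"',
]

def is_nullbyte_traversal(target):
    """True if the decoded request target holds a NUL byte and a ../ sequence."""
    # Decode twice so double-encoded input (%2500 -> %00 -> NUL) is also caught.
    decoded = unquote(unquote(target)).replace("\\", "/")
    return "\x00" in decoded and "../" in decoded

def triage(lines):
    """Count probes per user agent, split by whether the UA rule would match."""
    blocked, missed = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not is_nullbyte_traversal(m.group(3)):
            continue  # unparsable line or ordinary request
        agent = m.group(5)
        (blocked if BLOCKED_UA.search(agent) else missed)[agent] += 1
    return blocked, missed

if __name__ == "__main__":
    blocked, missed = triage(SAMPLE_LOG)
    print("matched by the user-agent rule:", dict(blocked))
    print("not matched (other or spoofed user agent):", dict(missed))
```

Any entry in the second group is a probe that the user-agent rule lets through to the application, where Protector's input check still has to catch it.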
