On one of my xoops site, I ma getting an absurd number of logged "NullByte" reports (attacks?) - on theorder of magnitude of 500-1000 per day
NullByte Injecting Null-byte '../../../../../../../../../../../../../../../etc/passwd ' found.
or
Injecting Null-byte '../../../../../../../../../../../../../../../proc/self/environ ' found.

In each case, the logged IP addresses seem to originate from outside the US (ARINIC and APNIC)

In lieu of a "browser" the log indicates these attacks are from:
libwww-perl/5.65
libwww-perl/5.79
libwww-perl/5.803
libwww-perl/5.805
libwww-perl/5.808
libwww-perl/5.810
libwww-perl/5.811
libwww-perl/5.812
libwww-perl/5.813
libwww-perl/5.816
libwww-perl/5.820
libwww-perl/5.825
libwww-perl/5.831
libwww-perl/5.834

Are these genuine attacks, or is there a bug somewhere in my software server?

No, these are genuine attacks from a malicious robot utilising a Perl library script. It's looking for vulnerabilities.

No matter what anyone says about lib perl, I recommend you block it and it's troublesome associates in .htaccess:



This will not block robots with spoofed user-agents, but it should reduce the problem dramatically.