Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl

Discussion in 'General Discussion' started by bloatedstoat, Feb 13, 2017.

  1. bloatedstoat

    bloatedstoat Well-Known Member

    Hello,

    Could someone advise what this message means? It appears in
    /usr/local/cpanel/logs/error_log and there are a whole raft of them.

    This is appearing on multiple servers.

    Is it benign?

    Thank you!

    Code:
    [2017-02-14 12:09:31 +1100] warn [cpaneld] (XID tu6qs9) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
     
    #1 bloatedstoat, Feb 13, 2017
    Last edited: Feb 13, 2017
  2. dvk01uk

    dvk01uk Member

    I am also getting this.
    It started on my server on 12 February 22.15 UTC and is intermittent in my logs.
    Code:
    [2017-02-14 11:05:15 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:27 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:32 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:38 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:45 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:50 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:56 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:58 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
       cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
       cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
       cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
       cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    
    It does seem to coincide with what looks like an attack against the server:
    Code:
    - - - [02/14/2017:11:04:54 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:58 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:59 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:03 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    104.237.132.64 - - [02/14/2017:11:05:10 -0000] "\#ST" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:12 -0000] "<soap:Envelope xmlns:xsd="XML Schema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:14 -0000] "nbe" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:15 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:18 -0000] "GET / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:19 -0000] "OPTIONS / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:20 -0000] "OPTIONS / RTSP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:21 -0000] "�(r����|" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:23 -0000] "versionbind" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:25 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:27 -0000] "HELP" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:29 -0000] "SO?G��,�`~�{�Ֆ���<=��(" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:31 -0000] "ieU��ndom1random2random3random4/" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:33 -0000] "qj�n0�k��" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:35 -0000] "��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:37 -0000] "l" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:39 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:39 -0000] "default" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:41 -0000] "0�-c�$" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:43 -0000] "0`�" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:45 -0000] "OPTIONS sip:nm SIP/2.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:46 -0000] "TNMPTNME" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:48 -0000] "�" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:50 -0000] "DmdT��" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:52 -0000] ":/@=/@" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:54 -0000] "�MMS�NSPlayer/9...98; {AA-A-a-AAA-AAAAA}�_" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:56 -0000] "Z6,� :�(CONNECT_DATA=(COMMAND=version))" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:58 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:00 -0000] "GIOP$abcdefget" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:02 -0000] "MQTTbe" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:04 -0000] "�+<M��nonebe" 401 0 "-" "-" "-" "-" 2087
    
     
  3. dvk01uk

    dvk01uk Member

    I have attached the error log & access log that show all the examples. Looks like a new attack and I don't know how they are doing it.

    - Mod Note: Removed No Need For a Zip File Here -
    Please see: Guide To Opening An Effective Forums Thread
     
    #3 dvk01uk, Feb 14, 2017
    Last edited by a moderator: Feb 14, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is a warning message that appears in the cPanel error log when someone tries to utilize an invalid URI to access cPanel. You can reproduce that message by accessing a URL such as:

    Code:
    hxxps://1.2.3.4:2087/cpsess1234567/logout/%0A%22
    You may want to review /usr/local/cpanel/logs/access_log when this happens to verify which IP is making the request to determine if it should be blocked in your firewall.

    Thank you.
     
    bloatedstoat likes this.
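
The check suggested in the reply above, as an added example (not part of the original thread and not cPanel's own tooling): it matches the warning timestamps in error_log against access_log entries on the same service's ports and counts clients whose request line is not well-formed HTTP or carries an encoded NUL, CR or LF. The log lines are constructed in the formats quoted in this thread; the daemon-to-port mapping and the reading of the last access_log field as the local port are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data in the two log formats quoted in this thread.
ERROR_LOG = """\
[2017-02-14 22:05:27 +1100] warn [whostmgrd] (XID aaaaaa) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
[2017-02-14 22:05:32 +1100] warn [whostmgrd] (XID aaaaaa) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
"""
ACCESS_LOG = """\
- - - [02/14/2017:11:05:27 -0000] "-" 301 0 "-" "-" "-" "-" 2082
198.51.100.7 - - [02/14/2017:11:04:00 -0000] "nbe" 401 0 "-" "-" "-" "-" 2087
198.51.100.7 - - [02/14/2017:11:05:27 -0000] "HELP" 401 0 "-" "-" "-" "-" 2087
198.51.100.7 - - [02/14/2017:11:05:29 -0000] "OPTIONS / RTSP/1.0" 401 0 "-" "-" "-" "-" 2087
203.0.113.9 - - [02/14/2017:11:05:30 -0000] "GET / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
192.0.2.44 - - [02/14/2017:11:05:32 -0000] "GET /cpsess1234567/logout/%0A%22 HTTP/1.1" 401 0 "-" "-" "-" "-" 2087
"""

# Daemon tag in error_log -> listening ports (assumed standard cPanel/WHM ports).
PORTS = {"cpaneld": {2082, 2083}, "whostmgrd": {2086, 2087}}
WARN_RE = re.compile(r'^\[([^\]]+)\] warn \[(\w+)\] .*Documents are not permitted')
# Assumption: the last field of each access_log line is the local port.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" \d{3} \S+ (?:"[^"]*" ){4}(\d+)$')
HTTP_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
BAD_ESCAPE_RE = re.compile(r'%0[0ad]', re.I)  # percent-encoded NUL, LF, CR

def is_suspicious(request):
    """True for a non-HTTP request line or one carrying an encoded NUL/CR/LF."""
    return not HTTP_RE.match(request) or bool(BAD_ESCAPE_RE.search(request))

def suspects(error_log, access_log, window=5):
    """Count suspicious requests per client seen within `window` seconds of a warning."""
    warnings = []
    for line in error_log.splitlines():
        if m := WARN_RE.match(line):
            when = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S %z")
            warnings.append((when, PORTS.get(m[2], set())))
    hits, span = Counter(), timedelta(seconds=window)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not is_suspicious(m[3]):
            continue
        # Timezone-aware parsing lets +1100 error_log times match -0000 access_log times.
        when = datetime.strptime(m[2], "%m/%d/%Y:%H:%M:%S %z")
        if any(abs(when - w) <= span and int(m[4]) in ports for w, ports in warnings):
            hits[m[1]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in suspects(ERROR_LOG, ACCESS_LOG).most_common():
        print(ip, n)
```

Point it at the contents of /usr/local/cpanel/logs/error_log and /usr/local/cpanel/logs/access_log; widen `window` if the two logs are written with noticeable skew.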
  5. dvk01uk

    dvk01uk Member

    Seems strange that in nearly 10 years of running cPanel servers, I have never seen this in error logs (or access logs) until 2 days ago. I suppose that I could have been lucky and never had a previous attack, but suddenly to get them over the last 2 days, every few hours, from different IP numbers (all Linode) just seems too much of a coincidence.

    Also only 1 hit in Google for the term "Documents are not permitted to contain null characters, or new lines". I really would have thought that if it was a common attack, Google would have something about it.
     
    #5 dvk01uk, Feb 14, 2017
    Last edited by a moderator: Feb 14, 2017
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There was a recent change with the URI handling with cpsrvd included with cPanel version 60:

    Fixed case CPANEL-7803: Reorganize and rework cpsrvd URI parsing.

    Thank you.
     
    bloatedstoat and dvk01uk like this.