Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl

bloatedstoat

Well-Known Member
Jun 14, 2012
183
24
68
Victoria, Australia
cPanel Access Level
Root Administrator
Hello,

Could someone advise what this message means, it appears in
/usr/local/cpanel/logs/error_log and there are a whole raft of them.

This is appearing on multiple servers.

Is it benign?

Thank you!

Code:
[2017-02-14 12:09:31 +1100] warn [cpaneld] (XID tu6qs9) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
   cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
   cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
   cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
   cpanel::cpsrvd::script() called at cpsrvd.pl line 319
 
Last edited:

dvk01uk

Member
Oct 20, 2007
13
0
51
I am also getting this
it started on my server on 12 February 22.15 UTC and is intermittent in my logs
Code:
2017-02-14 11:05:15 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:27 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:32 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:38 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:45 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:50 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:56 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319

[2017-02-14 11:05:58 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

            cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373

            cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001

            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849

            cpanel::cpsrvd::script() called at cpsrvd.pl line 319
it does seem to coincide with what looks like an attack against the server
Code:
- - - [02/14/2017:11:04:54 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:04:58 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:04:59 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:03 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
104.237.132.64 - - [02/14/2017:11:05:10 -0000] "\#ST" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:12 -0000] "<soap:Envelope xmlns:xsd="XML Schema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:14 -0000] "nbe" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:15 -0000] "" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:18 -0000] "GET / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:19 -0000] "OPTIONS / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:20 -0000] "OPTIONS / RTSP/1.0" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:21 -0000] "�(r����|" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:23 -0000] "versionbind" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:25 -0000] "" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:27 -0000] "HELP" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:29 -0000] "SO?G��,�`~�{�Ֆ���<=��(" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:31 -0000] "ieU��ndom1random2random3random4/" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:33 -0000] "qj�n0�k��" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:35 -0000] "��[email protected]@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:37 -0000] "l" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:39 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:39 -0000] "default" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:41 -0000] "0�-c�$" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:43 -0000] "0`�" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:45 -0000] "OPTIONS sip:nm SIP/2.0" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:46 -0000] "TNMPTNME" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:48 -0000] "�" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:50 -0000] "DmdT��" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:52 -0000] ":/@=/@" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:54 -0000] "�MMS�NSPlayer/9...98; {AA-A-a-AAA-AAAAA}�_" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:56 -0000] "Z6,� :�(CONNECT_DATA=(COMMAND=version))" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:05:58 -0000] "" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:06:00 -0000] "GIOP$abcdefget" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:06:02 -0000] "MQTTbe" 401 0 "-" "-" "-" "-" 2087
104.237.132.64 - - [02/14/2017:11:06:04 -0000] "�+<M��nonebe" 401 0 "-" "-" "-" "-" 2087
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,220
463
Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
Hello,

This is a warning message that appears in the cPanel error log when someone tries to utilize an invalid URI to access cPanel. You can reproduce that message by accessing a URL such as:

Code:
hxxps://1.2.3.4:2087/cpsess1234567/logout/%0A%22
You may want to review /usr/local/cpanel/logs/access_log when this happens to verify which IP is making the request to determine if it should be blocked in your firewall.

Thank you.
 
  • Like
Reactions: bloatedstoat

dvk01uk

Member
Oct 20, 2007
13
0
51
seems strange that in nearly 10 years of running Cpanel servers, I have never seen this in error logs ( or access logs) until 2 days ago. I suppose that I could have been lucky and never had a previous attack, but suddenly to get them over the last 2 days, every few hours, from different IP numbers ( all Linode) just seems to much of a coincidence

Also only 1 hit in google for the term "Documents are not permitted to contain null characters, or new lines" I really would have thought that if it was a common attack, Google would have something about it
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,220
463
seems strange that in nearly 10 years of running Cpanel servers, I have never seen this in error logs ( or access logs) until 2 days ago.
There was a recent change with the URI handling with cpsrvd included with cPanel version 60:

Fixed case CPANEL-7803: Reorganize and rework cpsrvd URI parsing.

Thank you.
 

migandroid

Member
Feb 14, 2020
7
1
3
Portugal
cPanel Access Level
Website Owner
Today i have this error to, i have to take any countermeasures to protect against this?


/usr/local/cpanel/logs/error_log

Use of uninitialized value in index at /usr/local/cpanel/Cpanel/Server/Response.pm line 135.
[2020-03-27 10:13:57 +0000] warn [whostmgrd] (XID gw6h7g) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3209.
cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1745
cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1279
cpanel::cpsrvd::handle_one_connection(6) called at cpsrvd.pl line 1109
cpanel::cpsrvd::script() called at cpsrvd.pl line 429
Use of uninitialized value $document in index at /usr/local/cpanel/Cpanel/Server/Response.pm line 276.



/usr/local/cpanel/logs/access_log

- - - [03/27/2020:10:13:00 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [03/27/2020:10:13:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [03/27/2020:10:13:03 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [03/27/2020:10:13:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
- - - [03/27/2020:10:13:06 -0000] "-" 301 0 "-" "-" "-" "-" 2082
XX.XXX.XX.XXX - - [03/27/2020:10:13:09 -0000] "#ST" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:12 -0000] " n beio" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:14 -0000] " " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:16 -0000] "GET / HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:18 -0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:19 -0000] "OPTIONS / RTSP/1.0" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:20 -0000] " (rþ | " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:22 -0000] " versionbind " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:24 -0000] " " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:26 -0000] "HELP" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:28 -0000] " S O ?G׷º,`~{¹Ֆȷ愛<=ۯ ( " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:30 -0000] " *%ࠠ Cookie: mstshash=beio" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:32 -0000] " i eU§䲡ndom1random2random3random4 / " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:34 -0000] " qjn0k¡¢" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:36 -0000] " ¤ÿSMBr @ @ PC NETWORK PROGRAM 1.0 MICROSOFT NETWORKS 1.03 MICROSOFT NETWORKS 3.0 LANMAN1.0 LM1.2X002 Samba NT LANMAN 1.0 NT LM 0.12 " 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:37 -0000] "l " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:39 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:41 -0000] "default" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:42 -0000] "0 -c $ " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:44 -0000] "0` " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:46 -0000] "OPTIONS sip:nm SIP/2.0" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:47 -0000] "TNMP TNME " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:49 -0000] " ࠠ " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:50 -0000] "DmdT ÿÿ" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:52 -0000] ": / @ = / @ " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:54 -0000] "JRMI K" 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:56 -0000] " ýκ° MMS N S P l a y e r / 9 . . . 9 8 ; { A A - A - a - A A A - A A A A A } ୟ_" 401 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:57 -0000] " Z 6, ÿ : 栠 (CONNECT_DATA=(COMMAND=version))" 401 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:13:59 -0000] " 4 ( ÿ U MSSQLServer H " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:01 -0000] " " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:03 -0000] "GIOP $ abcdef get " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:04 -0000] " +<M ÿÿ none beio " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:06 -0000] " " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:08 -0000] " [email protected] 7 InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe SessionType=Discovery AuthMethod=None " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:10 -0000] " ͠ ANY-SCP FINDSCU 1.2.840.10008.3.1.1.1 . 0 [email protected] 1.2.840.10008.1.2P :Q @ R 1.2.826.0.1.3680043.2.1396.999U CharruaVista" 401 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:11 -0000] " ,'ࠠ Cookie: mstshash=Administrator" 200 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:13 -0000] " " 400 0 "-" "-" "-" "-" 2087
XX.XXX.XX.XXX - - [03/27/2020:10:14:15 -0000] "I20100" 400 0 "-" "-" "-" "-" 2087
127.0.0.1 - - [03/27/2020:10:20:54 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086
127.0.0.1 - - [03/27/2020:10:30:55 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086
127.0.0.1 - - [03/27/2020:10:35:55 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086


 
Thread starter Similar threads Forum Replies Date
M Operating Systems 2