Security Log File Size exceeds 500KB every day

[Steve]

I read a few posts on the forum, but didn’t find an answer.  In the last few months I’ve had to delete my security log file nearly every day, which is extremely tedious as well as concerning.

Many of the entries concern a web font (that is displaying correctly on the page):

>>>>>>>>>>> 403 GET or Other Request Error Logged - March 19, 2013 - 8:55 pm <<<<<<<<<<<
REMOTE_ADDR: 5.26.68.164
Host Name: 5.26.68.164
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //foo.com/2013/02/first-drive-review-volvo-v40-t5-cross-country/
REQUEST_URI: /wp-content/themes/themename/assets/css/fonts/HelveticaNeue.eot?\')%20format(\'eot\'),%20url(\'/wp-content/themes/themename/assets/css/fonts/HelveticaNeue.woff\')%20format(\'woff\'),%20url(\'/wp-content/themes/themename/assets/css/fonts/HelveticaNeue.ttf\')%20format(\'truetype\'),%20url(\'/wp-content/themes/themename/assets/css/fonts/HelveticaNeue.svg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET4.0C)

Others refer to scripts that no longer exist on the server (such as timthumb, which was removed more than a year ago):

>>>>>>>>>>> 403 GET or Other Request Error Logged - March 19, 2013 - 9:21 pm <<<<<<<<<<<
REMOTE_ADDR: 184.106.221.215
Host Name: mail.foo.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/themes/ePhoto/timthumb.php?src=http://www.foo.com/wp-content/uploads/2009/08/DS3_4.jpg&h=167&w=250&zc=1
QUERY_STRING:
HTTP_USER_AGENT: Serf/0.7.2 mod_pagespeed/1.0.22.7-2003

The errors appear random since I have many other web fonts located in the same folder, none of which cause errors.  Also, are there any known issues between BPS and mod_pagespeed?

[AITpro Admin]

Security Log Entry 1:

The first error is caused by 2 coding issues/problems with your Theme and possibly a php directive (php.ini) setting as well.  Both the the rounded brackets “(” and “)” and the single quote ” ‘ ” coding characters are unsafe to use in Query Strings and URI’s.  Since backslashes “\” are showing up in the URI when they should not be then this means that most likely the code was created with the PHP/php.ini magic_quotes_gpc directive turned On on the website/PHP Server where this Theme code was created or this is just a coding mistake in the actual Theme code itself.  The backslashes should NOT be displayed in the outputted URI or Query Strings and are designed to be used for escaping unsafe coding characters – the single quote coding character.

magic_quotes_gpc:  Allow or Disallow magic quotes. A preprocessing feature of PHP where PHP will attempt to escape (slashes) any character sequences in GET, POST, COOKIE and ENV data which might otherwise corrupt data being placed in resources such as databases before making that data available to you. This feature has been deprecated as of PHP 5.3.0 and is scheduled for removal in PHP 6.

You need to contact the author of this Theme and send him/her a link to this Forum Topic.  I do not recommend adding a skip/bypass rule or commenting out some of your BPS security filters because this would leave your website exposed to some very dangerous hacking methods.

Security Log Entry 2:

If the event is being logged then the timthumb.php file exists and is being requested – /wp-content/themes/ePhoto/timthumb.php.  If the file did not exist then you would be seeing a 404 File Not Found logged error and NOT a 403 Forbidden error so the file does exist and is being requested on your website.

I have seen on a couple of Themes where the typical methods of creating skip/bypass rules for the BPS Timthumb and MISC filter does not work correctly for some odd reason.  An alternative method to skip/bypass the timthumb.php file for Themes is to add this skip/bypass rule to BPS Custom Code in the – CUSTOM CODE PLUGIN FIXES text box, save your custom code, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button. In your case it sounds like you are no longer using this Theme on your website and you should just delete the Theme from your website if you are not using it.

# Theme TimThumb skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/themes/add-the-theme-folder-name-here/timthumb\.php(.*)$ [NC]
RewriteRule . - [S=13]

Regarding mod_pagespeed:

No one has ever reported a mod_pagespeed issue/problem so I do not believe that there are any issues/conflicts with BPS and mod_pagespeed.  Since mod_pagespeed focuses more on compression and minifying and BPS htaccess code does not do anything in these areas then there should not be any sort of issues/conflicts.

[Steve]

Thanks very much for your prompt reply.  There is no theme author, I built the site from scratch, so I just need to take a closer look at the way I’ve configured php.ini (although I’ve been running a dozen sites on this server for several years).  I will dig a little deeper and then come back and update this thread with what I find.

The declaration in Log Entry 1 arise from a font-face statement embedded in a css file, although I can’t see why this particular font would cause an error when there are 7 other fonts, declared in the same file (using the same curly brackets and single quote characters) that don’t cause a problem..

magic_quotes_gpc are ‘Off’, which is the way I’ve always run my PHP-based sites.

The timthumb.php issue must be related to pagespeed, since if I grep or try and locate the script it’s no longer in any of the theme folders, but it must still be sitting on the server’s pagespeed cache.  I’ll take a look at how this was configured, because that’s one hell of a long expires header that I really don’t need.

Thanks for all your help so far.

 

[AITpro Admin]

The coding characters – ‘ and ( and )  themselves should not be in that URL String.  I could very easily hack a website (in order to combat your enemy your must know how to use your enemies tools/weapons) if these coding characters were allowed on the site.  😉

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Yep, I believe you are correct about the file being in cache somewhere.  😉

[Steve]

You’ve already been very helpful, so I feel guilty bothering you any further, but just in case you’ve got a few seconds – you say “this means that most likely the code was created with the PHP/php.ini magic_quotes_gpc directive turned On on the website/PHP Server where this Theme code was created”

I’ve been racking my brains trying to figure out what difference this would make.  Surely it ‘only’ matters if the magic_quotes_gpc is switched On or Off on the server where the theme is running?

In the case of this particular issue (Server Log Entry 1), the original font-face declaration is within the theme’s main stylesheet:

@font-face {
font-family: 'vbNEPRbjSP';
src: url('/wp-content/themes/themename/assets/css/fonts/vbNEPRbjSP.eot?') format('eot'), url('/wp-content/themes/themename/assets/css/fonts/vbNEPRbjSP.woff') format('woff'), url('/wp-content/themes/themename/assets/css/fonts/vbNEPRbjSP.ttf') format('truetype'), url('/wp-content/themes/themename/assets/css/fonts/vbNEPRbjSP.svg#webfontbm0eCY9c') format('svg');
font-weight: normal;
font-style: normal;
}

And this is called within header.php by

<link rel="stylesheet" href="/wp-content/themes/themename/style.css" type="text/css" media="screen" />

All pretty standard stuff.  Clearly I need to figure out why escape characters are being added, but magic_quotes_gpc and magic_quotes_runtime are both set to off (which I checked by running phpinfo.php).

I’m sure I’ll figure it out, otherwise let me know if I’m missing something ‘really’ obvious.Thanks

[AITpro Admin]

Yes and No depending on what the code is doing.  Let’s say the code is simply performing some function that has nothing to do with inputting data into a database – no problem will result.  Now let’s say you are doing some coding work on a Server that has magic_quotes_gpc On.  Any code that needs to be escaped will be automatically escaped – still no problem.  Now here is the problem – let’s say you create some code that is inputting data into your database and the backslashes are also inputted into your database tables and someone installs your plugin or theme on a Server that has magic_quotes_gpc turned Off – those backslashes will be outputted in the query and not automatically removed during rendering/outputting.

It is very strange that anything related to CSS is showing up in your error log at all.  BPS does not even look at CSS code because it is pretty much zero risk.  The tags around the CSS code are another case altogether.

Backslashes used to escape coding characters should not be displayed in the outputted/rendered code.  The backslashes should be “invisible” since the job in the case of escaping coding characters with backslashes is to display or process code safely.

I know very little about @font-face so maybe there is something going on that I would not even be aware of.  You should do some research/Google searches regarding @font-face in relation to .htaccess files.

Example:  @font-face .htaccess code problem, etc.

 

[Steve]

Ok, two things I’ve discovered that other users need to bear in mind:

Firstly, my font-face declaration was triggering the 403 error (Security Log Entry 1) for visitors viewing on IE8 browsers.  The correct way to fix this is by using the following construct (exactly):

@font-face {
font-family: 'FontName';
src: url('/wp-content/themes/foo/assets/css/fonts/FontName.eot');
src: url('/wp-content/themes/foo/assets/css/fonts/FontName.eot?#iefix') format('embedded-opentype'),
url('/wp-content/themes/foo/assets/css/fonts/FontName.woff') format('woff'),
url('/wp-content/themes/foo/assets/css/fonts/FontName.ttf') format('truetype'),
url('/wp-content/themes/foo/assets/css/fonts/FontName.svg#FontName') format('svg');
font-weight: normal;
font-style: normal;
}

And Secondly (Security Log Entry 2), there is an issue that occurs when running BPS and mod_pagespeed that will have you chasing your tail – as I’ve been.  It’s not a conflict, but 403 errors are being thrown on the mod_pagespeed cache folder even when the cache entry has been deleted.

Bear with me on this.  Initially I was able to find a cache entry which correlated with the 403 error, so I upgraded mod_pagespeed to the latest version, changed the location of the cache in pagespeed.conf and then deleted (rm -fR) the folder from the server.  That still didn’t work, so I reduced the  ModPagespeedFileCacheCleanIntervalMs setting down to just a few ms and repeated the procedure – shutting down the server in order to delete the cache folder.

Now when I search the server (using ‘locate’), there’s no sign of timthumb.php, but I’m still seeing the following 403 error in my BPS Error Log.

>>>>>>>>>>> 403 GET or Other Request Error Logged - March 22, 2013 - 12:20 pm <<<<<<<<<<<
REMOTE_ADDR: 125.764.763.836
Host Name: mail.foo.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/themes/blackaperture/timthumb.php?src=http://www.foo.com/wp-content/uploads/2009/10/OrangeExchCase-study-1.jpg&w=250&h=167&zc=1&q=95
QUERY_STRING:
HTTP_USER_AGENT: Serf/1.1.0 mod_pagespeed/1.3.25.4-2630

I’ll wait another 24 hours and see if they’re still showing in the log, but I’m absolutely sure the cache entry no longer exists.

Strangely, this and many other 403 errors are from the same remote address – namely my server’s IP address, which leads me to believe that something in the (upgraded) mod_pagespeed configuration is now throwing these errors.

I’m no expert on mod_pagespeed (although maybe I need to try and become one), but anyone who’s running it (along with BPS) may find themselves chasing their tail like I am.

[AITpro Admin]

Ok i just thought of a possible reason why you are getting a 403 error even when this timthumb file does not really exist (if it does not really exist somewhere).   The reason would be this.  Technically you should be seeing a 404 error since the file does not exist, but if the 403 error occurs first since this Request URI is simulating a common RFI hacking method against your website then instead of a 404 error being logged you are seeing a 403 error because this is seen as a hacking attempt/or hacking recon/probing by BPS and it may actually be a random hacker probe/recon.  IP Addresses, Host names and User Agents are all easily faked and also the Referer will sometimes show your own website’s IP, hostname and UA depending on how the recon/probe is done.

Thank you for posting all the other excellent information about font-face and mod_pagespeed.

[Steve]

Thanks, I’ll explore that idea a little further.

Although time consuming, I must add the BPS Log provides an excellent window on server activity and makes it far easier to spot hacking attempts and all the unwelcome bot access which can then be trimmed (or ignored).

Thanks for creating such a great plugin.

[Author]

Posts