403 GET|HEAD Request Security Log error


  • #19530
    John
    Participant

    WORKING WITH: WordPress version: 4.0 & Bulletproof Security Version .51

    I am working on a website which has fetch functionality (like pinterest.com’s add pin functionality) and
    I am getting the following error while fetching a YouTube video:
    mysite.com 403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    [403 GET / HEAD Request: November 26, 2014 - 8:37 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xx.xx.xxx.xxx
    Host Name: xx-xx-xxx-xxx.xxxxxxxxxx.xxxxxx.xxxxxxxxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://mysite.com/itm-settings/
    REQUEST_URI: /itm-settings/?m=bm&imgsrc=%3A%2F%2Fimg.youtube.com%2Fvi%2Fsr8eOeVWK1k%2F0.jpg&source=%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dsr8eOeVWK1k&title=Illustrator%20Tutorial%20-%20Flat%20Design%20Summer%20Wallpaper%20(Google%20Now)%20-%20YouTube&video=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36
    #7296
    silas88
    Participant

    I have finally made my site open to search engine bots and I find that I am getting entries in my bps error log. After reading your readme on the error logs it’s my understanding that the Googlebot entries are information logs rather than being errors. Is that correct? If my understanding is correct I don’t believe I have any problem here, it’s just flagging that Googlebot has been by. I don’t know why I have the entry for /new-slider although I deleted several plugins that I wasn’t using and there were a couple of slider plugins included. Your comments would be greatly appreciated.

    >>>>>>>>>>> 404 GET or Other Request Error Logged - 30 June 2013 - 06:29 <<<<<<<<<<<
    REMOTE_ADDR: 66.249.72.39
    Host Name: crawl-66-249-72-39.googlebot.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 66.249.72.39
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /support/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    
    >>>>>>>>>>> 404 GET or Other Request Error Logged - 30 June 2013 - 21:27 <<<<<<<<<<<
    REMOTE_ADDR: 198.58.XX.XXX
    Host Name: stats.mywebhost.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 198.58.XX.XXX
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /new-slider/
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.5.2; http: //mydomain.com
    
    >>>>>>>>>>> 404 GET or Other Request Error Logged - 30 June 2013 - 22:46 <<<<<<<<<<<
    REMOTE_ADDR: 66.249.72.39
    Host Name: crawl-66-249-72-39.googlebot.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 66.249.72.39
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /sitemmap.xml
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    #7300
    silas88
    Participant

    Hmm, well I just had a look at Google webmaster tools and the 404 error for /support/ is valid as no page existed at the time but there was a link to it in the footer. The /sitemmap.xml is also valid as that’s a typo (two m’s), I think that was an SEO submission from a cpanel tool (Attracta) which was my mistake. So, I’m left with /new-slider/ which is probably due to an old plugin but I’ll keep an eye on that to see if it turns up again in the logs.

    #7310
    AITpro Admin
    Keymaster

    Just in case someone else comes across this Forum topic and is not exactly sure what a 404 HTTP Status Code Response means.
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

    404 Not Found
    The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

    #19533
    AITpro Admin
    Keymaster

    The round bracket code characters ( and ) are being blocked in the Query String.  See this forum topic link below for the solution to whitelist this by adding modified BPS Query String Exploits code to BPS Custom Code and saving that code permanently.
    http://forum.ait-pro.com/forums/topic/mailchimp-tracking-code-causing-403/#post-13778

    #19548
    John
    Participant

    I just updated WordPress to version 4.0.1 & Bulletproof Security Plugin to version .51.3, so can I still use the same steps from the above link?

    #19549
    AITpro Admin
    Keymaster

    Yes.  BPS and BPS Pro are coded to work with WP 4.0, 4.0.1 and WP 4.1, which will be released in a couple to a few weeks.  The BPS Custom Code steps are universal and the basic concept and usage will never change.  BPS htaccess Security filters/code may change in the future and each/every forum topic that has older code is updated with newer code if/when new code/filters are created.  BPS also automatically updates htaccess files/code/filters during BPS upgrades, but does change or alter any Custom Code that you have added.

    #19552
    John
    Participant

    I did steps , 2 & 3 but wondering do I click select wp-admin Folder BulletProof Mode & Activate it? as a last step?  or I shouldn’t do it? I had this message: IMPORTANT! BulletProof Mode for the wp-admin folder MUST also be activated when you have BulletProof Mode activated for the Root folder.

    #19554
    AITpro Admin
    Keymaster

    Yes, do all of the Custom Code setup steps and no, the wp-admin BulletProof message is just a reminder so you can do that additional step, but it is not necessary to do that additional step. The steps are also listed in the Read Me help button on the Custom Code page or you can click the Custom Code video tutorial link to see what to do visually.

    #19556
    John
    Participant

    Yes, I did all custom code setup steps as described. Thank you for your help.

    #19620
    Simone
    Participant

    Hi,

    I receive this error after I click “Save” ….
    “****mysite****.com 403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
    IP Address: 93.**.***.213”
    What is that? … Thank you! 🙂

    #19624
    AITpro Admin
    Keymaster

    Check your BPS Security Log file and post the Security Log entry for that 403 error.

    #20445
    addicted
    Participant

    Should I be worried? Do something?

    BPS SECURITY LOG
    =================
    =================
    
    [403 GET / HEAD Request: 9 januari 2015 - 14:40]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 92.63.87.11
    Host Name: ip87-11.mwtv.lv
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30
    
    [403 GET / HEAD Request: 9 januari 2015 - 14:40]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 92.63.87.11
    Host Name: ip87-11.mwtv.lv
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (X11; CrOS i686 1660.57.0) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.46 Safari/535.19
    
    [403 GET / HEAD Request: 9 januari 2015 - 14:40]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 92.63.87.11
    Host Name: ip87-11.mwtv.lv
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /$wp-content$/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.43 Safari/534.24
    
    [403 GET / HEAD Request: 9 januari 2015 - 14:40]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 92.63.87.11
    Host Name: ip87-11.mwtv.lv
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /$wp-content$/themes/parallelus-mingle/framework/utilities/download/getfile.php?file=../../../../../../wp-config.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.113 Safari/534.30
    
    [403 GET / HEAD Request: 9 januari 2015 - 14:40]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 92.63.87.11
    Host Name: ip87-11.mwtv.lv
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /$wp-content$/themes/parallelus-salutation/framework/utilities/download/getfile.php?file=../../../../../../wp-config.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.65 Safari/535.11
    #20448
    AITpro Admin
    Keymaster

    @ addicted – Those are all blocked hacking recons/probes/attempts so no, nothing to worry about since BPS already blocked them.
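
Added example (not part of any post in this thread, and not BPS code): a short Python triage script for entries in the 403 log layout shown above. It separates requests whose decoded REQUEST_URI carries a ../ sequence aimed at wp-config.php from requests blocked only for round brackets in the query string, and counts both per REMOTE_ADDR. The sample log, its addresses and the theme path are constructed, and the script also decodes percent-encoded traversal, which goes beyond the entries posted here.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the 403 entry layout shown in this thread.
# Addresses are documentation ranges; the theme path is hypothetical.
SAMPLE_LOG = """\
[403 GET / HEAD Request: November 26, 2014 - 8:37 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.10
REQUEST_URI: /itm-settings/?m=bm&title=Summer%20Wallpaper%20(Google%20Now)&video=1

[403 GET / HEAD Request: 9 januari 2015 - 14:40]
Event Code: WPADMIN-SBR
REMOTE_ADDR: 198.51.100.7
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

[403 GET / HEAD Request: 9 januari 2015 - 14:40]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.7
REQUEST_URI: /wp-content/themes/example-theme/getfile.php?file=..%2F..%2F..%2Fwp-config.php
"""

ENTRY_HEADER = re.compile(r"^\[(\d{3}) .*?Request: (.+)\]$")

def parse_entries(text):
    """Split the log into dicts: header fields plus every 'KEY: value' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line.strip())
        if m:
            entries.append({"status": m.group(1), "when": m.group(2)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def classify(entry):
    """Label an entry by what its percent-decoded REQUEST_URI contains."""
    uri = unquote(entry.get("REQUEST_URI", ""))
    if "../" in uri and "wp-config.php" in uri:
        return "traversal-probe"        # ../ sequence aimed at wp-config.php
    if re.search(r"[()]", uri.partition("?")[2]):
        return "parentheses-in-query"   # the blocked-brackets case from post #19533
    return "other"

def summarize(text):
    """Count labels per REMOTE_ADDR so repeated probes from one source stand out."""
    return Counter((e.get("REMOTE_ADDR", ""), classify(e)) for e in parse_entries(text))
```

Entries labelled parentheses-in-query are the ones worth checking against the site's own features before whitelisting anything; traversal-probe entries that repeat from one address match the blocked scans described in the post above.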

    #21001
    Lyle
    Participant

    [Topic has been merged into this relevant Topic]

    Howdy,

    New BPS Free user here.

    As per the title, BPS is doing a fine job of sending the security logs from this hosting account where there was previously a Joomla! 1.5.x install that was compromised. Sucuri did the site clean up and successfully removed the malware and has submitted the request to SiteAdvisor to remove the Blacklisting. I installed the latest WP 4.1 (now updated to 4.1.1) and the latest BPS Free and rebuilt the site. All seemed well until I started receiving the numerous security logs. Checking the hosting account (shared Linux at Go Daddy), I noticed the resources being heavily used (for the low traffic volume this site gets) and the Access Logs were relatively ‘huge’. My question is, is there anything I can set in BPS to stop these requests or is this something that has to be accomplished by another means?

    Here is one of many entries from one of the most recent BPS Security Logs:

    [403 GET / HEAD Request: February 19, 2015 - 8:28 pm]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 178.32.58.65
    Host Name: 178.32.58.65
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=www.soapboxrotations.com
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0

    Cheers!
    Lyle
