403 GET|HEAD Request Security Log error

    #21006
    AITpro Admin
    Keymaster

    It looks like a common Joomla hacker recon/probe/attack trying to exploit that Joomla plugin if it exists.  This is probably a completely random probe/recon/attack.  You can ignore the Security log entry.  If you want to know what a lot of blocked hacking, spamming, bad bots, other deviant stuff is then around 500,000 blocked hacking, spamming, bad bots, other deviant stuff per month logged in the BPS Security Log would be considered a lot.  I believe this forum site gets around 500,000 blocked deviant things logged per month.

    #21442
    WayneM
    Participant

    [Topic has been merged into this relevant Topic]

    Looks like I might need an SBR for the “Event List” plugin https://wordpress.org/plugins/event-list/ Got a 403 error. Trying to add a new event to the event list, when the event has an apostrophe in the name, it returns the 403 error. Here’s the pertinent Security Log entry:

    [403 GET / HEAD Request: March 17, 2015 - 11:13 am]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 72.70.232.170
    Host Name: pool-72-70-232-170.spfdma.east.verizon.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://moosemaplebooks.com/wp-admin/admin.php?page=el_admin_main&action=added&title=Test+Event&id=15
    REQUEST_URI: /wp-admin/admin.php?page=el_admin_main&action=modified&title=Test+Event%5C%27s&id=15
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

    I’m getting more familiar with your great plugin, but still do not feel confident trying to create my own SBRs.
    Thanks again for your plugin and wonderful support.
    -Wayne

    #21448
    AITpro Admin
    Keymaster

    The 403 error is being caused by the URL encoded apostrophe/single quote code character:  %27
    You can either not use apostrophes/single quote code characters in Query Strings or use the Custom Code whitelisting steps in this forum topic to allow/whitelist single quote code characters used in strings/Query Strings:  http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    #21454
    WayneM
    Participant

    Thanks for your reply.

    I did as instructed in the post you linked to. However, when trying to save the Root htaccess custom code, I get a 403 error. I’m wondering if the fix needs to be applied to the wp-admin htaccess instead. My security log indicated “Event Code: WPADMIN-SBR”. Also wondering, is the original error the result of bad plugin coding of the query string? Maybe the Event List plugin author needs to make changes to clean up the query?

    #21462
    AITpro Admin
    Keymaster

    Oops sorry about that.  Yes.  You are correct.  The wp-admin Custom Code solution is here:  http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

    Well personally, technically and using best security practices I would not allow a single quote code character (or the URL encoded %27, which is the same thing) in a Query String if I was the creator of that plugin. By default WordPress strips out single quote code characters from any/all Post or Page URLs|URIs when you save any/all Posts or Pages. And that is exactly what I would do as well if I was the creator of that plugin, but most likely people would complain about that.  So my guess is that apostrophes|single quote code characters are not being stripped out in that plugin for that reason. 😉

    #22697
    Pablo Parrado
    Participant

    Hi,

    I’m having this alert in the security log and if it’s not a big threat I would like to ignore/not-to-log since it comes every day. However there is no web link as shown in the help documentation so I don’t know what to add of the HTTP USER AGENT. Again, if it’s safe to ignore, please let me know how to ignore…

    [Login Form - POST Request Logged: March 11, 2015 - 16:25]
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 178.190.239.25
    Host Name: 178-190-239-25.adsl.highway.telekom.at
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.mywebsiteurl.com/wp-login.php
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4

    #22707
    AITpro Admin
    Keymaster

    @ Pablo Parrado – This is a blocked Spambot or hackerbot login attempt that is being logged in your Security Log.  No further action is required by you.  If you do not want to see Security Log alerts or any other alerts displayed in your Dashboard then turn them off in S-Monitor (see Note below).  The BPS Security Log is the same concept as your Server log.  Things are logged to keep track of what is being blocked in case something legitimate is being blocked – you would want to see a log entry of what is being blocked.

    Note:  This BPS Pro question was posted in the BPS free forum.  BPS free does not have the S-Monitor Alerting Core.

    #23272
    elnaz
    Participant

    I have WP and vBulletin both and all is okay, but one section on the forum, when I click, shows this: 403 Forbidden Error Page If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you. IP Address: xxx.xxx.xxx and its system log from WP:

    [403 GET / HEAD Request: June 12, 2015 9:55 pm]
    Event Code: BFHS – Blocked/Forbidden Hacker or Spammer
    Solution: N/A – Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxxxxxxxxxxxxxxxxxxxx
    Host Name: xxxxxxxxxxxxxxxxxxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 2.147.122.36
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://mysite.com/myqu/forum.php
    REQUEST_URI: /myqu/forumdisplay.php?4-my-Software-(-Paid-)
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36

    #23277
    AITpro Admin
    Keymaster

    Either post a link/URL to the website page that is showing the 403 error or send the link/URL to info at ait-pro dot com.

    #23283
    elnaz
    Participant

    Thanks, I sent an email, please check.

    #23284
    AITpro Admin
    Keymaster

    Oh ok I see the problem:  the round bracket code characters/parenthesis ( and ) in the forum URL|URI:  4-my-Software-(-Paid-) are what are causing the 403 error.  To allow/whitelist round bracket code characters/parenthesis see this forum topic: http://forum.ait-pro.com/forums/topic/allowing-parentheses-in-query-strings/#post-10589

    #23287
    elnaz
    Participant

    Thank you brother, it worked.
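
Added example, not part of the original thread and not BPS code: a Python script that parses Security Log entries in the format posted above and reports which of the characters named in the replies (single quote, parentheses) appear in the URL-decoded query string of each blocked request. The sample entries are constructed from fields shown in the posts, and `SUSPECT_CHARS`, `parse_entries`, `flagged_chars` and `triage` are hypothetical names; the character list is an assumption taken from this thread, not BPS's actual rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: only the characters this thread names as causing the 403s.
# This is not BPS's rule set, which the thread does not reproduce.
SUSPECT_CHARS = {"'": "single quote (%27)", "(": "open parenthesis", ")": "close parenthesis"}

HEADER_RE = re.compile(r"^\[(?P<title>[^\]]+)\]$")

# Constructed sample: entries trimmed to the fields the triage needs.
SAMPLE_LOG = """\
[403 GET / HEAD Request: March 17, 2015 - 11:13 am]
Event Code: WPADMIN-SBR
REQUEST_URI: /wp-admin/admin.php?page=el_admin_main&action=modified&title=Test+Event%5C%27s&id=15

[403 GET / HEAD Request: June 12, 2015 9:55 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REQUEST_URI: /myqu/forumdisplay.php?4-my-Software-(-Paid-)

[Login Form - POST Request Logged: March 11, 2015 - 16:25]
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
QUERY_STRING:
"""

def parse_entries(text):
    """Split a Security Log dump into one dict per bracketed entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"title": m.group("title")}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def flagged_chars(request_uri):
    """Return the suspect characters present in the decoded query part."""
    query = unquote_plus(urlsplit(request_uri).query)
    return [c for c in SUSPECT_CHARS if c in query]

def triage(text):
    """Pair each entry's Event Code with the characters found in its URI."""
    return [(e.get("Event Code", "-"), flagged_chars(e.get("REQUEST_URI", "")))
            for e in parse_entries(text)]
```

An entry that comes back with an empty list, such as the login-form entry, was logged for a reason other than these characters and is not a candidate for a whitelist rule.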
