403 GET|HEAD Request Log Entries
Tagged: 403 error, CAPTCHA, captcha log entries
- This topic has 94 replies, 19 voices, and was last updated 5 years, 7 months ago by
Amit.
AITpro Admin
Keymaster
If you are seeing 403 log entries or CAPTCHA log entries and want to know what they mean then post them in this Forum Topic. Typically most 403 errors will be blocked hacking/recon attempts, blocked spammers, blocked scrapers, etc, but the BPS Security log is also designed to log HTTP website errors as well as blocked hacking attempts, etc.
Krzysztof
Participant
EDIT: This Reply was orphaned and has been restored to this Topic
Both of these are bot probes/recons looking for something. Neither of them are legitimate Requests and they can be ignored as a typical spammer/hacker recon/probe on your website.
Howdy I have received two strange error logs:
>>>>>>>>>>> 403 GET or Other Request Error Logged - 15/07/2013 - 10:58 <<<<<<<<<<<
REMOTE_ADDR: 109.68.166.34
Host Name: server202.engagor.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?p=45327
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 15/07/2013 - 10:58 <<<<<<<<<<<
REMOTE_ADDR: 23.29.122.222
Host Name: 23-29-122-222-customer-incero.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?p=45327
QUERY_STRING:
HTTP_USER_AGENT: MetaURI API/2.0 +metauri.com
AITpro Admin
Keymaster
[post Manually Moved]
I am getting many log entries reporting this error with the Host Name being the same top level domain (sw.biz.rr.com). The only change between these entries is the IP address. Is there anything in BPS to identify the actual request that generated the error?
>>>>>>>>>>> 403 GET or Other Request Error Logged - April 18, 2013 - 12:13 pm <<<<<<<<<<<
REMOTE_ADDR: 97.79.223.52
Host Name: rrcs-97-79-223-52.sw.biz.rr.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT:
AITpro Admin
Keymaster
This is either a spammer or a hacker. If this were a respectable bot or human then the User Agent would not be blank. Since it is blank then this is a spammer or hacker.
You can block or ignore this error log entry. If you want to block this by IP address then you can use IP blocking .htaccess code shown in this Forum link: http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address
AITpro Admin
Keymaster
Email Question: [post Manually Moved]
My log has something like this: Does this mean that someone was searching for an image on Google, went to my site and got a 403 error?
>>>>>>>>>>> 403 GET or Other Request Error Logged - 15/05/2013 - 23:29 <<<<<<<<<<<
REMOTE_ADDR: 83.30.227.10
Host Name: cfz10.neoplus.adsl.tpnet.pl
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https: //www.google.pl/blank.html
REQUEST_URI: /wp-content/uploads/2012/09/NightHawk1.jpg
QUERY_STRING:
HTTP_USER_AGENT: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.15
AITpro Admin
Keymaster
This is a spammer or hacker doing something shady. What gives that away is the Referer entry. blank.html is not a legitimate google.pl file that could actually be a Referer. This was some sort of spoof by 83.30.227.10.
AITpro Admin
Keymaster
[post Manually Moved]
As I understand BPS PRO takes care of people like this? I also have things like this: This google link looks ok – I have even checked it. The picture displays ok in google so the question is why there is an error?
>>>>>>>>>>> 403 GET or Other Request Error Logged - 16/05/2013 - 11:41 <<<<<<<<<<<
REMOTE_ADDR: 85.221.163.243
Host Name: c163-243.icpnet.pl
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.google.pl/search?q=pa%C5%82ac+w+rogalinie&client=ms-android-sonymobile&hl=pl&source=android-launcher-widget&v=141400000&tbm=isch&tbo=u&source=univ&sa=X&ei=fqiUUal6hsG1BpyXgfgN&ved=0CC0QsAQ&biw=320&bih=492&sei=haiUUeXvEMeqtAbjy4HQDA
REQUEST_URI: /wp-content/uploads/2013/04/Palac-w-Rogalinie.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; U; Android 4.0.4; pl-pl; SonyST26i Build/11.0.A.7.5) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
AITpro Admin
Keymaster
I do not see anything in the Query String that is “bad” so my guess is that however this Android device is trying to get your image files is what is triggering the 403 error. The images may still be displayed correctly on the Android device even though a 403 error is being generated due to the GET method that is being used by the Android device. If you want to ignore these errors and not log them then use the Security Log Add User Agents/Bots to Ignore/Not Log tool.
You would use Android as the User Agent to ignore.
AITpro Admin
Keymaster
@ Krzysztof – The first error log entry has a blank User Agent.
This is either a spammer or a hacker. If this were a respectable bot or human then the User Agent would not be blank. Since it is blank then this is a spammer or hacker. You can block or ignore this error log entry. If you want to block this by IP address then you can use IP blocking .htaccess code shown in this Forum link: http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address
The second log entry shows the User Agent as the MetaURI bot, which I believe is related to Amazon. I am not sure if this is a good bot or bad bot and of course the bot / User Agent could be faked. What you should look at is page ID 45327 on your website to see if there is something unusual about that page. Most likely these are just random probes/scans on your website that are being blocked.
AITpro Admin
Keymaster
[post Manually Moved]
The site is generating loads of 403 errors. I have found lots of requests for .zip files that don't exist. Here are some examples: (is it possible that this is malware?)
>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 20:48 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /admin/fckeditor/editor/filemanager/connectors/test.html
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 21:16 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /web.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 21:24 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /web.zip
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 21:32 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /db.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 21:49 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /fdsa.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 21:56 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /fdsa.zip
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 22:21 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /admin.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 22:45 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /data.zip
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 22:53 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /flashfxp.zip
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 23:18 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /site.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 23:26 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /www.surfvarazze.it.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 settembre 2013 - 23:34 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /www.surfvarazze.it.zip
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 3 settembre 2013 - 00:03 <<<<<<<<<<<
REMOTE_ADDR: 113.12.155.218
Host Name: 113.12.155.218
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wwwsurfvarazzeit.zip
QUERY_STRING:
HTTP_USER_AGENT:
thanx for your support
SIMone
AITpro Admin
Keymaster
The first clue that the Requests are bad/malicious activity is that the User Agent string is blank. Any legitimate bot or human will NOT have a blank User Agent string. The IP address is a known Chinese spammer/hacker IP subnet. You do not need to take any action since BPS is already blocking/forbidding whatever this hacker or spammer is doing.
Or you can block this IP address subnet if you want. Here is some experimental code that you can try out. This code is still in the experimental stages so use it cautiously.
http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/
AITpro Admin
Keymaster
Email Question:
Hello, I’m new to BPS and I’m trying to understand how the log file works. I’m trying to decipher what it is telling me and if there are actions I need to take to make my website more secure.
This is one of the logs from the most recent file: So is this a bad entity that is trying to spam me? What actions can I take?
>>>>>>>>>>> 403 GET or Other Request Error Logged - September 19, 2013 - 3:33am <<<<<<<<<<<
REMOTE_ADDR: 72.167.191.6
Host Name: [removed for privacy].secureserver.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /contact.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3
Thank you,
AITpro Admin
Keymaster
This is the Go Daddy Website Protection scanner bot so it is legitimate. I believe it is being blocked because these User Agent security filters block “scan” or “scanner”.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
1. Copy the code below (scan has been removed already from this code below) to this BPS Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: For good measure clear your Browser cache and if you are using a caching plugin clear your caching plugin cache.
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
# END BPSQSE BPS QUERY STRING EXPLOITS
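Why the Go Daddy scanner's User Agent trips the filter, shown as an added example that is not part of the original posts or of BPS itself: the User Agent conditions quoted above are run through Python's re module (an approximation of mod_rewrite's PCRE matching with [NC]), before and after "scan" is removed. The names ua_filter_hits and compare are hypothetical, and the python-requests User Agent is a constructed sample.

```python
import re

# User Agent conditions copied from the thread. [NC] is modelled with
# re.IGNORECASE; mod_rewrite patterns are unanchored, hence re.search.
DEFAULT_UA_CONDS = [
    r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)",
    r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*"""
    r"(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp"
    r"|archiver|loader|email|harvest|extract|grab|miner)",
]
# Custom Code version from the thread, with "scan" removed.
CUSTOM_UA_CONDS = [
    r"(havij|libwww-perl|wget|python|nikto|curl|java|winhttp|clshttp|loader)",
    r"(%0A|%0D|%27|%3C|%3E|%00)",
    r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*"""
    r"(libwww-perl|wget|python|nikto|curl|java|winhttp|HTTrack|clshttp"
    r"|archiver|loader|email|harvest|extract|grab|miner)",
]

# User Agent from the log entry in the thread.
GODADDY_UA = ("Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; "
              "+http://www.websiteprotection.com) Firefox/2.0.0.3")
# Constructed sample: a scripted client that both rule sets still forbid.
SCRIPT_UA = "python-requests/2.31.0"


def ua_filter_hits(user_agent, conditions):
    """Return (condition_index, matched_keyword) for each condition that matches.

    The keywords are plain substrings, so "scan" also matches inside
    "Scanner"; reporting the matched text shows which keyword caused the 403.
    """
    hits = []
    for idx, pattern in enumerate(conditions):
        m = re.search(pattern, user_agent, re.IGNORECASE)
        if m:
            # The last capturing group in each condition is the keyword list.
            hits.append((idx, m.group(m.lastindex)))
    return hits


def compare(user_agent):
    """Evaluate one User Agent against the default and the edited rule set."""
    return {
        "default": ua_filter_hits(user_agent, DEFAULT_UA_CONDS),
        "custom": ua_filter_hits(user_agent, CUSTOM_UA_CONDS),
    }


if __name__ == "__main__":
    for ua in (GODADDY_UA, SCRIPT_UA):
        print(ua)
        print("  ", compare(ua))
```

Running a User Agent from a 403 log entry through compare() before editing Custom Code shows whether the keyword being removed is the one that caused the block.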
jan
Participant
Sorry if this is a stupid question, but I assume that if entries exist in my 403 log, those users got a generic 403 Forbidden message instead of the actual URL they requested? If so, do you have any idea why some of these occur? In many below, the referrer appears to be legit and they asked for legit URLs. I am just worried that legit users are getting errors after I have upped the security on this site. I deleted the lines in the log without ANY content/values:
BPS PRO SECURITY / HTTP ERROR LOG
=================================
=================================

======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 1:30 am =======
REMOTE_ADDR: 64.74.215.113
Host Name: 64.74.215.113
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT: \'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\'

======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 3:40 am =======
REMOTE_ADDR: 67.192.46.7
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 3:42 am =======
REMOTE_ADDR: 67.192.46.8
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 9:33 pm =======
REMOTE_ADDR: 204.236.226.210
Host Name: ec2-204-236-226-210.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-admin
HTTP_USER_AGENT: ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler alexa.com)

======= 403 GET or HEAD Request Error Logged - September 21, 2013 - 1:23 am =======
REMOTE_ADDR: 81.27.127.177
Host Name: host-81-27-127-177.teledata-fttx.de
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-bsi
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0

======= 403 GET or HEAD Request Error Logged - September 21, 2013 - 3:49 pm =======
REMOTE_ADDR: 94.23.45.14
Host Name: ks206255.kimsufi.com
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 3:40 am =======
REMOTE_ADDR: 67.192.46.6
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 3:58 am =======
REMOTE_ADDR: 74.86.112.83
Host Name: hostsrv02.torxmedia.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //uprevent.mckesson.com
REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 4:11 am =======
REMOTE_ADDR: 174.132.33.114
Host Name: 72.21.84ae.static.theplanet.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
HTTP_USER_AGENT: Springy Reference Verifier

======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 9:42 am =======
REMOTE_ADDR: 67.192.46.6
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 2:09 am =======
REMOTE_ADDR: 173.254.28.108
Host Name: just108.justhost.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //haifocus.com
REQUEST_URI: /on-the-cuspstop-bsi/
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:42 am =======
REMOTE_ADDR: 67.192.46.13
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 5:40 am =======
REMOTE_ADDR: 67.192.46.11
Host Name: fw-n01.wc2.dfw1.stabletransit.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.qsource.org
REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:50 pm =======
REMOTE_ADDR: 202.104.149.113
Host Name: 202.104.149.113
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:50 pm =======
REMOTE_ADDR: 202.104.149.113
Host Name: 202.104.149.113
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 9:58 pm =======
REMOTE_ADDR: 173.208.133.226
Host Name: 173.208.133.226
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/user-meta/framework/helper/
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 9:58 pm =======
REMOTE_ADDR: 173.208.133.226
Host Name: 173.208.133.226
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/topquark/lib/js/fancyupload/showcase/batch/
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 12:26 am =======
REMOTE_ADDR: 174.132.16.36
Host Name: springy02.springshare.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 4:07 am =======
REMOTE_ADDR: 5.45.64.228
Host Name: 5.45.64.228
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/uploads/2012/03/Assertion-Content-Call.ppt
HTTP_USER_AGENT: User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am =======
REMOTE_ADDR: 122.183.183.102
Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT: hverify/1.0

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am =======
REMOTE_ADDR: 122.183.183.102
Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide
HTTP_USER_AGENT: hverify/1.0

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:18 am =======
REMOTE_ADDR: 122.183.183.102
Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/
HTTP_USER_AGENT: hverify/1.0

======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 10:18 am =======
REMOTE_ADDR: 174.132.33.114
Host Name: 72.21.84ae.static.theplanet.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
HTTP_USER_AGENT: Springy Reference Verifier
AITpro Admin
Keymaster
Your Topic post has been moved to this relevant Forum Topic regarding what 403 errors mean in general.
All log entries where you see: SERVER_PROTOCOL: HTTP/1.0 and a blank User Agent: HTTP_USER_AGENT: are hackers or spammers. The majority of the other log entries appear to be bots making HEAD Requests. I do not see anything legitimate being blocked in your log entries. The ppt log entry is ok. The ppt is viewable/downloadable, but an additional 403 error will occur when viewing, clicking or downloading Microsoft based docs, ppt, xlt, etc. If you would like to allow this then see this Forum Topic link below.
http://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/#post-2017
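The rules of thumb given in the replies in this thread (a blank User Agent, and HTTP/1.0 together with a blank User Agent) applied to a whole log, as an added example that is not part of the original posts or of BPS itself. It parses both entry layouts quoted above, one field per line or flattened, and groups the flagged requests by REMOTE_ADDR; the function names are hypothetical and SAMPLE_LOG is constructed, using documentation IP ranges.

```python
import re
from collections import defaultdict

# Field labels that appear in the BPS log entries quoted in this thread.
FIELDS = ("REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL", "HTTP_CLIENT_IP",
          "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP",
          "REQUEST_METHOD", "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING",
          "HTTP_USER_AGENT")
LABEL = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, FIELDS)) + r"):")
# Entry banner in both styles seen above: ">>>> ... <<<<" and "==== ... ====".
BANNER = re.compile(
    r"(?:>{5,}|={5,}) *(403 [^<=\n]*?Logged - [^<=\n]*?) *(?:<{5,}|={5,})")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 1 January 2024 - 21:16 <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
Host Name: 192.0.2.10
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /web.rar
QUERY_STRING:
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 1 January 2024 - 21:24 <<<<<<<<<<< REMOTE_ADDR: 192.0.2.10 Host Name: 192.0.2.10 SERVER_PROTOCOL: HTTP/1.1 REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /web.zip QUERY_STRING: HTTP_USER_AGENT:
======= 403 GET or HEAD Request Error Logged - January 2, 2024 - 3:50 pm ======= REMOTE_ADDR: 198.51.100.7 Host Name: 198.51.100.7 SERVER_PROTOCOL: HTTP/1.0 REQUEST_METHOD: GET REQUEST_URI: / HTTP_USER_AGENT:
======= 403 GET or HEAD Request Error Logged - January 2, 2024 - 5:40 pm ======= REMOTE_ADDR: 203.0.113.5 Host Name: host.example.net SERVER_PROTOCOL: HTTP/1.1 REQUEST_METHOD: GET HTTP_REFERER: http: //www.example.org REQUEST_URI: /toolkits-and-resources/ HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
"""


def parse_entries(log_text):
    """Split a BPS 403 log into dicts keyed by field label.

    Values are cut between known labels, so colons inside a Referer or User
    Agent do not break the parse. Header values are client-supplied text and
    should be treated as untrusted.
    """
    parts = BANNER.split(log_text)  # [preamble, title1, body1, title2, ...]
    entries = []
    for title, body in zip(parts[1::2], parts[2::2]):
        entry = {"title": title}
        labels = list(LABEL.finditer(body))
        for cur, nxt in zip(labels, labels[1:] + [None]):
            end = nxt.start() if nxt else len(body)
            entry[cur.group(1)] = body[cur.end():end].strip()
        entries.append(entry)
    return entries


def triage(entry):
    """Reasons taken from the replies in this thread, not a verdict."""
    reasons = []
    if not entry.get("HTTP_USER_AGENT", ""):
        reasons.append("blank User Agent")
        if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
            reasons.append("HTTP/1.0 with blank User Agent")
    return reasons


def flagged_by_ip(entries):
    """Map REMOTE_ADDR to the REQUEST_URI values of entries that triage() flags."""
    grouped = defaultdict(list)
    for entry in entries:
        if triage(entry):
            grouped[entry.get("REMOTE_ADDR", "?")].append(entry.get("REQUEST_URI", ""))
    return dict(grouped)


if __name__ == "__main__":
    for ip, uris in flagged_by_ip(parse_entries(SAMPLE_LOG)).items():
        print(ip, uris)
```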