403 GET|HEAD Request Log Entries


  • This topic has 95 replies, 20 voices, and was last updated 2 months ago by x.
Viewing 15 posts - 1 through 15 (of 96 total)
  • #9268
    AITpro Admin
    Keymaster

    If you are seeing 403 log entries or CAPTCHA log entries and want to know what they mean then post them in this Forum Topic.  Typically most 403 errors will be blocked hacking/recon attempts, blocked spammers, blocked scrapers, etc, but the BPS Security log is also designed to log HTTP website errors as well as blocked hacking attempts, etc.

    #7640
    Krzysztof
    Participant

    EDIT:  This Reply was orphaned and has been restored to this Topic

    Both of these are bot probes/recons looking for something.  Neither of them are legitimate Requests and they can be ignored as a typical spammer/hacker recon/probe on your website.

    Howdy, I have received two strange error logs:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 15/07/2013 - 10:58 <<<<<<<<<<<
    REMOTE_ADDR: 109.68.166.34
    Host Name: server202.engagor.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /?p=45327
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 15/07/2013 - 10:58 <<<<<<<<<<<
    REMOTE_ADDR: 23.29.122.222
    Host Name: 23-29-122-222-customer-incero.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /?p=45327
    QUERY_STRING:
    HTTP_USER_AGENT: MetaURI API/2.0 +metauri.com

    #7667
    AITpro Admin
    Keymaster

    [post Manually Moved]

    I am getting many log entries reporting this error with the Host Name being the same top-level domain (sw.biz.rr.com). The only change between these entries is the IP address. Is there anything in BPS to identify the actual request that generated the error?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - April 18, 2013 - 12:13 pm <<<<<<<<<<<
    REMOTE_ADDR: 97.79.223.52
    Host Name: rrcs-97-79-223-52.sw.biz.rr.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT:

    #7668
    AITpro Admin
    Keymaster

    This is either a spammer or a hacker.  If this were a respectable bot or human then the User Agent would not be blank.  Since it is blank then this is a spammer or hacker.

    You can block or ignore this error log entry.  If you want to block this by IP address then you can use IP blocking .htaccess code shown in this Forum link:  http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address

    #7669
    AITpro Admin
    Keymaster

    Email Question: [post Manually Moved]
    My log has something like this: Does this mean that someone was searching an image on google went to my site and got a 403 error?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 15/05/2013 - 23:29 <<<<<<<<<<<
    REMOTE_ADDR: 83.30.227.10
    Host Name: cfz10.neoplus.adsl.tpnet.pl
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.pl/blank.html
    REQUEST_URI: /wp-content/uploads/2012/09/NightHawk1.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.15

    #7670
    AITpro Admin
    Keymaster

    This is a spammer or hacker doing something shady.  What gives that away is the Referer entry.  blank.html is not a legitimate google.pl file that could actually be a Referer.  This was some sort of spoof by 83.30.227.10.

    #7671
    AITpro Admin
    Keymaster

    [post Manually Moved]

    As I understand it, BPS PRO takes care of people like this? I also have things like this: this Google link looks OK – I have even checked it. The picture displays OK in Google, so the question is why there is an error?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 16/05/2013 - 11:41 <<<<<<<<<<<
    REMOTE_ADDR: 85.221.163.243
    Host Name: c163-243.icpnet.pl
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.google.pl/search?q=pa%C5%82ac+w+rogalinie&client=ms-android-sonymobile&hl=pl&source=android-launcher-widget&v=141400000&tbm=isch&tbo=u&source=univ&sa=X&ei=fqiUUal6hsG1BpyXgfgN&ved=0CC0QsAQ&biw=320&bih=492&sei=haiUUeXvEMeqtAbjy4HQDA
    REQUEST_URI: /wp-content/uploads/2013/04/Palac-w-Rogalinie.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; U; Android 4.0.4; pl-pl; SonyST26i Build/11.0.A.7.5) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

    #7672
    AITpro Admin
    Keymaster

    I do not see anything in the Query String that is “bad”, so my guess is that however this Android device is trying to get your image files is what is triggering the 403 error. The images may still be displayed correctly on the Android device even though a 403 error is being generated due to the GET method that is being used by the Android device. If you want to ignore these errors and not log them then use the Security Log Add User Agents/Bots to Ignore/Not Log tool.

    You would use Android as the User Agent to ignore.

    #7680
    AITpro Admin
    Keymaster

    @ Krzysztof – The first error log entry has a blank User Agent.

    This is either a spammer or a hacker.  If this were a respectable bot or human then the User Agent would not be blank.  Since it is blank then this is a spammer or hacker. You can block or ignore this error log entry.  If you want to block this by IP address then you can use the IP blocking .htaccess code shown in this Forum link:  http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address

    The second log entry shows the User Agent as the MetaURI bot, which I believe is related to Amazon.  I am not sure if this is a good bot or a bad bot, and of course the bot / User Agent could be faked. What you should look at is page ID 45327 on your website to see if there is something unusual about that page.  Most likely these are just random probes/scans on your website that are being blocked.

    #9275
    AITpro Admin
    Keymaster

    [post Manually Moved]

    The site is generating loads of 403 errors. I have found lots of requests for .zip files that don't exist. Here are some examples (could it be malware?):

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 20:48 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /admin/fckeditor/editor/filemanager/connectors/test.html
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:16 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /web.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:24 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /web.zip
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:32 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /db.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:49 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /fdsa.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:56 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /fdsa.zip
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 22:21 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /admin.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 22:45 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /data.zip
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 22:53 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /flashfxp.zip
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 23:18 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /site.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 23:26 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /www.surfvarazze.it.rar
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 23:34 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /www.surfvarazze.it.zip
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 3 September 2013 - 00:03 <<<<<<<<<<<
    REMOTE_ADDR: 113.12.155.218
    Host Name: 113.12.155.218
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wwwsurfvarazzeit.zip
    QUERY_STRING:
    HTTP_USER_AGENT:

    Thanks for your support,
    SIMone

    #9280
    AITpro Admin
    Keymaster

    The first clue that the Requests are bad/malicious activity is that the User Agent string is blank.  Any legitimate bot or human will NOT have a blank User Agent string.  The IP address is a known Chinese spammer/hacker IP subnet.  You do not need to take any action since BPS is already blocking/forbidding whatever this hacker or spammer is doing.

    Or you can block this IP address subnet if you want.  Here is some experimental code that you can try out.  This code is still in the experimental stages so use it cautiously.
    http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/

    #9936
    AITpro Admin
    Keymaster

    Email Question:

    Hello, I’m new to BPS and I’m trying to understand how the log file works. I’m trying to decipher what it is telling me and if there are actions I need to take to make my website more secure.
    This is one of the logs from most recent file: So is this a bad entity that is trying to spam me? What actions can I take?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - September 19, 2013 - 3:33am <<<<<<<<<<<
    REMOTE_ADDR: 72.167.191.6
    Host Name: [removed for privacy].secureserver.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /contact.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3

    Thank you,

    #9937
    AITpro Admin
    Keymaster

    This is the Go Daddy Website Protection scanner bot so it is legitimate.  I believe it is being blocked because these User Agent security filters block “scan” or “scanner”.

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] 
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

    1. Copy the code below (scan has already been removed from the code below) to this BPS Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note: For good measure, clear your Browser cache and, if you are using a caching plugin, clear your caching plugin cache.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE BPS QUERY STRING EXPLOITS
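The following is an added example and not code from BPS or from this forum. It pastes the two User Agent RewriteCond patterns quoted in the post above into Python regexes so a rule change can be checked against sample User Agent strings offline before the Root .htaccess is activated. Apache's [NC] flag corresponds to re.IGNORECASE, and because mod_rewrite tests the raw header value, tokens such as %27 match literal text in both places. The Go Daddy User Agent is the one from the log entry above; the other User Agent strings are constructed for the example, and the rule names are labels chosen here, not BPS names.

```python
"""Check BPS User Agent filter rules against sample User Agents before activating them.

Added example, not BPS code. The patterns are the RewriteCond regexes quoted in
the post; Apache's [NC] is re.IGNORECASE and the raw header is matched, so the
%xx tokens match literal text here exactly as they do in mod_rewrite.
"""
import re

# The two User Agent conditions quoted in the post, with "scan" still included.
ORIGINAL_RULES = {
    "ua-blacklist": r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)",
    "ua-injection": r"(;|<|>|'|\"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)",
}

# The Custom Code version from the post: "scan" removed from both rules, control-char rule kept.
REVISED_RULES = {
    "ua-blacklist": r"(havij|libwww-perl|wget|python|nikto|curl|java|winhttp|clshttp|loader)",
    "ua-control-chars": r"(%0A|%0D|%27|%3C|%3E|%00)",
    "ua-injection": r"(;|<|>|'|\"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)",
}

# The Go Daddy Website Protection scanner string from the log entry in the post.
GODADDY_UA = ("Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; "
              "+http://www.websiteprotection.com) Firefox/2.0.0.3")

# Constructed sample User Agents (the quoted one mirrors the \'...\' entry in jan's log).
SAMPLE_UAS = {
    "godaddy scanner": GODADDY_UA,
    "desktop firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:117.0) Gecko/20100101 Firefox/117.0",
    "python client": "python-requests/2.31.0",
    "keyword after paren": "Mozilla/5.0 (Windows NT 10.0) extract-tool/1.0",
    "quoted ua from log": "\\'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\\'",
}


def first_match(user_agent, rules):
    """Name of the first rule that would forbid this UA, or None.

    The RewriteConds are joined with [OR], so any single hit produces the 403.
    """
    for name, pattern in rules.items():
        if re.search(pattern, user_agent, re.IGNORECASE):
            return name
    return None


def compare(uas, before, after):
    """Map each label to (rule hit before the change, rule hit after the change)."""
    return {label: (first_match(ua, before), first_match(ua, after))
            for label, ua in uas.items()}


if __name__ == "__main__":
    for label, (before, after) in compare(SAMPLE_UAS, ORIGINAL_RULES, REVISED_RULES).items():
        print(f"{label:22} original={before!s:16} revised={after}")
```

The comparison shows why the post removes only the `scan` token: the substring matches "Scanner" in the Go Daddy string, while the other tokens still catch `python-requests` and a User Agent that puts a keyword after a parenthesis. It also shows that the `\'...\'` entry in jan's log is not caught by either of these two User Agent rules, so that block came from a different part of the BPS rule set.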

    #10088
    jan
    Participant

    Sorry if this is a stupid question, but I assume that if entries exist in my 403 log, those users got a generic 403 Forbidden message instead of the actual URL they requested?  If so, do you have any idea why some of these occur? In many below, the referrer appears to be legit and they asked for legit URLs.  I am just worried that legit users are getting errors after I have upped the security on this site. I deleted the lines in the log without ANY content/values:

    BPS PRO SECURITY / HTTP ERROR LOG
    =================================
    =================================
    
    ======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 1:30 am =======
    REMOTE_ADDR: 64.74.215.113 
    Host Name: 64.74.215.113
    SERVER_PROTOCOL: HTTP/1.1
    REQUEST_METHOD: GET
    REQUEST_URI: /
    HTTP_USER_AGENT: \'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\'
    
    ======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 3:40 am =======
    REMOTE_ADDR: 67.192.46.7 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 3:42 am =======
    REMOTE_ADDR: 67.192.46.8 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 20, 2013 - 9:33 pm =======
    REMOTE_ADDR: 204.236.226.210 
    Host Name: ec2-204-236-226-210.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0 
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-admin
    HTTP_USER_AGENT: ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler alexa.com)
    
    ======= 403 GET or HEAD Request Error Logged - September 21, 2013 - 1:23 am =======
    REMOTE_ADDR: 81.27.127.177 
    Host Name: host-81-27-127-177.teledata-fttx.de
    SERVER_PROTOCOL: HTTP/1.0 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-bsi
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0
    
    ======= 403 GET or HEAD Request Error Logged - September 21, 2013 - 3:49 pm =======
    REMOTE_ADDR: 94.23.45.14 
    Host Name: ks206255.kimsufi.com
    SERVER_PROTOCOL: HTTP/1.0 
    REQUEST_METHOD: GET
    REQUEST_URI: /
    HTTP_USER_AGENT:
    
    ======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 3:40 am =======
    REMOTE_ADDR: 67.192.46.6 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 3:58 am =======
    REMOTE_ADDR: 74.86.112.83 
    Host Name: hostsrv02.torxmedia.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://uprevent.mckesson.com
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 4:11 am =======
    REMOTE_ADDR: 174.132.33.114 
    Host Name: 72.21.84ae.static.theplanet.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
    HTTP_USER_AGENT: Springy Reference Verifier
    
    ======= 403 GET or HEAD Request Error Logged - September 22, 2013 - 9:42 am =======
    REMOTE_ADDR: 67.192.46.6 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 2:09 am =======
    REMOTE_ADDR: 173.254.28.108 
    Host Name: just108.justhost.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://haifocus.com
    REQUEST_URI: /on-the-cuspstop-bsi/
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:42 am =======
    REMOTE_ADDR: 67.192.46.13 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 5:40 am =======
    REMOTE_ADDR: 67.192.46.11 
    Host Name: fw-n01.wc2.dfw1.stabletransit.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.qsource.org
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:50 pm =======
    REMOTE_ADDR: 202.104.149.113 
    Host Name: 202.104.149.113
    SERVER_PROTOCOL: HTTP/1.0 
    REQUEST_METHOD: GET
    REQUEST_URI: /
    HTTP_USER_AGENT:
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:50 pm =======
    REMOTE_ADDR: 202.104.149.113
    Host Name: 202.104.149.113
    SERVER_PROTOCOL: HTTP/1.0 
    REQUEST_METHOD: GET
    REQUEST_URI: /
    HTTP_USER_AGENT:
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 9:58 pm =======
    REMOTE_ADDR: 173.208.133.226 
    Host Name: 173.208.133.226
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-content/plugins/user-meta/framework/helper/
    HTTP_USER_AGENT:
    
    ======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 9:58 pm =======
    REMOTE_ADDR: 173.208.133.226
    Host Name: 173.208.133.226
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-content/plugins/topquark/lib/js/fancyupload/showcase/batch/
    HTTP_USER_AGENT:
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 12:26 am =======
    REMOTE_ADDR: 174.132.16.36 
    Host Name: springy02.springshare.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 4:07 am =======
    REMOTE_ADDR: 5.45.64.228 
    Host Name: 5.45.64.228
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-content/uploads/2012/03/Assertion-Content-Call.ppt
    HTTP_USER_AGENT: User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am =======
    REMOTE_ADDR: 122.183.183.102 
    Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /
    HTTP_USER_AGENT: hverify/1.0
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am =======
    REMOTE_ADDR: 122.183.183.102 
    Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide
    HTTP_USER_AGENT: hverify/1.0
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:18 am =======
    REMOTE_ADDR: 122.183.183.102 
    Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/
    HTTP_USER_AGENT: hverify/1.0
    
    ======= 403 GET or HEAD Request Error Logged - September 24, 2013 - 10:18 am =======
    REMOTE_ADDR: 174.132.33.114 
    Host Name: 72.21.84ae.static.theplanet.com
    SERVER_PROTOCOL: HTTP/1.1 
    REQUEST_METHOD: GET
    REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
    HTTP_USER_AGENT: Springy Reference Verifier

    #10097
    AITpro Admin
    Keymaster

    Your Topic post has been moved to this relevant Forum Topic regarding what 403 errors mean in general.

    All log entries where you see:  SERVER_PROTOCOL: HTTP/1.0 and a blank User Agent:  HTTP_USER_AGENT:  are hackers or spammers.  The majority of the other log entries appear to be bots making HEAD Requests.  I do not see anything legitimate being blocked in your log entries.  The ppt log entry is ok.  The ppt is viewable/downloadable, but an additional 403 error will occur when viewing, clicking or downloading Microsoft based docs, ppt, xlt, etc.  If you would like to allow this then see this Forum Topic link below.
    http://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/#post-2017
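The following is an added example and not part of BulletProof Security or of any post in this thread. It parses the plain-text log format quoted throughout the thread (a `>>>>>>>>>>> 403 ... <<<<<<<<<<<` or `======= 403 ... =======` header followed by `KEY: value` lines) and applies the checks the replies make by hand: a blank User Agent (#7668, #9280), HTTP/1.0 together with a blank User Agent (#10097), a per-site list of User Agents to ignore (what the Add User Agents/Bots to Ignore tool in #7672 does), and, going one step beyond the thread, a count of distinct backup-archive names requested by one IP, which is the pattern in SIMone's log (web.rar, db.rar, site.zip, www.domain.zip). SAMPLE_LOG is constructed for the example using documentation IP ranges; the archive extensions beyond .zip and .rar are an addition.

```python
"""Triage BPS 403 log entries with the rules of thumb used in this thread.

Added example, not part of BulletProof Security. It parses the plain-text log
format quoted in the posts (a '>>>>>>>>>>> 403 ... <<<<<<<<<<<' or
'======= 403 ... =======' header followed by 'KEY: value' lines) and applies the
checks the replies make by hand; SAMPLE_LOG is constructed with documentation
IP ranges and only the field lines the checks need.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:16 <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /web.rar
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 2 September 2013 - 21:24 <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /db.zip
HTTP_USER_AGENT:

======= 403 GET or HEAD Request Error Logged - September 23, 2013 - 3:50 pm =======
REMOTE_ADDR: 203.0.113.9
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 19 September 2013 - 03:33 <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /contact.php
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 7.0; Site Scanner Bot; +http://www.websiteprotection.com)

>>>>>>>>>>> 403 GET or Other Request Error Logged - 16 May 2013 - 11:41 <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.5
SERVER_PROTOCOL: HTTP/1.1
HTTP_REFERER: http://www.google.pl/search?q=palac&tbm=isch
REQUEST_URI: /wp-content/uploads/2013/04/Palac-w-Rogalinie.jpg
HTTP_USER_AGENT: Mozilla/5.0 (Linux; U; Android 4.0.4; pl-pl) AppleWebKit/534.30 Mobile Safari/534.30
"""

# Both header styles seen in the thread; the timestamp is captured as 'when'.
HEADER = re.compile(r"^[>=]{5,}\s*403 .*?Logged - (?P<when>.+?) [<=]{5,}\s*$")
# Backup archives scanners hunt for: .zip/.rar are from SIMone's log, the rest are an addition.
ARCHIVE = re.compile(r"\.(zip|rar|7z|tar|tgz|tar\.gz|sql|bak)$", re.IGNORECASE)
# Tokens the BPS User Agent filter treats as vulnerability scanners.
SCANNER = re.compile(r"scan|nikto|havij", re.IGNORECASE)


def parse_entries(text):
    """Split the log text into one dict per entry, keyed by the field names."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"when": m.group("when")}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def classify(entry, ignore_agents=()):
    """Return a short verdict for one entry using the thread's heuristics."""
    ua = entry.get("HTTP_USER_AGENT", "")
    proto = entry.get("SERVER_PROTOCOL", "")
    path = entry.get("REQUEST_URI", "").split("?", 1)[0]
    if any(tag.lower() in ua.lower() for tag in ignore_agents):
        return "ignored"          # the owner chose not to log this agent
    if not ua:
        return "probe: blank User-Agent" + (" over HTTP/1.0" if proto == "HTTP/1.0" else "")
    if ARCHIVE.search(path):
        return "probe: backup archive request"
    if SCANNER.search(ua):
        return "scanner User-Agent"
    return "review: looks like a normal client"


def archive_enumerators(entries, min_distinct=3):
    """IPs that requested at least min_distinct different archive file names."""
    seen = defaultdict(set)
    for e in entries:
        path = e.get("REQUEST_URI", "").split("?", 1)[0]
        if ARCHIVE.search(path):
            seen[e.get("REMOTE_ADDR", "?")].add(path)
    return {ip: len(paths) for ip, paths in seen.items() if len(paths) >= min_distinct}


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for e in entries:
        print(e["when"], e.get("REMOTE_ADDR"), e.get("REQUEST_URI"),
              "->", classify(e, ignore_agents=("Android",)))
    print("archive enumeration:", archive_enumerators(entries, min_distinct=2))
```

The ignore list is applied first so that an agent the owner has decided to accept (the Android image requests, or the Go Daddy scanner once it is allowed through) never counts against it, while the archive count is computed over every entry regardless of verdict, because the blank-User-Agent probes in SIMone's log are exactly the ones doing the archive guessing.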
