403 GET|HEAD Request Log Entries

Home Forums BulletProof Security Pro 403 GET|HEAD Request Log Entries

Viewing 15 posts - 16 through 30 (of 95 total)
  • Author
    Posts
  • #10178
    jan
    Participant

    I am trying to understand how you determine what is what so i can parse these log files easier myself and not worry that legit traffic is getting 403’s.  Is it the GET requests that set off 403’s; does that imply a HEAD request?

    If not, here are 4 examples:

    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 25, 2013 - 5:29 am <<<<<<<<<<<
    REMOTE_ADDR: 74.86.112.83
    Host Name: hostsrv02.torxmedia.com
    SERVER_PROTOCOL: HTTP/1.1
    (HTTP_CLIENT_IP:    -   HTTP_FORWARDED:    -   HTTP_X_FORWARDED_FOR:    -   HTTP_X_CLUSTER_CLIENT_IP: )
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //uprevent.mckesson.com
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    A traceroute of the IP lands me at that host name. The referrer is a legit one. The URL is valid. How did this end up as a 403?
    
    = = = =
    
    Similarly, how did this one get a 403:
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 12:26 am <<<<<<<<<<<
    REMOTE_ADDR: 174.132.16.36
    Host Name: springy02.springshare.com
    SERVER_PROTOCOL: HTTP/1.1
    (HTTP_CLIENT_IP:    -   HTTP_FORWARDED:    -   HTTP_X_FORWARDED_FOR:    -   HTTP_X_CLUSTER_CLIENT_IP: )
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
    = = = =
    
    Kudos to you, but how do you know that most anything from "airtelbroadband.in" is spam? Is it the agent?
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am <<<<<<<<<<<
    REMOTE_ADDR: 122.183.183.102
    Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in
    SERVER_PROTOCOL: HTTP/1.1
    (HTTP_CLIENT_IP:   -  HTTP_FORWARDED:   -  HTTP_X_FORWARDED_FOR:   -  HTTP_X_CLUSTER_CLIENT_IP: )
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide
    QUERY_STRING:
    HTTP_USER_AGENT: hverify/1.0
    = = = =
    
    Finally, the agent seems odd. Is that what you use?
    
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 10:18 am <<<<<<<<<<<
    REMOTE_ADDR: 174.132.33.114
    Host Name: 72.21.84ae.static.theplanet.com
    SERVER_PROTOCOL: HTTP/1.1
    (HTTP_CLIENT_IP:   -  HTTP_FORWARDED:   -  HTTP_X_FORWARDED_FOR:   -  HTTP_X_CLUSTER_CLIENT_IP: )
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/
    QUERY_STRING:
    HTTP_USER_AGENT: Springy Reference Verifier

    Thanks for any insight.

    #10179
    AITpro Admin
    Keymaster

    The general idea is this:  You would check the Request URI yourself to see if you get a 403 error when going to the URL.  Some spammer, hacker, scraper, harvester Requests are obvious in the logged error message.  Some appear to be completely legitimate since what is logged does not show what type of script the spammer, hacker, scraper, harvester used against your website that was blocked.

    When you see a User Agent field with a User Agent/Bot name displayed like hverify/1.0 or Springy Reference Verifier then these are most likely Bots making a HEAD Request.  Check the bot to see if it is a good bot or bad bot.  In general it is fine to allow HEAD Requests on your website.  This is a nuisance filter to filter out all the junk and nuisance bots, but if a good bot is being blocked from making HEAD Requests to your website then you would do the steps in the link below to allow HEAD Requests on your website.

    http://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/#post-2017

    #10183
    AITpro Admin
    Keymaster

    If you want to check your site to make sure nothing legitimate is being blocked then see this Video Tutorial link below.
    http://forum.ait-pro.com/video-tutorials/#security-log-firewall

    #10624
    Krzysztof
    Participant

    Today I got something that looks like on a specific attck on BPS Pro to me:

    REMOTE_ADDR: 60.176.108.126
    Host Name: 126.108.176.60.broad.hz.zj.dynamic.163data.com.cn
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http: //www.infolotnicze.pl/wp-login.php
    REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.2.153.1 Safari/525.19
    #10632
    AITpro Admin
    Keymaster

    The 403.php logging template file will display as the Request URI depending on how a spambot attempts to auto-post to your login page. This is a known chinese spammer network:  broad.hz.zj.dynamic.163data.com.cn Server Protocol HTTP/1.0 is being used so this is a confirmed spambot.

    #11070
    George Bxcode777
    Participant
    I am getting the below 403 error when using ajax to to process a form.
    >>>>>>>>>>> 403 GET or Other Request Error Logged - November 10, 2013 - 5:59 am <<<<<<<<<<<
    REMOTE_ADDR: 50.105.0.41
    Host Name: 50.105.0.41
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //members.durhamkennelclub.com/wp-content/www-dkc/obedience/index.php
    REQUEST_URI: /wp-content/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1=&Service2Date=&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd&City=Bahama&State=NC&Zip=27503&Phone=(919)477-8874&EmailAddress=beglane%40mindspring.com&Handler=George&Under18=12&DogsName=Abby&Breed=Lab&Sex=F&AgeBirthday=6%2F03%2F2008&FirstChoice=Fall2013-3wk-CGC-Tuesday-6%3A30pm&Aggression=Yes&AggressionExplain=Test1&ExcusedDKCClass=Yes&ExcusedDKCClassExplain=Test2&BasicDogManners=Yes&Where=DKC&WhereDate=2013&HearDKC=Web+Site&IAgree=yes&OwnerSig=George+Beglane&SignDate=11%2F10%2F2013&submit_check=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    #11074
    AITpro Admin
    Keymaster

    I believe the part of the Query String that is causing the 403 error is the parenthesis/round bracket code characters  in the phone number:  ….Phone=(919)477-8874….

    To test if this is the only thing that is being blocked, edit this security filter in your root .htaccess file and remove the parenthesis/round bracket filter characters.

    Before editing the security filter
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    
    After editing the security filter
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]

    Let me know if this is the only thing that is being blocked and I will then post BPS Custom Code steps for you to save this code modification permanently.

    #11083
    George Bxcode777
    Participant

    This fix did indeed fix the problem, Your email said to change it to. Does it make any difference with the < or > in the file ?

    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    I notice your say to change it to
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    #11086
    AITpro Admin
    Keymaster

    Do these steps below to permanently save this modifed code to BPS Custom Code.  The angle brackets < and > protect against script attacks so you want to keep them in that security filter.

    1. Copy the entire section of BPS Query String Exploits code from your Root .htaccess file to this Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    .....
    .....
    .....
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #11167
    Mark McRae
    Participant

    I have received a number of these 403 errors:
    Can you shed some light on what is happening? Thanks in advance for your assistance.

    >>>>>>>>>>> 403 GET or Other Request Error Logged - November 4, 2013 - 1:31 am <<<<<<<<<<<
    REMOTE_ADDR: 5.77.33.107
    Host Name: alfine.alfinegroup.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:
    #11177
    AITpro Admin
    Keymaster

    2 things indicate that this is either a blocked Spammer or a blocked hacker.  This is a typical Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The second thing that tells you this is a spammer or hacker is the User Agent is blank. And of course the Request URI is your login page.

    #11435
    AITpro Admin
    Keymaster

    Duplicate or very similar post manually copied here

    Getting many 403 errors when submitting  a form for processing using the jQuery.load() method to pass data below are two examples

    >>>>>>>>>>> 403 GET or Other Request Error Logged - November 24, 2013 - 4:15 pm <<<<<<<<<<<
    REMOTE_ADDR: 71.65.213.240
    Host Name: cpe-071-065-213-240.nc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://members.durhamkennelclub.com/obedience-class-home-page/
    REQUEST_URI: /wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=September%2C+2013&Service1Date=August+9&Activity1=show+and+go&Service2Date=August+10&Activity2=show+and+go&MemberType=Member&OwnerName=Vanna+Condax&Address=750+Weaver+Dairy+Road+%231103&City=Chapel+Hill&State=NC&Zip=27514&Phone=(919)+918-3544&EmailAddress=Condax%40gmail.com&Handler=self&Under18=&DogsName=Darwyn&Breed=border+collie&Sex=dog&AgeBirthday=April+24%2C+2011&FirstChoice=Winter2014-6wk-Introduction-To-Rally-Tuesday-6%3A30pm&Aggression=No&AggressionExplain=&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=DKC&WhereDate=ongoing&HearDKC=&IAgree=yes&OwnerSig=Vanna+Condax&SignDate=11%2F24%2F2013&submit_check=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - November 24, 2013 - 4:55 pm <<<<<<<<<<<
    REMOTE_ADDR: 50.105.0.41
    Host Name: 50.105.0.41
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://members.durhamkennelclub.com/obedience-class-home-page/
    REQUEST_URI: /wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1=&Service2Date=&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd.&City=Bahama&State=NC&Zip=27503&Phone=(919)47788874&EmailAddress=beglane%40mindspring.com&Handler=George&Under18=&DogsName=Abby&Breed=Lab&Sex=F&AgeBirthday=6%2F3%2F2008&FirstChoice=SELECT+CLASS&Aggression=No&AggressionExplain=&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=&WhereDate=&HearDKC=&IAgree=yes&OwnerSig=George+Beglane&SignDate=11%2F24%2F2013&submit_check=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    #11438
    AITpro Admin
    Keymaster

    @ George Bxcode777 – your post has been manually moved to this relevant Topic.  Previously what was being blocked was the round bracket code characters.  Did you copy the BPS Query String Exploits code to BPS Custom Code?  Did you remove the round bracket coding characters from the code in Custom Code.  I do not see anything else that would be blocked in the Query String, but for testing comment out the SQL Injection security filter in your root .htaccess file by adding a # sign in front of the security filter as shown below.

    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    #11485
    AITpro Admin
    Keymaster

    Response from:  George Bxcode777 manually copied from orphaned Topic:
    Changing my form method from GET to POST resolver the issue with the the open and closed parentheses

    #11797
    AITpro Admin
    Keymaster

    This is a typical blocked Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The HTTP Referer site is “supposedly” where this bot came from, but I assume that the Referer is faked since that page does not actually exist on that website. Since the attack was blocked and logged by BPS then you do not need to do anything.  We see around 300,000 of these blocked Brute Force attacks / attempts per month on our sites.

Viewing 15 posts - 16 through 30 (of 95 total)
  • You must be logged in to reply to this topic.