BulletProof Security Forum

If you want to check your site to make sure nothing legitimate is being blocked then see this Video Tutorial link below.
http://forum.ait-pro.com/video-tutorials/#security-log-firewall

The 403.php logging template file will display as the Request URI depending on how a spambot attempts to auto-post to your login page. This is a known chinese spammer network:  broad.hz.zj.dynamic.163data.com.cn Server Protocol HTTP/1.0 is being used so this is a confirmed spambot.

I believe the part of the Query String that is causing the 403 error is the parenthesis/round bracket code characters  in the phone number:  ….Phone=(919)477-8874….

To test if this is the only thing that is being blocked, edit this security filter in your root .htaccess file and remove the parenthesis/round bracket filter characters.

Before editing the security filter
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]

After editing the security filter
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]

Let me know if this is the only thing that is being blocked and I will then post BPS Custom Code steps for you to save this code modification permanently.

Do these steps below to permanently save this modifed code to BPS Custom Code.  The angle brackets < and > protect against script attacks so you want to keep them in that security filter.

1. Copy the entire section of BPS Query String Exploits code from your Root .htaccess file to this Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
.....
.....
.....
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
# END BPSQSE BPS QUERY STRING EXPLOITS

2 things indicate that this is either a blocked Spammer or a blocked hacker.  This is a typical Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The second thing that tells you this is a spammer or hacker is the User Agent is blank. And of course the Request URI is your login page.

@ George Bxcode777 – your post has been manually moved to this relevant Topic.  Previously what was being blocked was the round bracket code characters.  Did you copy the BPS Query String Exploits code to BPS Custom Code?  Did you remove the round bracket coding characters from the code in Custom Code.  I do not see anything else that would be blocked in the Query String, but for testing comment out the SQL Injection security filter in your root .htaccess file by adding a # sign in front of the security filter as shown below.

#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

This is a typical blocked Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The HTTP Referer site is “supposedly” where this bot came from, but I assume that the Referer is faked since that page does not actually exist on that website. Since the attack was blocked and logged by BPS then you do not need to do anything.  We see around 300,000 of these blocked Brute Force attacks / attempts per month on our sites.