403 GET|HEAD Request Log Entries
Tagged: 403 error, CAPTCHA, captcha log entries
jan (Participant)
I am trying to understand how you determine what is what so I can parse these log files easier myself and not worry that legit traffic is getting 403's. Is it the GET requests that set off 403's; does that imply a HEAD request?
If not, here are 4 examples:

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 25, 2013 - 5:29 am <<<<<<<<<<<
REMOTE_ADDR: 74.86.112.83 Host Name: hostsrv02.torxmedia.com SERVER_PROTOCOL: HTTP/1.1 (HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - HTTP_X_CLUSTER_CLIENT_IP: ) REQUEST_METHOD: GET HTTP_REFERER: http://uprevent.mckesson.com REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide/ QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

A traceroute of the IP lands me at that host name. The referrer is a legit one. The URL is valid. How did this end up as a 403?

= = = =

Similarly, how did this one get a 403:

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 12:26 am <<<<<<<<<<<
REMOTE_ADDR: 174.132.16.36 Host Name: springy02.springshare.com SERVER_PROTOCOL: HTTP/1.1 (HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - HTTP_X_CLUSTER_CLIENT_IP: ) REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/ QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)

= = = =

Kudos to you, but how do you know that most anything from "airtelbroadband.in" is spam? Is it the agent?

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am <<<<<<<<<<<
REMOTE_ADDR: 122.183.183.102 Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in SERVER_PROTOCOL: HTTP/1.1 (HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - HTTP_X_CLUSTER_CLIENT_IP: ) REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide QUERY_STRING: HTTP_USER_AGENT: hverify/1.0

= = = =

Finally, the agent seems odd. Is that what you use?

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 10:18 am <<<<<<<<<<<
REMOTE_ADDR: 174.132.33.114 Host Name: 72.21.84ae.static.theplanet.com SERVER_PROTOCOL: HTTP/1.1 (HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - HTTP_X_CLUSTER_CLIENT_IP: ) REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/ QUERY_STRING: HTTP_USER_AGENT: Springy Reference Verifier

Thanks for any insight.
AITpro Admin (Keymaster)
The general idea is this: You would check the Request URI yourself to see if you get a 403 error when going to the URL. Some spammer, hacker, scraper, harvester Requests are obvious in the logged error message. Some appear to be completely legitimate since what is logged does not show what type of script the spammer, hacker, scraper, harvester used against your website that was blocked.
When you see a User Agent field with a User Agent/Bot name displayed like hverify/1.0 or Springy Reference Verifier then these are most likely Bots making a HEAD Request. Check the bot to see if it is a good bot or bad bot. In general it is fine to allow HEAD Requests on your website. This is a nuisance filter to filter out all the junk and nuisance bots, but if a good bot is being blocked from making HEAD Requests to your website then you would do the steps in the link below to allow HEAD Requests on your website.
http://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/#post-2017
AITpro Admin (Keymaster)
If you want to check your site to make sure nothing legitimate is being blocked then see this Video Tutorial link below.
http://forum.ait-pro.com/video-tutorials/#security-log-firewall

Krzysztof (Participant)
Today I got something that looks like a specific attack on BPS Pro to me:
REMOTE_ADDR: 60.176.108.126 Host Name: 126.108.176.60.broad.hz.zj.dynamic.163data.com.cn SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: POST HTTP_REFERER: http://www.infolotnicze.pl/wp-login.php REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.2.153.1 Safari/525.19
AITpro Admin (Keymaster)
The 403.php logging template file will display as the Request URI depending on how a spambot attempts to auto-post to your login page. This is a known Chinese spammer network: broad.hz.zj.dynamic.163data.com.cn. Server Protocol HTTP/1.0 is being used, so this is a confirmed spambot.
George Bxcode777 (Participant)
I am getting the below 403 error when using ajax to process a form.

>>>>>>>>>>> 403 GET or Other Request Error Logged - November 10, 2013 - 5:59 am <<<<<<<<<<<
REMOTE_ADDR: 50.105.0.41 Host Name: 50.105.0.41 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: http://members.durhamkennelclub.com/wp-content/www-dkc/obedience/index.php REQUEST_URI: /wp-content/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1=&Service2Date=&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd&City=Bahama&State=NC&Zip=27503&Phone=(919)477-8874&EmailAddress=beglane%40mindspring.com&Handler=George&Under18=12&DogsName=Abby&Breed=Lab&Sex=F&AgeBirthday=6%2F03%2F2008&FirstChoice=Fall2013-3wk-CGC-Tuesday-6%3A30pm&Aggression=Yes&AggressionExplain=Test1&ExcusedDKCClass=Yes&ExcusedDKCClassExplain=Test2&BasicDogManners=Yes&Where=DKC&WhereDate=2013&HearDKC=Web+Site&IAgree=yes&OwnerSig=George+Beglane&SignDate=11%2F10%2F2013&submit_check=1 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
AITpro Admin (Keymaster)
I believe the part of the Query String that is causing the 403 error is the parenthesis/round bracket code characters in the phone number: ….Phone=(919)477-8874….
To test if this is the only thing that is being blocked, edit this security filter in your root .htaccess file and remove the parenthesis/round bracket filter characters.

Before editing the security filter:
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]

After editing the security filter:
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]

Let me know if this is the only thing that is being blocked and I will then post BPS Custom Code steps for you to save this code modification permanently.
George Bxcode777 (Participant)
This fix did indeed fix the problem. Your email said to change it to:
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
Does it make any difference with the < or > in the file? I notice you say to change it to
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
AITpro Admin (Keymaster)
Do these steps below to permanently save this modified code to BPS Custom Code. The angle brackets < and > protect against script attacks so you want to keep them in that security filter.
1. Copy the entire section of BPS Query String Exploits code from your Root .htaccess file to this Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
.....
.....
.....
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
# END BPSQSE BPS QUERY STRING EXPLOITS
Mark McRae (Participant)
I have received a number of these 403 errors:
Can you shed some light on what is happening? Thanks in advance for your assistance.

>>>>>>>>>>> 403 GET or Other Request Error Logged - November 4, 2013 - 1:31 am <<<<<<<<<<<
REMOTE_ADDR: 5.77.33.107 Host Name: alfine.alfinegroup.com SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-login.php QUERY_STRING: HTTP_USER_AGENT:
AITpro Admin (Keymaster)
Two things indicate that this is either a blocked Spammer or a blocked hacker. This is a typical Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The second thing that tells you this is a spammer or hacker is the User Agent is blank. And of course the Request URI is your login page.
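The rules of thumb given across this thread (a named bot User-Agent such as hverify/1.0 usually means a HEAD-request bot that should be looked up, HTTP/1.0 plus a blank User-Agent means a spambot or brute-force tool, and a hit on wp-login.php or on the BPS 403.php template is a login probe) can be applied mechanically to the log format shown above. The script below is an added example written for this page, not BPS code: it parses the quoted log entry layout (both the older form that wraps the proxy headers in round brackets and the newer flat form) and tags each entry with those indicators. The four sample entries are copied from posts in this thread; the FIELDS list, the LOGIN_PATHS tuple, the tag names and the function names are my own assumptions.

```python
"""Parse BPS 403 log entries as quoted in this thread and apply its rules of thumb."""
import re

# Field names exactly as they appear in the BPS log template (assumed complete for this layout).
FIELDS = [
    "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL", "HTTP_CLIENT_IP",
    "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP",
    "REQUEST_METHOD", "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING",
    "HTTP_USER_AGENT",
]
_KEY_RE = re.compile(r"(?P<key>" + "|".join(re.escape(f) for f in FIELDS) + r"):")
_HEADER_RE = re.compile(r">{3,}\s*(?P<title>.*?)\s*-\s*(?P<when>.*?)\s*<{3,}")
# The older template wraps the four proxy headers in round brackets; unwrap them first.
_PROXY_WRAP_RE = re.compile(r"\((HTTP_CLIENT_IP:.*?)\)")

# Paths the thread treats as login probes when they appear as REQUEST_URI.
LOGIN_PATHS = ("/wp-login.php", "/wp-content/plugins/bulletproof-security/403.php")


def parse_entry(text):
    """Return a dict of the entry's fields; empty or '-' values become ''."""
    entry, body = {}, text
    head = _HEADER_RE.search(text)
    if head:
        entry["title"], entry["when"] = head.group("title"), head.group("when")
        body = text[head.end():]
    body = _PROXY_WRAP_RE.sub(r"\1", body)
    keys = list(_KEY_RE.finditer(body))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        value = body[km.end():end].strip()
        entry[km.group("key")] = "" if value == "-" else value
    return entry


def indicators(entry):
    """Tags for the signs the thread uses to judge a blocked request."""
    tags = []
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        tags.append("http10")          # spambots / brute-force tools, per the thread
    ua = entry.get("HTTP_USER_AGENT", "")
    if not ua:
        tags.append("blank-ua")
    elif not ua.startswith("Mozilla/"):
        tags.append("bot-ua")          # e.g. hverify/1.0: probably a HEAD-request bot, check if it is a good one
    path = entry.get("REQUEST_URI", "").split("?", 1)[0]
    if path in LOGIN_PATHS:
        tags.append("login-uri")       # login page or the BPS 403.php template: login probe
        if entry.get("REQUEST_METHOD") == "POST":
            tags.append("post-login")  # auto-post attempt against the login page
    return tags


def verdict(entry):
    tags = indicators(entry)
    if not tags:
        return "no bot indicator in the logged fields: request the URI yourself and check for a 403"
    return "likely blocked bot/probe: " + ", ".join(tags)


# Sample entries copied from this thread.
E_HVERIFY = (">>>>>>>>>>> 403 GET or HEAD Request Error Logged - September 24, 2013 - 8:17 am <<<<<<<<<<< "
             "REMOTE_ADDR: 122.183.183.102 Host Name: telemedia-smb-102.183.183.122.airtelbroadband.in "
             "SERVER_PROTOCOL: HTTP/1.1 (HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - "
             "HTTP_X_CLUSTER_CLIENT_IP: ) REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: "
             "/on-the-cuspstop-cauti/toolkits-and-resources/on-the-cusp-stop-cauti-implementation-guide "
             "QUERY_STRING: HTTP_USER_AGENT: hverify/1.0")
E_SPRINGY = ("REMOTE_ADDR: 174.132.16.36 Host Name: springy02.springshare.com SERVER_PROTOCOL: HTTP/1.1 "
             "(HTTP_CLIENT_IP: - HTTP_FORWARDED: - HTTP_X_FORWARDED_FOR: - HTTP_X_CLUSTER_CLIENT_IP: ) "
             "REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /on-the-cuspstop-bsi/toolkits-and-resources/ "
             "QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) "
             "Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)")
E_LOGIN = (">>>>>>>>>>> 403 GET or Other Request Error Logged - November 4, 2013 - 1:31 am <<<<<<<<<<< "
           "REMOTE_ADDR: 5.77.33.107 Host Name: alfine.alfinegroup.com SERVER_PROTOCOL: HTTP/1.0 "
           "HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: "
           "REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-login.php QUERY_STRING: HTTP_USER_AGENT:")
E_POST = ("REMOTE_ADDR: 60.176.108.126 Host Name: 126.108.176.60.broad.hz.zj.dynamic.163data.com.cn "
          "SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: "
          "HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: POST HTTP_REFERER: http://www.infolotnicze.pl/wp-login.php "
          "REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php QUERY_STRING: HTTP_USER_AGENT: "
          "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) "
          "Chrome/0.2.153.1 Safari/525.19")

if __name__ == "__main__":
    for raw in (E_HVERIFY, E_SPRINGY, E_LOGIN, E_POST):
        e = parse_entry(raw)
        print(e["REMOTE_ADDR"], e["Host Name"], "->", verdict(e))
```

An entry with no tags (the springshare one) is exactly the case the admin describes: nothing in the logged fields explains the block, so the only check left is to request the URI yourself.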
AITpro Admin (Keymaster)
Duplicate or very similar post manually copied here:

Getting many 403 errors when submitting a form for processing using the jQuery.load() method to pass data. Below are two examples:

>>>>>>>>>>> 403 GET or Other Request Error Logged - November 24, 2013 - 4:15 pm <<<<<<<<<<<
REMOTE_ADDR: 71.65.213.240 Host Name: cpe-071-065-213-240.nc.res.rr.com SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: http://members.durhamkennelclub.com/obedience-class-home-page/ REQUEST_URI: /wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=September%2C+2013&Service1Date=August+9&Activity1=show+and+go&Service2Date=August+10&Activity2=show+and+go&MemberType=Member&OwnerName=Vanna+Condax&Address=750+Weaver+Dairy+Road+%231103&City=Chapel+Hill&State=NC&Zip=27514&Phone=(919)+918-3544&EmailAddress=Condax%40gmail.com&Handler=self&Under18=&DogsName=Darwyn&Breed=border+collie&Sex=dog&AgeBirthday=April+24%2C+2011&FirstChoice=Winter2014-6wk-Introduction-To-Rally-Tuesday-6%3A30pm&Aggression=No&AggressionExplain=&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=DKC&WhereDate=ongoing&HearDKC=&IAgree=yes&OwnerSig=Vanna+Condax&SignDate=11%2F24%2F2013&submit_check=1 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - November 24, 2013 - 4:55 pm <<<<<<<<<<<
REMOTE_ADDR: 50.105.0.41 Host Name: 50.105.0.41 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: http://members.durhamkennelclub.com/obedience-class-home-page/ REQUEST_URI: /wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1=&Service2Date=&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd.&City=Bahama&State=NC&Zip=27503&Phone=(919)47788874&EmailAddress=beglane%40mindspring.com&Handler=George&Under18=&DogsName=Abby&Breed=Lab&Sex=F&AgeBirthday=6%2F3%2F2008&FirstChoice=SELECT+CLASS&Aggression=No&AggressionExplain=&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=&WhereDate=&HearDKC=&IAgree=yes&OwnerSig=George+Beglane&SignDate=11%2F24%2F2013&submit_check=1 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
AITpro Admin (Keymaster)
@ George Bxcode777 – your post has been manually moved to this relevant Topic. Previously what was being blocked was the round bracket code characters. Did you copy the BPS Query String Exploits code to BPS Custom Code? Did you remove the round bracket coding characters from the code in Custom Code? I do not see anything else that would be blocked in the Query String, but for testing comment out the SQL Injection security filter in your root .htaccess file by adding a # sign in front of the security filter as shown below.

#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
AITpro Admin (Keymaster)
Response from George Bxcode777, manually copied from orphaned Topic:
Changing my form method from GET to POST resolved the issue with the open and closed parentheses.

AITpro Admin (Keymaster)
This is a typical blocked Brute Force Login page probe/attack. The first thing that tells you this is a spammer or hacker is the Server Protocol is HTTP/1.0 instead of HTTP/1.1. The HTTP Referer site is "supposedly" where this bot came from, but I assume that the Referer is faked since that page does not actually exist on that website. Since the attack was blocked and logged by BPS then you do not need to do anything. We see around 300,000 of these blocked Brute Force attacks / attempts per month on our sites.
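To see which of the quoted BPS Query String Exploits filters actually fires on the three logged form submissions (the November 10 request, the two November 24 requests, and the GET-to-POST change that finally resolved it), the added example below replays the RewriteCond patterns exactly as quoted in this thread with Python's re; for these patterns a case-insensitive re.search behaves like mod_rewrite's unanchored match with [NC]. This is example code written for this page, not BPS code. It shows that dropping the round brackets clears the November 10 request, that the SQL injection filter still matches both November 24 requests (the ')' in the phone number followed later by 'select' in SELECT+CLASS, or by 'order' inside 'border collie'), and why switching the form to POST avoided every filter: %{QUERY_STRING} holds only the text after '?', so a POST body is never seen by these conditions. The request URIs are copied from the logs above; the FILTERS names and the function names are my own.

```python
"""Replay the BPS Query String Exploits filters quoted in this thread over the logged query strings."""
import re
from urllib.parse import urlsplit

# Patterns copied from the thread. RewriteCond %{QUERY_STRING} <pattern> [NC] is an
# unanchored, case-insensitive search, which is what re.search(..., re.IGNORECASE) does.
FILTERS = {
    "brackets": r"^.*(\(|\)|<|>|%3c|%3e).*",      # filter before the edit
    "brackets-edited": r"^.*(<|>|%3c|%3e).*",     # round brackets removed, angle brackets kept
    "sqli": r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)""",
    "sp_executesql": r"(sp_executesql)",
}
ORIGINAL = ("brackets", "sqli", "sp_executesql")
EDITED = ("brackets-edited", "sqli", "sp_executesql")


def query_string(request_uri):
    """What mod_rewrite exposes as %{QUERY_STRING}: only the text after '?'.

    A form sent with method=POST carries its fields in the body, so this is '' for it.
    """
    return urlsplit(request_uri).query


def fired(qs, names):
    """Names of the [OR]-chained conditions that match. Any hit reaches
    RewriteRule ^(.*)$ - [F,L], i.e. the request gets a 403."""
    return [n for n in names if re.search(FILTERS[n], qs, re.IGNORECASE)]


def sqli_trigger(qs):
    """The (special character, keyword) pair the SQL injection filter latched onto, or None."""
    m = re.search(FILTERS["sqli"], qs, re.IGNORECASE)
    return (m.group(1), m.group(2).lower()) if m else None


# REQUEST_URI values copied from the three logged GET requests in this thread.
URI_NOV10 = (
    "/wp-content/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1="
    "&Service2Date=&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd"
    "&City=Bahama&State=NC&Zip=27503&Phone=(919)477-8874&EmailAddress=beglane%40mindspring.com&Handler=George"
    "&Under18=12&DogsName=Abby&Breed=Lab&Sex=F&AgeBirthday=6%2F03%2F2008&FirstChoice=Fall2013-3wk-CGC-Tuesday-6%3A30pm"
    "&Aggression=Yes&AggressionExplain=Test1&ExcusedDKCClass=Yes&ExcusedDKCClassExplain=Test2&BasicDogManners=Yes"
    "&Where=DKC&WhereDate=2013&HearDKC=Web+Site&IAgree=yes&OwnerSig=George+Beglane&SignDate=11%2F10%2F2013&submit_check=1")
URI_NOV24_A = (
    "/wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=September%2C+2013&Service1Date=August+9"
    "&Activity1=show+and+go&Service2Date=August+10&Activity2=show+and+go&MemberType=Member&OwnerName=Vanna+Condax"
    "&Address=750+Weaver+Dairy+Road+%231103&City=Chapel+Hill&State=NC&Zip=27514&Phone=(919)+918-3544"
    "&EmailAddress=Condax%40gmail.com&Handler=self&Under18=&DogsName=Darwyn&Breed=border+collie&Sex=dog"
    "&AgeBirthday=April+24%2C+2011&FirstChoice=Winter2014-6wk-Introduction-To-Rally-Tuesday-6%3A30pm&Aggression=No"
    "&AggressionExplain=&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=DKC&WhereDate=ongoing"
    "&HearDKC=&IAgree=yes&OwnerSig=Vanna+Condax&SignDate=11%2F24%2F2013&submit_check=1")
URI_NOV24_B = (
    "/wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5?ClubMeeting=&Service1Date=&Activity1=&Service2Date="
    "&Activity2=&MemberType=Instructor&OwnerName=George+Beglane&Address=8318+South+Lowell+Rd.&City=Bahama&State=NC"
    "&Zip=27503&Phone=(919)47788874&EmailAddress=beglane%40mindspring.com&Handler=George&Under18=&DogsName=Abby"
    "&Breed=Lab&Sex=F&AgeBirthday=6%2F3%2F2008&FirstChoice=SELECT+CLASS&Aggression=No&AggressionExplain="
    "&ExcusedDKCClass=No&ExcusedDKCClassExplain=&BasicDogManners=Yes&Where=&WhereDate=&HearDKC=&IAgree=yes"
    "&OwnerSig=George+Beglane&SignDate=11%2F24%2F2013&submit_check=1")
# The same form submitted with method=POST: the fields travel in the body, the URI has no '?'.
URI_POST = "/wp-content/themes/www-dkc/obedience/ObedienceRallyForm.php5"

if __name__ == "__main__":
    for label, uri in (("Nov 10", URI_NOV10), ("Nov 24 A", URI_NOV24_A),
                       ("Nov 24 B", URI_NOV24_B), ("POST", URI_POST)):
        qs = query_string(uri)
        print(label, "original:", fired(qs, ORIGINAL), "edited:", fired(qs, EDITED),
              "sqli trigger:", sqli_trigger(qs))
```

The SQL injection filter's second group is a bare substring list, so an ordinary word like "border" satisfies the "order" alternative once any listed character (here the ')' of the phone number) has appeared earlier in the query string. Keeping the filter but moving the form to POST is therefore a legitimate fix for this form, but not a reason to assume the filter would have passed the data had it stayed in the query string.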