Topic: 403 GET|HEAD Request Log Entries | BulletProof Security Forum

403 GET|HEAD Request Log Entries

Tagged: 403 error, CAPTCHA, captcha log entries

This topic has 95 replies, 20 voices, and was last updated 2 months, 3 weeks ago by x.

Viewing 15 posts - 31 through 45 (of 96 total)

← 1 2 3 4 5 6 7 →

Author

Posts
April 25, 2014 at 6:11 am #15043
AITpro Admin
Keymaster
[Topic was manually moved/merged into this Topic]
Hi. New here. Please be gentle! I just got my first BPS log. I’m getting lots of 403s from seemingly innocent requests referred by Google. They are all requests for JPEGs. Can anyone explain why I’m getting these, and if it’s a good thing / by design? I am using an edited copy of the BPS hotlinking blocker, but I’m not sure if this is the cause.
```
[403 GET / HEAD Request: 25th April, 2014 - 1.08am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 211.253.60.18
Host Name: mail3.seoul.go.kr
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /wp-content/uploads/2011/09/f-stops2.gif
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

I also just noticed that some of the errors are from the web server itself...

[403 GET / HEAD Request: 25th April, 2014 - 8.12am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: A.B.C.D
Host Name: server.domain.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2010/12/tree-explanada-alicante.jpg
QUERY_STRING: 
HTTP_USER_AGENT: WordPress/3.9; http://mydomain.co.uk

Before you ask, here's my hotlinking blocking code...("mydomain" used as placeholder for real name)

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# BLOCK HOTLINKING TO IMAGES
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.co\.uk [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
```
April 25, 2014 at 6:19 am #15045
AITpro Admin
Keymaster

Replace the older Hotlink protection code with the newer Hotlink protection code here: http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/

Manually physically check that your images are are loading correctly by going to the image URL’s and viewing the images. The second log entry you posted shows that SERVER_PROTOCOL: HTTP/1.0 was used. If you are using the Brute Force protection code that blocks Server Protocol HTTP/1.0 then you may not be able to use that code on your particular website/server. Server Protocol HTTP/1.0 may be used in older Proxy software that you have installed on your particular server.
April 25, 2014 at 7:15 am #15046
Keith
Participant

Thanks for the suggestion.

I still don’t understand what’s happening though. If I clear my browser’s cache, and google the image myself, I can see the preview and larger version fine in Google Images. So what’s happening to the other hosts?
April 25, 2014 at 7:32 am #15047
AITpro Admin
Keymaster

Maybe your site is being scraped or something like that in the first log entry. The second log entry shows Server Protocol HTTP/1.0 which was phased out in 1999 – 15 years ago. The new Server Protocol is HTTP/1.1. If your server has an old Proxy software installed then it may be using the old Server protocol. Try using the newer Hotlink protection code and see what happens.

The general rule of thumb is if everything is actually working fine after checking things then you can assume that the log entries are being created because of some shady activity. Unfortunately the log entries cannot tell you exactly what that shady activity is. For example when someone is trying to scrape your website you will see your own domain name listed in the log entry. That is just the nature of scraping and mirroring.
July 11, 2014 at 4:26 pm #16184
Gary M. Gordon
Participant
[Topic Merged into this relevant Topic]
k4-nagios.servint.net -BFHS – Blocked/Forbidden Hacker or Spammer
The below code appeared in my Security Log. I was just curious if you can tell what this is and if I need to be concerned. It indicates the host name is from k4-nagios.servint.net My hosting company is Servint.net. I don’t have a plugin installed on my WordPress site for Nagios. I was curious if you could tell (from what I provided) if this is anything to be concerned about since it says “Hacker/Spammer”. What (if anything) might you recommend I do (or not do).
```
[403 GET / HEAD Request: July 11, 2014 - 3:18 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 209.50.225.135
Host Name: k4-nagios.servint.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /
QUERY_STRING: 
HTTP_USER_AGENT: check_http/v1.4.15 (nagios-plugins 1.4.15)
```
Thanks,
Gary
July 11, 2014 at 5:01 pm #16188
AITpro Admin
Keymaster

Nagios looks like a legitimate monitoring service. A logical guess would be that your Host has installed Nagios to monitor websites. If Nagios is making a HEAD Request then the Nagios bot will be blocked. I guess check with ServInt to see what they say.
July 11, 2014 at 5:06 pm #16189
Gary M. Gordon
Participant

Thanks for your clarification .. oh wise one. 🙂
Gary
July 31, 2014 at 1:04 pm #16491
Terry Thornton
Participant
I am seeing some 403 errors in the log and I am seeing the 403 Forbidden page even though I am logged into the site as admin. See below. This example was generated when I tried to trash a comment in my forum. The REMOTE_ADDR: 71.236.214.5 value is my ip.
```
[403 GET / HEAD Request: July 31, 2014 - 12:45]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 71.236.214.5
Host Name: c-71-236-214-5.hsd1.or.comcast.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
REQUEST_URI: /wp-admin/post.php?post=1926&action=trash&_wpnonce=55f6b6b491&_wp_http_referer=http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
```
July 31, 2014 at 1:17 pm #16495
AITpro Admin
Keymaster

The solution is here: http://forum.ait-pro.com/forums/topic/bbpress-sending-a-topic-to-trash-gives-403/#post-6442 You need to add a wp-admin skip/bypass rule for the post.php file.
July 31, 2014 at 2:50 pm #16505
Terry Thornton
Participant
Now that I have your attention 🙂 I am seeing some other possible false blocks. The REMOTE_ADDR: 162.251.84.188 is my site’s IP
```
[403 GET / HEAD Request: July 31, 2014 - 11:47]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 162.251.84.188
Host Name: vps.cleanreach.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.cleanreach.com
REQUEST_URI: /?p=1799
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
```
July 31, 2014 at 4:47 pm #16507
AITpro Admin
Keymaster
When I use the shortlink I am redirected to your /forums/forum/general/ page without seeing any errors.
```
/?p=1799 is the shortlink for your /forums/forum/general/ page
```
October 23, 2014 at 5:52 am #18657
Guillermo
Participant
Hello,

One of my sites is getting bombarded by this brute force attack at a rate of about 50-60 attempts per minute for the past 8 hours. I know the logs mean that the plugin is working, but is there anything else I can do other that just watch them keep trying? I added a deny entry to my htaccess file with the IP below (it is not changing.)

50-60 ATTEMPTS PER MINUTE FOR OVER 8 HOURS!!!
```
[403 GET / HEAD Request: October 23, 2014 - 5:40 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 189.28.177.50
Host Name: ns1.lancaperfume.com.br
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 189.28.177.50
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:
```
October 23, 2014 at 9:11 am #18666
AITpro Admin
Keymaster

The Security Log is a plain text file that requires an insignificant amount of website/server resources to log attacks. Blocking and logging attacks does not slow down your website since your WordPress database is not involved and database Queries are not being used. WordPress database queries are expensive and will slow down a website if excessive queries are being made. 50-60 attacks per minute is a bit high, but is nowhere near a DoS/DDoS attack so you should not be seeing any slowness whatsoever due to these attacks.

BPS is doing its job so you do not need to do anything else. FYI – by denying/blocking IP addresses you will see those blocked IP addresses in your BPS Security Log. The thing to remember is the Security Log is just a plain text log file just like your Host Server’s log file that logs activity. The log is just logging things.
November 8, 2014 at 2:48 am #18990
Marty
Participant
Whenever I create a post designed to generate traffic from the site of the post to my primary site I get thousands of the following BPS error log entries:
The abc.com site is the site containing the post which has only links to the primary site. This error log entry is from the primary site. Is BPS blocking blocking this inbound traffic which we desperately want because there is absolutely no reason for it to be doing so? I would whitelist the posting sites we use but there are hundreds of subdomains. Is there any acceptable use of a wildcard in this situation ex. http://*.abc.com ?
```
>>>>>>>>>>> 403 GET or Other Request Error Logged – November 7, 2014 9:36 pm <<<<<<<<<<<
REMOTE_ADDR: 198.101.10.154
Host Name: 198.101.10.154
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /quantum-super-food/
QUERY_STRING:
HTTP_USER_AGENT: WordPress/3.8.3; http:/abc.com
```
November 8, 2014 at 8:53 am #18994
AITpro Admin
Keymaster

I see that the Server Protocol is HTTP/1.0 which is normally used by hackers and spammers since it allows them to do things that they cannot do with the new Server Protocol HTTP/1.1 which was started back in 1999 – 15 years ago. So I think that should be looked at first. If your server is using outdated Proxy software then that may be where the old Server Protocol is coming from or this may just me a typical blocked hacker, spammer, scraper, miner, bad bot, etc etc etc. We get around 500,000 blocked hackers/spammers logged in our Security Log file per month and this is just what is nowadays on the Internet. I see that IP Address 198.101.10.154 is in the CIDR block for CLOUD-SOUTH – Cloud South,US: http://whois.domaintools.com/198.101.10.154 Is this your server’s IP address?

It may be that there is not really any sort of problem going on and just the normal stuff is being blocked. I don’t have enough information to make that kind of assessment. If you do not want to post your domain name in the forum then send it to info at ait-pro dot com and we will check your website to see if there are any problems.
Author

Posts