403 GET|HEAD Request Log Entries


This topic contains 94 replies, has 19 voices, and was last updated by  Amit 1 year, 7 months ago.

Viewing 15 posts - 31 through 45 (of 95 total)
  • #15043

    AITpro Admin
    Keymaster

    [Topic was manually moved/merged into this Topic]
    Hi. New here. Please be gentle!  I just got my first BPS log. I’m getting lots of 403s from seemingly innocent requests referred by Google. They are all requests for JPEGs.  Can anyone explain why I’m getting these, and if it’s a good thing / by design?  I am using an edited copy of the BPS hotlinking blocker, but I’m not sure if this is the cause.

    [403 GET / HEAD Request: 25th April, 2014 - 1.08am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 211.253.60.18
    Host Name: mail3.seoul.go.kr
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com/
    REQUEST_URI: /wp-content/uploads/2011/09/f-stops2.gif
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
    
    I also just noticed that some of the errors are from the web server itself...
    
    [403 GET / HEAD Request: 25th April, 2014 - 8.12am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: A.B.C.D
    Host Name: server.domain.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-content/uploads/2010/12/tree-explanada-alicante.jpg
    QUERY_STRING: 
    HTTP_USER_AGENT: WordPress/3.9; http://mydomain.co.uk
    
    Before you ask, here's my hotlinking blocking code...("mydomain" used as placeholder for real name)
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # BLOCK HOTLINKING TO IMAGES
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.co\.uk [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
    
    #15045

    AITpro Admin
    Keymaster

    Replace the older Hotlink protection code with the newer Hotlink protection code here:  http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/

    Manually physically check that your images are loading correctly by going to the image URLs and viewing the images. The second log entry you posted shows that SERVER_PROTOCOL: HTTP/1.0 was used. If you are using the Brute Force protection code that blocks Server Protocol HTTP/1.0 then you may not be able to use that code on your particular website/server. Server Protocol HTTP/1.0 may be used in older Proxy software that you have installed on your particular server.
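
To see why the Google-referred image request in the first log entry gets a 403, the three posted directives are transcribed into Python below, alongside a variant that lets search-engine referers through, which is the kind of change the reply above recommends. This is an added example, not the posted .htaccess code and not the code from the linked forum thread; the search-engine allow-list pattern and the two extra sample requests are my own assumptions.

```python
import re

# Constructed requests in the shape of the two log entries posted above (the Google-
# referred GIF and the referer-less JPEG), plus two made-up cases for contrast.
REQUESTS = [
    {"HTTP_REFERER": "https://www.google.com/",
     "REQUEST_URI": "/wp-content/uploads/2011/09/f-stops2.gif"},
    {"HTTP_REFERER": "",
     "REQUEST_URI": "/wp-content/uploads/2010/12/tree-explanada-alicante.jpg"},
    {"HTTP_REFERER": "http://www.mydomain.co.uk/gallery/",     # constructed: own page
     "REQUEST_URI": "/wp-content/uploads/2010/12/tree-explanada-alicante.jpg"},
    {"HTTP_REFERER": "http://hotlinker.example/",              # constructed: third party
     "REQUEST_URI": "/wp-content/uploads/2014/04/photo.png"},
]

# The posted directives, transcribed one for one into Python regexes.
OWN_SITE = re.compile(r"^https?://(www\.)?mydomain\.co\.uk", re.IGNORECASE)  # [NC]
IMAGE_FILE = re.compile(r".*\.(jpeg|jpg|gif|bmp|png)$")
# Assumed allow-list for the "do not block search engines" variant; the pattern is mine.
SEARCH_ENGINE = re.compile(r"^https?://([a-z0-9-]+\.)*(google|bing|yahoo)\.[a-z.]+/",
                           re.IGNORECASE)


def posted_rule_forbids(req):
    """True when the rule as posted answers 403: referer is not the site's own,
    referer is not empty, and the URI ends in an image extension.  Consecutive
    RewriteCond lines are ANDed, so all three must hold."""
    referer = req["HTTP_REFERER"]
    not_own = OWN_SITE.match(referer) is None
    not_empty = referer != ""
    is_image = IMAGE_FILE.match(req["REQUEST_URI"]) is not None
    return not_own and not_empty and is_image


def search_engine_friendly_forbids(req):
    """Assumed variant: identical, except referers from the listed search engines pass."""
    if SEARCH_ENGINE.match(req["HTTP_REFERER"]):
        return False
    return posted_rule_forbids(req)


def explain(req, rule):
    verdict = "403 Forbidden" if rule(req) else "served"
    return f"{req['REQUEST_URI']} referer={req['HTTP_REFERER'] or '(empty)'} -> {verdict}"


if __name__ == "__main__":
    for r in REQUESTS:
        print("posted rule:      ", explain(r, posted_rule_forbids))
        print("search-engine ok: ", explain(r, search_engine_friendly_forbids))
```

The second logged request (empty referer) is never touched by the posted rule because of the `!^$` condition; the Google one is blocked purely because google.com is not mydomain.co.uk. Note that the referer is supplied by the client, so an allow-list like this keeps Google Images working but is not a security control against a determined scraper, which can send whatever referer it likes.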

    #15046

    Keith
    Participant

    Thanks for the suggestion.

    I still don’t understand what’s happening though. If I clear my browser’s cache, and google the image myself, I can see the preview and larger version fine in Google Images. So what’s happening to the other hosts?

    #15047

    AITpro Admin
    Keymaster

    Maybe your site is being scraped or something like that in the first log entry.  The second log entry shows Server Protocol HTTP/1.0 which was phased out in 1999 – 15 years ago.  The new Server Protocol is HTTP/1.1.  If your server has an old Proxy software installed then it may be using the old Server protocol.  Try using the newer Hotlink protection code and see what happens.

    The general rule of thumb is if everything is actually working fine after checking things then you can assume that the log entries are being created because of some shady activity.  Unfortunately the log entries cannot tell you exactly what that shady activity is.  For example when someone is trying to scrape your website you will see your own domain name listed in the log entry.  That is just the nature of scraping and mirroring.

    #16184

    Gary M. Gordon
    Participant

    [Topic Merged into this relevant Topic]
    k4-nagios.servint.net -BFHS – Blocked/Forbidden Hacker or Spammer
    The below code appeared in my Security Log. I was just curious if you can tell what this is and if I need to be concerned. It indicates the host name is from k4-nagios.servint.net My hosting company is Servint.net. I don’t have a plugin installed on my WordPress site for Nagios. I was curious if you could tell (from what I provided) if this is anything to be concerned about since it says “Hacker/Spammer”. What (if anything) might you recommend I do (or not do).

    [403 GET / HEAD Request: July 11, 2014 - 3:18 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 209.50.225.135
    Host Name: k4-nagios.servint.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: check_http/v1.4.15 (nagios-plugins 1.4.15)

    Thanks,
    Gary

    #16188

    AITpro Admin
    Keymaster

    Nagios looks like a legitimate monitoring service.  A logical guess would be that your Host has installed Nagios to monitor websites.  If Nagios is making a HEAD Request then the Nagios bot will be blocked.  I guess check with ServInt to see what they say.

    #16189

    Gary M. Gordon
    Participant

    Thanks for your clarification .. oh wise one.  🙂
    Gary

    #16491

    Terry Thornton
    Participant

    I am seeing some 403 errors in the log and I am seeing the 403 Forbidden page even though I am logged into the site as admin.  See below.  This example was generated when I tried to trash a comment in my forum.  The REMOTE_ADDR: 71.236.214.5 value is my ip.

    [403 GET / HEAD Request: July 31, 2014 - 12:45]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 71.236.214.5
    Host Name: c-71-236-214-5.hsd1.or.comcast.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
    REQUEST_URI: /wp-admin/post.php?post=1926&action=trash&_wpnonce=55f6b6b491&_wp_http_referer=http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

    #16495

    AITpro Admin
    Keymaster

    The solution is here:  http://forum.ait-pro.com/forums/topic/bbpress-sending-a-topic-to-trash-gives-403/#post-6442 You need to add a wp-admin skip/bypass rule for the post.php file.

    #16505

    Terry Thornton
    Participant

    Now that I have your attention 🙂  I am seeing some other possible false blocks.  The REMOTE_ADDR: 162.251.84.188 is my site’s IP

    [403 GET / HEAD Request: July 31, 2014 - 11:47]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 162.251.84.188
    Host Name: vps.cleanreach.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.cleanreach.com
    REQUEST_URI: /?p=1799
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

    #16507

    AITpro Admin
    Keymaster

    When I use the shortlink I am redirected to your /forums/forum/general/ page without seeing any errors.

    /?p=1799 is the shortlink for your /forums/forum/general/ page

    #18657

    Guillermo
    Participant

    Hello,

    One of my sites is getting bombarded by this brute force attack at a rate of about 50-60 attempts per minute for the past 8 hours. I know the logs mean that the plugin is working, but is there anything else I can do other than just watch them keep trying? I added a deny entry to my htaccess file with the IP below (it is not changing.)

    50-60 ATTEMPTS PER MINUTE FOR OVER 8 HOURS!!!

    [403 GET / HEAD Request: October 23, 2014 - 5:40 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 189.28.177.50
    Host Name: ns1.lancaperfume.com.br
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 189.28.177.50
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    #18666

    AITpro Admin
    Keymaster

    The Security Log is a plain text file that requires an insignificant amount of website/server resources to log attacks.  Blocking and logging attacks does not slow down your website since your WordPress database is not involved and database Queries are not being used.  WordPress database queries are expensive and will slow down a website if excessive queries are being made.  50-60 attacks per minute is a bit high, but is nowhere near a DoS/DDoS attack so you should not be seeing any slowness whatsoever due to these attacks.

    BPS is doing its job so you do not need to do anything else.  FYI – by denying/blocking IP addresses you will see those blocked IP addresses in your BPS Security Log.  The thing to remember is the Security Log is just a plain text log file just like your Host Server’s log file that logs activity.  The log is just logging things.
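
Since the Security Log is just a plain text file, it can be read back and triaged offline. The following is an added example, not part of this thread and not code from BPS: a parser for the log layout shown in the posts above, with simple tags that separate monitoring probes like the Nagios check_http entry, the site's own WordPress HTTP client, and HTTP/1.0 requests from wp-login.php sources hitting at a brute-force rate. The sample entries, IP addresses (documentation ranges), host names, tag names and the threshold are constructed by me.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[403 GET / HEAD Request: (?P<when>.+?)\]$")

# Constructed rows rendered into the BPS Security Log layout seen in this thread.
# None of these addresses or hosts come from the posts.
_ROWS = [
    # (timestamp, REMOTE_ADDR, Host Name, protocol, URI, user agent)
    ("October 23, 2014 - 5:40 am", "203.0.113.10", "ns1.example.net", "HTTP/1.1", "/wp-login.php", ""),
    ("October 23, 2014 - 5:40 am", "203.0.113.10", "ns1.example.net", "HTTP/1.1", "/wp-login.php", ""),
    ("October 23, 2014 - 5:40 am", "203.0.113.10", "ns1.example.net", "HTTP/1.1", "/wp-login.php", ""),
    ("October 23, 2014 - 5:41 am", "203.0.113.10", "ns1.example.net", "HTTP/1.1", "/wp-login.php", ""),
    ("July 11, 2014 - 3:18 pm", "198.51.100.7", "k4-nagios.example.net", "HTTP/1.1", "/",
     "check_http/v1.4.15 (nagios-plugins 1.4.15)"),
    ("April 25, 2014 - 8:12 am", "192.0.2.5", "server.example.com", "HTTP/1.0",
     "/wp-content/uploads/2010/12/tree.jpg", "WordPress/3.9; http://example.com"),
]


def _render(rows):
    """Write the constructed rows in the same field order the plugin's log uses."""
    blocks = []
    for when, ip, host, proto, uri, ua in rows:
        blocks.append("\n".join([
            f"[403 GET / HEAD Request: {when}]",
            "Event Code: BFHS - Blocked/Forbidden Hacker or Spammer",
            "Solution: N/A - Hacker/Spammer Blocked/Forbidden",
            f"REMOTE_ADDR: {ip}", f"Host Name: {host}", f"SERVER_PROTOCOL: {proto}",
            "HTTP_CLIENT_IP:", "HTTP_FORWARDED:", "HTTP_X_FORWARDED_FOR:",
            "HTTP_X_CLUSTER_CLIENT_IP:", "REQUEST_METHOD: GET", "HTTP_REFERER:",
            f"REQUEST_URI: {uri}", "QUERY_STRING:", f"HTTP_USER_AGENT: {ua}",
        ]))
    return "\n\n".join(blocks) + "\n"


SAMPLE_LOG = _render(_ROWS)


def parse_security_log(text):
    """One dict per entry; 'when' holds the header timestamp, other keys are the log fields."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"when": m.group("when")}
            entries.append(current)
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only; URLs keep theirs
            current[key.strip()] = value.strip()
    return entries


def triage(entry, own_ips):
    """Heuristic tags (my own) that separate likely-benign sources from attack traffic."""
    tags = []
    ua = entry.get("HTTP_USER_AGENT", "")
    if ua.startswith("check_http/"):
        tags.append("monitoring-probe")        # Nagios check_http, as in the post above
    if ua.startswith("WordPress/"):
        tags.append("wordpress-http-client")   # another WP install: pingback, cron, scraper
    if entry.get("REMOTE_ADDR") in own_ips:
        tags.append("own-server")              # request originated from the site itself
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        tags.append("http-1.0")                # old protocol: proxy software or a crude bot
    if entry.get("REQUEST_URI", "").endswith("/wp-login.php"):
        tags.append("login-attempt")
    return tags


def login_attempts_per_minute(entries):
    """Peak number of wp-login.php hits from each IP inside one logged minute."""
    per_minute = defaultdict(int)
    for e in entries:
        if "login-attempt" in triage(e, own_ips=set()):
            per_minute[(e["REMOTE_ADDR"], e["when"])] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def brute_force_sources(entries, threshold):
    """IPs whose peak login rate reaches the (constructed) threshold."""
    return sorted(ip for ip, n in login_attempts_per_minute(entries).items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_security_log(SAMPLE_LOG)
    for e in parsed:
        print(e["when"], e["REMOTE_ADDR"], e["REQUEST_URI"], triage(e, {"192.0.2.5"}))
    print("brute-force sources:", brute_force_sources(parsed, threshold=3))
```

The timestamps in the log header only have minute resolution, so grouping on the raw header string is enough to get a per-minute count without parsing the several date formats the plugin has used over the years. A real run would read the log file from disk and pass the server's own address in `own_ips`; the threshold is whatever rate you consider abnormal for your site.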

    #18990

    Marty
    Participant

    Whenever I create a post designed to generate traffic from the site of the post to my primary site I get thousands of the following BPS error log entries:
    The abc.com site is the site containing the post which has only links to the primary site. This error log entry is from the primary site. Is BPS blocking this inbound traffic which we desperately want because there is absolutely no reason for it to be doing so? I would whitelist the posting sites we use but there are hundreds of subdomains. Is there any acceptable use of a wildcard in this situation ex. http://*.abc.com ?

    >>>>>>>>>>> 403 GET or Other Request Error Logged – November 7, 2014 9:36 pm <<<<<<<<<<<
    REMOTE_ADDR: 198.101.10.154
    Host Name: 198.101.10.154
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /quantum-super-food/
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.8.3; http:/abc.com

    #18994

    AITpro Admin
    Keymaster

    I see that the Server Protocol is HTTP/1.0 which is normally used by hackers and spammers since it allows them to do things that they cannot do with the new Server Protocol HTTP/1.1 which was started back in 1999 – 15 years ago. So I think that should be looked at first. If your server is using outdated Proxy software then that may be where the old Server Protocol is coming from or this may just be a typical blocked hacker, spammer, scraper, miner, bad bot, etc etc etc. We get around 500,000 blocked hackers/spammers logged in our Security Log file per month and this is just what is nowadays on the Internet. I see that IP Address 198.101.10.154 is in the CIDR block for CLOUD-SOUTH – Cloud South,US: http://whois.domaintools.com/198.101.10.154 Is this your server’s IP address?

    It may be that there is not really any sort of problem going on and just the normal stuff is being blocked.  I don’t have enough information to make that kind of assessment.  If you do not want to post your domain name in the forum then send it to info at ait-pro dot com and we will check your website to see if there are any problems.
