403 GET|HEAD Request Log Entries
Tagged: 403 error, CAPTCHA, captcha log entries
jenni101
Participant
OK, thanks – all clear now!
Krzysztof
Participant
Hello!
Today in the morning I got a strange security log entry:

[403 GET / HEAD Request: 18 sierpnia 2015 - 09:38]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 162.158.93.54
Host Name: 162.158.93.54
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 37.24.213.203
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://xxxxxxxxx/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fphp%2Fphp-options.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/php/bps-phpinfo.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
AITpro Admin
Keymaster
When you click the View PHPINFO button on the PHP Info Viewer tab page in P-Security and your server blocks the PHP Info page then you will see a 403 error. I have seen some web hosts block or disable the PHP phpinfo() function on the server. Or the problem could be with the additional X-forwarded-for IP address indicating a Proxy.
Krzysztof
Participant
Here is a new one:

[403 GET / HEAD Request: 18 sierpnia 2015 - 10:27]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 162.158.93.9
Host Name: 162.158.93.9
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 37.24.213.203
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: xxxx/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fsecurity-log%2Fsecurity-log.php&settings-updated=true
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bps-ui-accordion.js?ver=4.2.4
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
AITpro Admin
Keymaster
Looks like your Proxy is not configured correctly: HTTP_X_FORWARDED_FOR: 37.24.213.203
The general format of the field is: X-Forwarded-For: client, proxy1, proxy2
Krzysztof
Participant
Could this be cloudflare?
AITpro Admin
Keymaster
Maybe, not really sure? The IP address points to this host: http://whois.domaintools.com/37.24.213.203
Krzysztof
Participant
I have turned on Cloudflare yesterday and until then all worked well. I have the same issues as described here: http://forum.ait-pro.com/forums/topic/security-errors-from-cloudflare-and-a-broken-bps-pro/ All menus are broken, and I get tons of security entries in my log like the one above. Any hints what to do except turning off Cloudflare?
AITpro Admin
Keymaster
Hint: uninstall Cloudflare. 😉 Just kidding, but unfortunately the last time I tested Cloudflare was a couple of years ago so cannot offer any suggestions. What I commonly hear is that Cloudflare Rocket breaks a lot of things. Other than that I do not have any advice or suggestions and you will have to check with Cloudflare support.
Krzysztof
Participant
Confirmed – CloudFlare off – everyone happy and everything working. I presume that the system didn’t like the fact that probably some scripts were transferred via cloudflare and BPS didn’t like it.
One way or the other – my second take on cloudflare ended faster than the first one.
AITpro Admin
Keymaster
Yep, the HTTP_X_FORWARDED_FOR Header was not valid whatsoever so I imagine lots of things would be broken on this site.
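The field format quoted above (client, proxy1, proxy2) applied to one of the log entries from this thread, as an added example that is not part of any post and is not BPS code. The function names and the `TRUSTED` range are assumptions; replace the range with the proxy ranges you have confirmed for your own site.

```python
import ipaddress
import re

# Field labels exactly as they appear in the log entries quoted in this thread.
FIELDS = ["Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
          "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
          "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
LABEL_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELDS)) + r"):")

def parse_entry(text):
    """Split one log entry into {label: value}; empty fields become ''."""
    hits = list(LABEL_RE.finditer(text))
    bounds = [h.start() for h in hits[1:]] + [len(text)]
    return {h.group(1): text[h.end():end].strip() for h, end in zip(hits, bounds)}

def client_ip(entry, trusted_proxies):
    """Return (address, source). X-Forwarded-For is believed only when the
    connecting peer (REMOTE_ADDR) is inside an operator-supplied proxy range."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(entry["REMOTE_ADDR"])
    xff = entry.get("HTTP_X_FORWARDED_FOR", "")
    chain = [h.strip() for h in xff.split(",") if h.strip()]
    if not chain or not any(peer in n for n in nets):
        return str(peer), "REMOTE_ADDR"      # header absent, or sent by an untrusted peer
    for hop in reversed(chain):              # format is: client, proxy1, proxy2
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer), "REMOTE_ADDR"  # malformed hop: fall back to the peer
        if not any(addr in n for n in nets):
            return str(addr), "X-Forwarded-For"
    return str(peer), "REMOTE_ADDR"

# Abridged from the first entry posted above (referer and user agent shortened).
SAMPLE = ("[403 GET / HEAD Request: 18 sierpnia 2015 - 09:38] Event Code: PFWR-PSBR-HPR "
          "Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ "
          "REMOTE_ADDR: 162.158.93.54 Host Name: 162.158.93.54 SERVER_PROTOCOL: HTTP/1.1 "
          "HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 37.24.213.203 "
          "HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: "
          "REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/php/bps-phpinfo.php "
          "QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0")
TRUSTED = ["162.158.0.0/15"]  # assumption: a range the operator has confirmed as their proxy

if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(e["REQUEST_URI"], client_ip(e, TRUSTED))
```

With an empty trusted list the header is ignored and REMOTE_ADDR is reported, which is the safe default when the proxy in front of the site has not been identified.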
popljubo
Participant
Hi!
I have received this kind of error, but the strange thing is that the line HTTP_X_FORWARDED_FOR has my own IP:

[403 GET / HEAD Request: 02.10.2015 - 12:22]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 66.249.93.233
Host Name: google-proxy-66-249-93-233.google.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: my IP
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Google favicon
AITpro Admin
Keymaster
Google crawlers (bots, spiders): https://support.google.com/webmasters/answer/1061943?hl=en I do not see “Google favicon” listed as a valid Google bot. The IP address and hostname are valid. What is unusual/suspicious is the bot crawled your Login page. When your site is scraped or mirrored your website’s IP address will be listed in the log entry. If your ISP IP address (Public IP address) was shown in HTTP_X_FORWARDED_FOR then that would probably mean you have something installed in your Browser (add-on, extension) or on your computer that is causing this security log entry.
popljubo
Participant
Thank you. It was a browser extension: Chrome Logger
MMBCB
Participant
Multiple 403 errors greeted me this morning. They are all from the same IP which I cannot identify. The plugins are indeed real plugins that I installed. I recently updated the buddypress plugin, but the “/wp-content/plugins/js_composer/assets/js/js_composer_front.js?ver=4.8.1” has not been modified since website install, Nov.17th.
This is my first post here and I may need just a little hand holding please as I wrap my head around WP security.

[403 GET|HEAD Request: December 5, 2015 - 7:32 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 98.15.139.186
Host Name: cpe-98-15-139-186.hvc.res.rr.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mainstreammediaboycott.com/
REQUEST_URI: /wp-content/plugins/buddypress/bp-groups/js/widget-groups.min.js?ver=2.4.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

[403 GET|HEAD Request: December 5, 2015 - 7:32 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 98.15.139.186
Host Name: cpe-98-15-139-186.hvc.res.rr.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mainstreammediaboycott.com/
REQUEST_URI: /wp-content/plugins/buddypress/bp-activity/js/mentions.min.js?ver=2.4.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

[403 GET|HEAD Request: December 5, 2015 - 7:32 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 98.15.139.186
Host Name: cpe-98-15-139-186.hvc.res.rr.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mainstreammediaboycott.com/
REQUEST_URI: /wp-content/plugins/buddypress/bp-core/js/jquery.caret.min.js?ver=2.4.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

[403 GET|HEAD Request: December 5, 2015 - 7:32 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 98.15.139.186
Host Name: cpe-98-15-139-186.hvc.res.rr.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mainstreammediaboycott.com/
REQUEST_URI: /wp-content/plugins/js_composer/assets/js/js_composer_front.js?ver=4.8.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

[403 GET|HEAD Request: December 5, 2015 - 7:32 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 98.15.139.186
Host Name: cpe-98-15-139-186.hvc.res.rr.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mainstreammediaboycott.com/
REQUEST_URI: /wp-content/plugins/buddypress/bp-core/js/jquery.atwho.min.js?ver=2.4.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0