403 GET|HEAD Request Log Entries

Home Forums BulletProof Security Pro 403 GET|HEAD Request Log Entries

  • This topic has 95 replies, 20 voices, and was last updated 2 months ago by x.
Viewing 15 posts - 61 through 75 (of 96 total)
  • Author
    Posts
  • #22433
    jenni101
    Participant

    OK, thanks – all clear now!

    #24504
    Krzysztof
    Participant

    Hello!

    Today in the morning I got a strange security log entry:

    [403 GET / HEAD Request: 18 sierpnia 2015 - 09:38]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 162.158.93.54
    Host Name: 162.158.93.54
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 37.24.213.203
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://xxxxxxxxx/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fphp%2Fphp-options.php
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/php/bps-phpinfo.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
    #24506
    AITpro Admin
    Keymaster

    When you click the View PHPINFO button on the PHP Info Viewer tab page in P-Security and your server blocks the PHP Info page then you will see a 403 error.  I have seen some web hosts block or disable the PHP phpinfo() function on the server.  Or the problem could be with the additional X-forwarded-for IP address indicating a Proxy.

    #24508
    Krzysztof
    Participant

    Here is a new one:

    [403 GET / HEAD Request: 18 sierpnia 2015 - 10:27]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 162.158.93.9
    Host Name: 162.158.93.9
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 37.24.213.203
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: xxxx/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fsecurity-log%2Fsecurity-log.php&settings-updated=true
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bps-ui-accordion.js?ver=4.2.4
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
    #24510
    AITpro Admin
    Keymaster

    Looks like your Proxy is not configured correctly:  HTTP_X_FORWARDED_FOR: 37.24.213.203
    The general format of the field is: X-Forwarded-For: client, proxy1, proxy2

    #24511
    Krzysztof
    Participant

    Could this be cloudflare?

    #24517
    AITpro Admin
    Keymaster

    Maybe, not really sure?  The IP address points to this host: http://whois.domaintools.com/37.24.213.203

    #24518
    Krzysztof
    Participant

    I have turned on cloudflare yesterday and untill than all worked well. I have the same issues as described here: http://forum.ait-pro.com/forums/topic/security-errors-from-cloudflare-and-a-broken-bps-pro/ All menus are broken, and I et tons of security entries in my log as the one above. Any hints what to do excpet turning off cloudflare?

    #24520
    AITpro Admin
    Keymaster

    Hint:  uninstall Cloudflare.  😉  Just kidding, but unfortunately the last time I tested Cloudflare was a couple of years ago so cannot offer any suggestions.  What I commonly hear is that Cloudflare Rocket breaks a lot of things.  Other than that I do not have any advice or suggestions and you will have to check with Cloudflare support.

    #24580
    Krzysztof
    Participant

    Confirmed – CloudFlare off – everyone happy and everything working. I presuem that the system didn’t like the fact that probably some scripts were transfered via cloudflare and BPS didn’t like it.

    One way or the other – my second take on cloudflare ended faster than the first one.

    #24585
    AITpro Admin
    Keymaster

    Yep, the HTTP_X_FORWARDED_FOR Header was not valid whatsoever so I imagine lots of things would be broken on this site.

    #25427
    popljubo
    Participant

    Hi!
    I have received this kind of  error, but strange is that the line HTTP_X_FORWARDED_FOR have my own IP:

    [403 GET / HEAD Request: 02.10.2015 - 12:22]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 66.249.93.233
    Host Name: google-proxy-66-249-93-233.google.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: my IP
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Google favicon
    #25429
    AITpro Admin
    Keymaster

    Google crawlers (bots, spiders): https://support.google.com/webmasters/answer/1061943?hl=en  I do not see “Google favicon” listed as a valid Google bot.  The IP address and hostname are valid.  What is unusual/suspicious is the bot crawled your Login page.  When your site is scraped or mirrored your website’s IP address will be listed in the log entry.  If your ISP IP address (Public IP address) was shown in HTTP_X_FORWARDED_FOR then that would probably mean you have something installed in your Browser (add-on, extension) or on your computer that is causing this security log entry.

    #25601
    popljubo
    Participant

    Thank you. It was a browser extension: Chrome Logger

    #26899
    MMBCB
    Participant

    Multiple 403 errors greeted me this morning.  They are all from the same IP which I cannot identify.  The plugins are indeed real plugins that I installed.  I recently updated the buddypress plugin, but the “/wp-content/plugins/js_composer/assets/js/js_composer_front.js?ver=4.8.1” has not been modified since website install, Nov.17th.

    This is my first post here and I may need just a little hand holding please as I wrap my head around WP security.

    [403 GET|HEAD Request: December 5, 2015 - 7:32 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 98.15.139.186
    Host Name: cpe-98-15-139-186.hvc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mainstreammediaboycott.com/
    REQUEST_URI: /wp-content/plugins/buddypress/bp-groups/js/widget-groups.min.js?ver=2.4.2
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET|HEAD Request: December 5, 2015 - 7:32 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 98.15.139.186
    Host Name: cpe-98-15-139-186.hvc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mainstreammediaboycott.com/
    REQUEST_URI: /wp-content/plugins/buddypress/bp-activity/js/mentions.min.js?ver=2.4.2
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET|HEAD Request: December 5, 2015 - 7:32 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 98.15.139.186
    Host Name: cpe-98-15-139-186.hvc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mainstreammediaboycott.com/
    REQUEST_URI: /wp-content/plugins/buddypress/bp-core/js/jquery.caret.min.js?ver=2.4.2
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET|HEAD Request: December 5, 2015 - 7:32 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 98.15.139.186
    Host Name: cpe-98-15-139-186.hvc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mainstreammediaboycott.com/
    REQUEST_URI: /wp-content/plugins/js_composer/assets/js/js_composer_front.js?ver=4.8.1
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET|HEAD Request: December 5, 2015 - 7:32 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 98.15.139.186
    Host Name: cpe-98-15-139-186.hvc.res.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mainstreammediaboycott.com/
    REQUEST_URI: /wp-content/plugins/buddypress/bp-core/js/jquery.atwho.min.js?ver=2.4.2
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
Viewing 15 posts - 61 through 75 (of 96 total)
  • You must be logged in to reply to this topic.