Image file 403 error, Images 403 error

  • #15680
    Krzysztof
    Participant

    Hello,

    If I upload a photo BPS is registering things like this:

    [403 GET / HEAD Request: 18/06/2014 - 12:52]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 185.5.98.32
    Host Name: vz13304.dahost.pl
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2014/06/southampton-hamburg.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.9.1; https://www.infolotnicze.pl
    

    This is very strange. What can I do about it?

    #15682
    AITpro Admin
    Keymaster

    When I check the image URL the image is displayed to me without any problems.
    https://www.infolotnicze.pl/wp-content/uploads/2014/06/southampton-hamburg.jpg

    Troubleshooting: Check that your image files are actually displaying fine and you can ignore these 403 errors if they are displaying fine.

    Possible causes:

    A common known issue when retrieving images/image files is that something else that an image retrieval script is doing is blocked, but image retrieval is working fine. i.e. images are displayed fine and the only thing that is affected/blocked is whatever additional things are being done in the image retrieval script that may be in a plugin or theme. You would check that your image files are displaying correctly and if they are you can ignore these 403 errors.

    The Server Protocol is HTTP/1.0 which usually indicates that an outdated Proxy is being used on your server.  The new Server Protocol since 1999 is HTTP/1.1.

    Your website/image files are being scraped/mirrored/mined.  When image files are being scraped/mirrored/mined the 403 error will show all of your website information in the 403 error.  That is just the nature of how scraping/mining/mirroring is done.

    Your site’s DNS information indicates that your site may be using a Proxy or Load Balancer.

    #15686
    Krzysztof
    Participant

    The situation is like this:

    one company is responsible for domain – nazwa.pl
    one company is responsible for VPS server – the server IP is shown there I think
    one company is responsible for mail service – home.pl

    The system is set like that so if there is an attack on the server like DDOS the mail service will still work normally – that is what I was told.

    The images are shown properly – the message is registered only during uploading a photo while creating a post and putting that image into the post and as post miniature.

    I can ask about the server protocol but whom should I ask? The people from the domain, server or the mail service?

    #15688
    AITpro Admin
    Keymaster

    Ok let me rephrase this so that you see that there is not a problem at all.  You are able to upload image files.  You are able to view image files.  You are seeing a 403 error logged.  The 403 error can be ignored because everything is working correctly.  The 403 error is what I refer to/call a “nuisance” error since everything is working correctly.  You can just ignore these 403 errors – they do not affect or negatively impact anything.

    #15693
    Krzysztof
    Participant

    Roger! 😉

    #20217
    Riccardo
    Participant

    [Topic has been merged into this similar relevant Topic]

    Hi! I found in my security log that BPS blocked the access for some images in a webpage. This is the code:

    [403 GET / HEAD Request: dicembre 24, 2014 - 10:01 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 92.107.221.221
    Host Name: 221-221.107-92.cust.bluewin.ch
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-content/uploads/2012/05/star.png
    QUERY_STRING: 
    HTTP_USER_AGENT: OpenOffice/4.0.1

    I also found this thread where it is said to ignore the errors if the images are displaying fine: http://forum.ait-pro.com/forums/topic/bps-thinks-my-own-server-is-an-attacker/

    My images are displaying fine, so I’ll ignore these errors, but I wonder if there is a method to avoid this sort of false alert, because I want to be alerted only for real problems. Is there a sort of whitelist or something else to filter these messages?

    Thanks.

    #20227
    AITpro Admin
    Keymaster

    @ Riccardo – I may split this into a separate OpenOffice Topic at some point depending on if I find other similar cases of this.  Taking the general logic in this forum topic a step further here is the scenario that is occurring.  Besides image retrieval several other things may be happening and one of those things is being blocked for whatever reason.  The Security Log entry does not show exactly what that might be, but since image retrieval is actually working correctly then just ignore these log entries.

    #20374
    Vamsi
    Participant

    [Topic has been merged into this relevant Topic]

    Hi

    I am using 2 custom icons (png files) for a plugin of mine from the uploads folder. Every time the page with the plugin is activated, it is being logged as a security error. Can you please tell me how to configure the tool to plugin to ignore access to these 2 files.

    [403 GET / HEAD Request: January 9, 2015 - 8:14 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://xxx.com/office-locations/
    REQUEST_URI: /wp-content/uploads/location-icon.png
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    
    [403 GET / HEAD Request: January 9, 2015 - 8:14 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://xxx.com/office-locations/
    REQUEST_URI: /wp-content/uploads/Doctor-icon.png
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

    Thanks
    Vamsi

    #20377
    AITpro Admin
    Keymaster

    @ Vamsi – Are the images displaying correctly or are they actually being blocked?  The BPS root htaccess file and BPS UAEG do not block .png file types.  If the images are displaying correctly then that means that something in the method used to retrieve the image files is doing something that is being blocked, but image retrieval is working fine.

    #20378
    Vamsi
    Participant

    Thank You Admin.

    The images are being displayed as expected. Is there anything you can suggest on how I can find out what is causing this error?

    Thanks
    Vamsi

    #20380
    AITpro Admin
    Keymaster

    This would be considered a nuisance error and you can just ignore it, but if you want to find out what code is causing the error then you would need to look at whatever code is used for displaying the image.  i.e. if the code is in a plugin then you would look at the plugin’s code and find the specific code that is used for displaying the icon image files.  Most likely the code is doing something that is not a WordPress standard method for displaying icon image files or some method that is not a good coding standard practice in general.  Typically plugins have their own image folder within the plugin itself and then use standard link code for images displayed on pages and for the WordPress menu icons you would use standard WordPress menu code like this below.

    add_menu_page(__('BulletProof Pro Security Settings', 'bulletproof-security'), __('BPS Pro', 'bulletproof-security'), 'manage_options', 'bulletproof-security/admin/login/login.php', '', plugins_url('bulletproof-security/admin/images/bps-icon-small.png') );
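
Added example, not part of any forum post and not BPS code: a small triage script for Security Log text in the field layout quoted in this thread. It collapses repeated 403 entries for plain image GETs under /wp-content/uploads/ so they can be checked once and kept apart from everything else. The class names, the `site_ips` parameter (the site's own server addresses, supplied by whoever runs it) and the sample entries are assumptions made for illustration.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[(\d{3}) .+? Request: (.+)\]$")
IMAGE_RE = re.compile(r"^/wp-content/uploads/.+\.(?:png|jpe?g|gif)$", re.I)

def parse_entries(log_text):
    """Split Security Log text into one dict per entry (field name -> value)."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            entries.append({"status": header.group(1), "when": header.group(2)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def classify(entry, site_ips=()):
    """Return 'self-request', 'image-403' or 'review' for one parsed entry."""
    uri = entry.get("REQUEST_URI", "")
    ok = (entry.get("status") == "403" and entry.get("REQUEST_METHOD") == "GET"
          and not entry.get("QUERY_STRING") and ".." not in uri
          and IMAGE_RE.match(uri))
    if not ok:
        return "review"          # anything else deserves a human look
    if (entry.get("REMOTE_ADDR") in site_ips
            and entry.get("HTTP_USER_AGENT", "").startswith("WordPress/")):
        return "self-request"    # the site fetching its own upload
    return "image-403"           # confirm the image displays, then treat as noise

def summarize(log_text, site_ips=()):
    """Count entries per (class, REQUEST_URI) so repeats collapse to one row."""
    return Counter((classify(e, site_ips), e.get("REQUEST_URI", ""))
                   for e in parse_entries(log_text))

def _entry(ip, uri, agent):
    # Constructed sample entry in the field layout shown in the posts above.
    return ("[403 GET / HEAD Request: January 9, 2015 - 8:14 am]\n"
            "Event Code: BFHS - Blocked/Forbidden Hacker or Spammer\n"
            f"REMOTE_ADDR: {ip}\nREQUEST_METHOD: GET\nREQUEST_URI: {uri}\n"
            f"QUERY_STRING:\nHTTP_USER_AGENT: {agent}\n\n")

SAMPLE_LOG = (
    _entry("203.0.113.10", "/wp-content/uploads/2014/06/a.jpg", "WordPress/3.9.1; https://example.test")
    + _entry("198.51.100.7", "/wp-content/uploads/icon.png", "Mozilla/5.0") * 2
    + _entry("198.51.100.7", "/example-path.php", "Mozilla/5.0"))
for (kind, uri), n in sorted(summarize(SAMPLE_LOG, {"203.0.113.10"}).items()):
    print(f"{kind:13} x{n}  {uri}")
```

The `image-403` rows are only candidates: load each listed image once to confirm it displays before treating its entries as noise.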