HTTP_USER_AGENT: curl/7.47.0 – 403 error
Mohamad Hegazy
Participant
Hello,
I’ve been receiving the error log below for 2 days and it keeps going.
Can you help me identify what that is exactly? Thank you!
[403 GET Request: 9 2017 - 4:46 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 88.198.57.242
Host Name: static.88-198-57-242.clients.your-server.de
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: curl/7.47.0
AITpro Admin
Keymaster
The User Agent string is being blocked since “curl” is in the UA String. Do the steps below and let me know if this works.
1. Copy the modified BPS Query String Exploits code below (curl has been removed from the code below) to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Go to the BPS Setup Wizard page, run the Pre-Installation Wizard and Setup Wizard

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
Mohamad Hegazy
Participant
First, thanks for the fast reply, support and effort,
and at this time I have to say that I truly love BPS Pro so much; however many times I say that, you cannot imagine how much I love this plugin.
Really, thank you for bringing such a well-made masterpiece.
I submitted the code and am waiting to see the result; I’ll update you.
Hence, after the latest Jetpack update and after I moved my hosting, I received the following errors just now when I was trying to disable the Jetpack commenting system. And what do you recommend: should I use the default commenting system to make use of the JTC antispam tool?
[403 POST Request: 10 2017 - 12:44 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"comments":false}

[403 POST Request: 10 2017 - 12:44 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"comments":false}

[403 POST Request: 10 2017 - 12:44 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"comments":false}

[403 POST Request: 10 2017 - 12:44 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"subscriptions":false}
thanks again! you are amazing!
AITpro Admin
Keymaster
Glad you like BPS Pro and thanks for the Kudos. Very much appreciated. 🙂
I’ve never seen these types of Security Log entries before for Jetpack. How are you disabling the Jetpack commenting system? Maybe this is something new in a new version of Jetpack? Are you using this BPS Bonus Custom Code: https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ If so, have you added additional code to block the Jetpack JSON Route?
AITpro Admin
Keymaster
Yep, looks like Jetpack released a new version 2 days ago. So we are testing the new Jetpack version right now. What “commenting” settings are you using in Jetpack, so we can test exactly what settings you are using?
Mohamad Hegazy
Participant
No, I didn’t use the block REST API code, nor the extra bounce code.
http://imageshack.com/a/img924/3559/AOYveh.png
I was enabling
Let readers use WordPress.com, Twitter, Facebook, or Google+ accounts to comment
and this was replacing the WP traditional commenting system.
Also I was enabling
Allow users to subscribe to your posts and comments and receive notifications via email
and sharing,
but in general right now I cannot disable any of what was enabled before the update due to the error included in the screenshot above.
Whenever I try to disable or enable a Jetpack module I get this error.
AITpro Admin
Keymaster
Ok great, thanks for the exact details of what to test in Jetpack. We will post back here after testing is completed.
Mohamad Hegazy
Participant
Great, again thanks for the support.
Best regards.
AITpro Admin
Keymaster
Hmm ran into a problem just trying to get Jetpack connected. Jetpack does not allow connections from Local Development servers. I then tried to install and connect Jetpack on a Live hosted site and was unable to connect Jetpack. I thought the problem might be caused by BPS Pro so I deactivated all BPS Pro security features and even completely uninstalled BPS Pro from that test site and Jetpack still will not allow me to connect. I assume our web host is blocking Jetpack???
Error Details: The Jetpack server was unable to communicate with your site example.com [HTTP 403]. Ask your web host if they allow connections from WordPress.com. If you need further assistance, contact Jetpack Support: http://jetpack.com/support/
Do BPS Pro troubleshooting step #1 to confirm or eliminate that BPS Pro is causing the error on your website. https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting The Jetpack Syntax Error error looks specific to Jetpack, but the Security Log entry looks like something BPS Pro might be blocking in the BPS Root htaccess file. Or maybe some additional custom htaccess code?
Mohamad Hegazy
Participant
OK, here’s what I found. I disabled ARQ to make things easier first.
I removed Jetpack and reinstalled it.
The same issue happened.
I deactivated Root Folder BulletProof Mode.
I tried Jetpack again and it’s functional now.
Then I started removing custom codes one by one and reactivating RBM.
I found the issue in this code:
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
#RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
#RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Whitelist Wordfence POST Request by Query String
RewriteCond %{QUERY_STRING} !^_wfsf=(.*) [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
I put all my custom code back without this one
and Jetpack is still working.
Once I put the above code in its proper place, Jetpack cannot connect.
And every time I activate RBM mode I lose the WP-ROCKET cache plugin code, but I can manage it anyway; I don’t disable it that much.
AITpro Admin
Keymaster
Add your WP Rocket htaccess code to BPS Custom Code: https://forum.ait-pro.com/forums/topic/wp-rocket-plugin-htaccess-code-where-to-put-it/#post-25441 You can also add your WP Rocket htaccess code directly in the Default Root htaccess file > htaccess File Editor > default.htaccess tab > copy your WP Rocket htaccess code into this file/text area box > click the Update File button.
default.htaccess File Exception: You can create a Custom default.htaccess file that will be saved permanently by editing the default.htaccess file using the htaccess File Editor. Your Custom default.htaccess file will be saved permanently to this folder: /bps-backup/master-backups/default.htaccess. If you have created a Custom default.htaccess file then it will be automatically copied from the /bps-backup/master-backups/ folder during a BPS plugin upgrade and will replace the default BPS default.htaccess Master file.
For the Jetpack POST Attack Protection whitelist rule add this additional line of whitelist code in your POST Attack Protection code in BPS Custom Code, save your changes, click the Save Root Custom Code button and activate Root Folder BulletProof Mode again.
# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
Mohamad Hegazy
Participant
For WP Rocket, thanks very much for the solution; I’ll implement it.
For Jetpack, the POST Attack Protection code didn’t work.
The same error happens,
and the same error log in BPS Pro:

[403 POST Request: 10 2017 - 4:28 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"gravatar-hovercards":false}

[403 POST Request: 10 2017 - 4:28 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 2.49.131.20
Host Name: 2.49.131.20
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
REQUEST_URI: /wp-json/jetpack/v4/settings
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
REQUEST BODY: {"subscriptions":true}
thank you again
AITpro Admin
Keymaster
Oops. Gave you the wrong whitelist rule for Jetpack. Try this whitelist rule below.
# Whitelist Jetpack wp-admin JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
Mohamad Hegazy
Participant
Thank you for the speedy assist. Unfortunately it didn’t work either, but I’m okay to try all solutions with you.
AITpro Admin
Keymaster
Hmm I’m out of ideas to try. So I guess you cannot use the POST Attack Protection Bonus Custom Code with Jetpack. If we can figure out how to get Jetpack installed and working on our web host then we will try and figure this out at a later time and post a solution back here. I tried several times to get Jetpack installed and connected on our web host without getting anywhere. 😉
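Added example (not part of the thread and not BPS code): a small Python model of how the POST Request Attack Protection conditions quoted above combine, run against the request fields from the WPADMIN-SBR Security Log entries. It assumes mod_rewrite sees the values exactly as logged and models only this one block; the names failing_condition and blocked are invented for the example.

```python
import re

# Active (uncommented) conditions of the POST Request Attack Protection block
# quoted in the thread; its RewriteRule is "^(.*)$ - [F]", i.e. a 403.
POST_BLOCK = r"""
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
RewriteCond %{QUERY_STRING} !^_wfsf=(.*) [NC]
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
"""
# The two whitelist conditions suggested later in the thread.
WL_QUERY = "RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]"
WL_URI = "RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]"

# Request fields copied from the WPADMIN-SBR Security Log entries in the thread.
LOGGED = {
    "REQUEST_METHOD": "POST",
    "REQUEST_URI": "/wp-json/jetpack/v4/settings",
    "QUERY_STRING": "",
    "HTTP_REFERER": "https://www.mtmrev.com/wp-admin/admin.php?page=jetpack",
}

def failing_condition(block, request):
    """Return the first RewriteCond that is false for `request`, else None."""
    for line in block.strip().splitlines():
        _, var, pattern, flags = line.split()
        negated = pattern.startswith("!")
        value = request.get(var[2:-1], "")  # "%{REQUEST_URI}" -> "REQUEST_URI"
        matched = re.search(pattern.lstrip("!"), value,
                            re.I if "NC" in flags else 0) is not None
        if matched == negated:  # this condition is false, so the rule is skipped
            return line
    return None

def blocked(block, request):
    """Conditions without [OR] are ANDed: the 403 applies only if none is false."""
    return failing_condition(block, request) is None
```

For the logged request, blocked(POST_BLOCK + WL_QUERY, LOGGED) stays true because the logged QUERY_STRING is empty, while failing_condition(POST_BLOCK + WL_URI, LOGGED) returns the /wp-json/jetpack/ condition. The thread reports the 403 persisted on the live site with that condition added, so the model narrows where to look rather than settling it.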