HTTP_USER_AGENT: curl/7.47.0 – 403 error

This topic contains 22 replies, has 2 voices, and was last updated by  Mohamad Hegazy 1 year, 2 months ago.

  • #32941

    Mohamad Hegazy
    Participant

    Hello,
    I have been receiving the error log below for 2 days and it keeps going.
    Can you help me identify what that is exactly?

    Thank you!

    [403 GET Request: 9  2017 - 4:46 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 88.198.57.242
    Host Name: static.88-198-57-242.clients.your-server.de
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: curl/7.47.0
    
    #32942

    AITpro Admin
    Keymaster

    The User Agent string is being blocked since “curl” is in the UA String. Do the steps below and let me know if this works.

    1. Copy the modified BPS Query String Exploits code below (curl has been removed from the code below) to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
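
Added example (not part of the original post and not BPS code): the three User Agent conditions from the block above, replayed in Python against the logged `curl/7.47.0` string to confirm the edit and to show which other clients the substring match catches. The position of `curl` in the unmodified list and the last two sample strings are assumptions constructed for illustration.

```python
import re

# The three HTTP_USER_AGENT conditions from the modified block above. [NC] maps to
# re.IGNORECASE; a RewriteCond pattern is an unanchored search, so any substring hit counts.
UA_CONDS = {
    "tool-name list": r"(havij|libwww-perl|wget|python|nikto|scan|java|winhttp|clshttp|loader)",
    "encoded characters": r"(%0A|%0D|%27|%3C|%3E|%00)",
    "metacharacter then tool": r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)""",
}

# Assumption: the unmodified rule is not shown in the thread; "curl" is placed in the
# first list here only to model the state before the edit.
UA_CONDS_BEFORE = dict(UA_CONDS)
UA_CONDS_BEFORE["tool-name list"] = UA_CONDS["tool-name list"].replace("(havij|", "(havij|curl|")

SAMPLES = [
    "curl/7.47.0",  # from the first Security Log entry
    # from the later Security Log entries
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/57.0.2987.133 Safari/537.36",
    "python-requests/2.13.0",                        # constructed sample
    "Mozilla/5.0 (compatible; ExampleScanner/1.0)",  # constructed sample
]

def matched_conditions(user_agent, conds=UA_CONDS):
    """Names of the conditions that match; one match is enough for the [OR] chain to 403."""
    return [name for name, pat in conds.items() if re.search(pat, user_agent, re.I)]

def report(conds=UA_CONDS):
    """Map each sample User Agent to the conditions that would block it."""
    return {ua: matched_conditions(ua, conds) for ua in SAMPLES}

if __name__ == "__main__":
    for label, conds in (("before edit", UA_CONDS_BEFORE), ("after edit", UA_CONDS)):
        for ua, hits in report(conds).items():
            print(f"{label:12} {'403' if hits else 'ok':4} {ua[:40]:40} {hits}")
```

Running the same check over the User Agents of any automated clients a site depends on, before saving Custom Code, shows which entries of the list would need to be removed for them.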

    #32943

    Mohamad Hegazy
    Participant

    First, thanks for the fast reply, support and effort,
    and at this time I have to say that I truly love BPS Pro so much; how many times I will say that, you cannot imagine how much I love this plugin.
    Really, thank you for bringing such a well-made masterpiece.

    I submitted the code and am waiting to see the result; I’ll update you.

    Also, after the latest Jetpack update and after I moved my hosting, I received the following errors just now when I was trying to disable the Jetpack commenting system. What do you recommend: should I use the default commenting system to make use of the JTC antispam tool?

    [403 POST Request: 10  2017 - 12:44 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"comments":false}
    
    [403 POST Request: 10  2017 - 12:44 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"comments":false}
    
    [403 POST Request: 10  2017 - 12:44 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"comments":false}
    
    [403 POST Request: 10  2017 - 12:44 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"subscriptions":false}
    

    Thanks again! You are amazing!

    #32944

    AITpro Admin
    Keymaster

    Glad you like BPS Pro and thanks for the Kudos.  Very much appreciated.  🙂

    I’ve never seen these types of Security Log entries before for Jetpack. How are you disabling the Jetpack commenting system? Maybe this is something new in a new version of Jetpack? Are you using this BPS Bonus Custom Code: https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ If so, have you added additional code to block the Jetpack JSON Route?

    #32945

    AITpro Admin
    Keymaster

    Yep, looks like Jetpack released a new version 2 days ago. So we are testing the new Jetpack version right now. What “commenting” settings are you using in Jetpack, so we can test exactly what settings you are using?

    #32946

    Mohamad Hegazy
    Participant

    No, I didn’t use the block REST API codes nor the extra bounce code.

    http://imageshack.com/a/img924/3559/AOYveh.png

    I was enabling
    “Let readers use WordPress.com, Twitter, Facebook, or Google+ accounts to comment”
    and this was replacing the WP traditional commenting system.
    Also I was enabling
    “Allow users to subscribe to your posts and comments and receive notifications via email”
    and sharing.

    But in general, right now I cannot disable any of what was enabled before the update, due to the error included in the screenshot above.
    Whenever I try to disable or enable a Jetpack module I get this error.

    #32947

    AITpro Admin
    Keymaster

    Ok great thanks for the exact details of what to test in Jetpack.  We will post back here after testing is completed.

    #32948

    Mohamad Hegazy
    Participant

    Great, again thanks for the support.
    Best regards.

    #32949

    AITpro Admin
    Keymaster

    Hmm ran into a problem just trying to get Jetpack connected.  Jetpack does not allow connections from Local Development servers.  I then tried to install and connect Jetpack on a Live hosted site and was unable to connect Jetpack.  I thought the problem might be caused by BPS Pro so I deactivated all BPS Pro security features and even completely uninstalled BPS Pro from that test site and Jetpack still will not allow me to connect.  I assume our web host is blocking Jetpack???

    Error Details: The Jetpack server was unable to communicate with your site example.com [HTTP 403]. Ask your web host if they allow connections from WordPress.com. If you need further assistance, contact Jetpack Support: http://jetpack.com/support/

    Do BPS Pro troubleshooting step #1 to confirm or eliminate that BPS Pro is causing the error on your website.  https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting  The Jetpack Syntax Error error looks specific to Jetpack, but the Security Log entry looks like something BPS Pro might be blocking in the BPS Root htaccess file.  Or maybe some additional custom htaccess code?

    #32950

    Mohamad Hegazy
    Participant

    OK, here’s what I found. I disabled ARQ to make things easier first.
    I removed Jetpack and reinstalled it.
    The same issue happened.
    I deactivated Root Folder BulletProof Mode.
    I tried Jetpack again and it’s functional now.

    Then I started removing custom codes one by one and reactivating RBM.

    I found the issue in this code:

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    #RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    #RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Whitelist Wordfence POST Request by Query String
    RewriteCond %{QUERY_STRING} !^_wfsf=(.*) [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    I put all my custom code back without this one
    and Jetpack is still working.

    Once I put the above code in its proper place, Jetpack cannot connect.

    And every time I activate RBM mode I lose the WP-ROCKET cache plugin codes, but I can manage it anyway; I don’t disable it that much.

    #32951

    AITpro Admin
    Keymaster

    Add your WP Rocket htaccess code to BPS Custom Code:  https://forum.ait-pro.com/forums/topic/wp-rocket-plugin-htaccess-code-where-to-put-it/#post-25441  You can also add your WP Rocket htaccess code directly in the Default Root htaccess file > htaccess File Editor > default.htaccess tab > copy your WP Rocket htaccess code into this file/text area box > click the Update File button.

    default.htaccess File Exception: You can create a Custom default.htaccess file that will be saved permanently by editing the default.htaccess file using the htaccess File Editor. Your Custom default.htaccess file will be saved permanently to this folder: /bps-backup/master-backups/default.htaccess. If you have created a Custom default.htaccess file then it will be automatically copied from the /bps-backup/master-backups/ folder during a BPS plugin upgrade and will replace the default BPS default.htaccess Master file.

    For the Jetpack POST Attack Protection whitelist rule add this additional line of whitelist code in your POST Attack Protection code in BPS Custom Code, save your changes, click the Save Root Custom Code button and activate Root Folder BulletProof Mode again.

    # Whitelist Jetpack POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]

    #32952

    Mohamad Hegazy
    Participant

    For WP-Rocket, thanks very much for the solution; I’ll implement it.

    For the Jetpack POST Attack Protection code, it didn’t work.
    The same error happens,
    and the same error log in BPS Pro:

    [403 POST Request: 10  2017 - 4:28 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"gravatar-hovercards":false}
    
    [403 POST Request: 10  2017 - 4:28 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.49.131.20
    Host Name: 2.49.131.20
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.mtmrev.com/wp-admin/admin.php?page=jetpack
    REQUEST_URI: /wp-json/jetpack/v4/settings
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    REQUEST BODY: {"subscriptions":true}
    

    Thank you again.

    #32953

    AITpro Admin
    Keymaster

    Oops. Gave you the wrong whitelist rule for Jetpack.  Try this whitelist rule below.

    # Whitelist Jetpack wp-admin JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
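
Added example (not from the thread and not BPS code): a small Python model of how a chain of `RewriteCond` lines decides whether `RewriteRule ^(.*)$ - [F]` fires, run on the active POST Request Attack Protection conditions posted earlier and on the logged Jetpack request, with each whitelist line proposed in the thread. It assumes Python's `re` stands in for Apache's regex engine and compares the patterns only with the values printed in the Security Log entry, not with whatever Apache holds in those variables during its own processing; the `[OR]` handling goes beyond what the POST block needs.

```python
import re

COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

# Active (uncommented) conditions of the POST Request Attack Protection code in the thread.
POST_RULES = r"""
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
RewriteCond %{QUERY_STRING} !^_wfsf=(.*) [NC]
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
"""
# The two whitelist lines proposed in the thread.
WL_QUERY = "RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]"
WL_URI = "RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]"

# Values copied from the WPADMIN-SBR Security Log entries.
LOGGED = {"REQUEST_METHOD": "POST", "QUERY_STRING": "",
          "REQUEST_URI": "/wp-json/jetpack/v4/settings",
          "HTTP_REFERER": "https://www.mtmrev.com/wp-admin/admin.php?page=jetpack"}

def parse(text):
    """RewriteCond lines -> [(variable, negated, regex, has_or)]; '#' lines are skipped."""
    conds = []
    for m in filter(None, map(COND.match, text.splitlines())):
        var, pat, flags = m.group(1), m.group(2), (m.group(3) or "").upper().split(",")
        rx = re.compile(pat.lstrip("!"), re.I if "NC" in flags else 0)
        conds.append((var, pat.startswith("!"), rx, "OR" in flags))
    return conds

def rule_fires(conds, request):
    """True when the chain passes, i.e. the following 'RewriteRule ^(.*)$ - [F]' returns 403."""
    i = 0
    while i < len(conds):
        var, neg, rx, has_or = conds[i]
        ok = (rx.search(request.get(var, "")) is not None) != neg
        if ok and has_or:            # one member of an [OR] group matched:
            while i < len(conds) and conds[i][3]:
                i += 1               # skip ahead to the group's last member
        elif not ok and not has_or:  # a plain (ANDed) condition failed
            return False
        i += 1
    return True

def blocked(extra_cond=""):
    """Is the logged request 403'd by the POST rule plus one optional extra condition?"""
    return rule_fires(parse(POST_RULES + extra_cond), LOGGED)
```

`blocked()` and `blocked(WL_QUERY)` both return `True`, because the logged QUERY_STRING is empty and the `for=jetpack` condition therefore cannot exempt the request, while `blocked(WL_URI)` returns `False` for the REQUEST_URI as logged. The thread reports that the 403 persisted with that line as well, which this model of the logged values does not account for.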

    #32954

    Mohamad Hegazy
    Participant

    Thank you for the speedy assist. Unfortunately it didn’t work either, but I’m okay to try all solutions with you.

    #32955

    AITpro Admin
    Keymaster

    Hmm I’m out of ideas to try.  So I guess you cannot use the POST Attack Protection Bonus Custom Code with Jetpack.  If we can figure out how to get Jetpack installed and working on our web host then we will try and figure this out at a later time and post a solution back here.  I tried several times to get Jetpack installed and connected on our web host without getting anywhere. 😉
