Loads of 403 GET or Other Request Error

[Vilmondes]

Hi,

The site is generating loads of 403 errors. I keep clearing the BPS security log on the site otherwise it gets clogged up. Right now I have a 11MB .txt file with loads of errors and most of them a related to files in the uploads folder. I’ve already checked the permissions and they are set as 755. There’s also a few 403 errors related to pages. Here are some examples:

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 8, 2013 - 11:06 am <<<<<<<<<<<
REMOTE_ADDR: 1.202.218.133
Host Name: 133.218.202.1.static.bjtelecom.net
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /recruitment
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; JikeSpider; +http: //shoulu.jike.com/spider.html)

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 8, 2013 - 11:09 am <<<<<<<<<<<
REMOTE_ADDR: 50.23.239.111
Host Name: cs2-dallas.accountservergroup.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.emoderation.com
REQUEST_URI: /not-just-athlete-social-media-expert-too
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 8, 2013 - 11:09 am <<<<<<<<<<<
REMOTE_ADDR: 50.23.239.111
Host Name: cs2-dallas.accountservergroup.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.emoderation.com
REQUEST_URI: /wp-content/uploads/2012/09/followersgained.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Any idea of what may be causing this?

Thanks,
Vilmondes

[AITpro Admin]

The Jikespider bot is probably making a HEAD Request.  You can either whitelist it.  See the link below…
http://forum.ait-pro.com/forums/topic/whitelist-bots-allow-good-bots-to-make-a-head-request/

Or you can remove HEAD from the Request Method filter shown in the Link above.
Or you can go to the Security Log page and add this bot to ignore logging errors.
If you are blocking HotLinking to images then you will see 403 errors when someone is trying to HotLink to your images.
99% of security log errors are some bot/user agent doing something like scraping or some other nasty thing against your site.
If your log file is so large it is freezing your site:  http://forum.ait-pro.com/forums/topic/security-log-page-hangs-or-freezes/

Security Log read me first:  http://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/

[Ramon Llueca]

Dear Mr

Please I read your post help and I do have 127 in my file , but what I shod have to do? here is the log file / I have no experience so please talk to me in easy mode thank you so much

[code removed]

[AITpro Admin]

The most important error is this one.  Are you using HotLink Protection code or are you blocking HotLinking in your Host control panel?

403 GET or Other Request Error Logged - April 20, 2013 - 2:09 pm
REMOTE_ADDR: 184.168.164.1
Host Name: p3nlhg222c1222.shr.prod.phx3.secureserver.net
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/uploads/2013/02/lapatrona.jpg
QUERY_STRING:
HTTP_USER_AGENT: WordPress/3.5.1; http: //www.gossipidols.com

[AITpro Admin]

Ok I think I see what might be causing these.  You have a lightbox plugin that is calling the admin-ajax.php file.  Your images are loading fine in the lightbox, but I believe that this is also triggering 403 errors due to way the lightbox plugin is calling admin-ajax.php.

1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]

[Ramon Llueca]

I don’t know what I did but I apologize if I did something wrong

so here is the log file i, if I did this is because i have this message all time on my Dashboard and I like to have some help, if you can , so I see the message that you say that

[irrelevant/misinterpreted – removed]

Security Log File Size is: 509.84 KB
Your Security Log file is very large which will cause the BPS Options page to load much slower.
To Fix this issue to go to the Security Log page and copy and paste the Security Log file contents into a Notepad text file on your computer and save it.
Then click the Delete Log button to delete the contents of this Log file.
If you are unable to view the Security Log page, then FTP to your website and download the Security Log file from /wp-content/bps-backup/logs/http_error_log.txt to your computer and delete it from your website.
If you have BPS Pro your Log files are zipped, emailed and deleted automatically.

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 17, 2013 - 11:01 am <<<<<<<<<<<
REMOTE_ADDR: 150.70.172.101
Host Name: wtp-gd-maya1.iad1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 127.0.0.1
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/themes/Avenue/fonts/BebasNeue-webfont.eot?iefix)%20format(\"eot\"),%20url(fonts/BebasNeue-webfont.woff)%20format(\"woff\"),%20url(fonts/BebasNeue-webfont.ttf)%20format(\"truetype\"),%20url(fonts/BebasNeue-webfont.svg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

[AITpro Admin]

Please contact the Theme author for your Theme so that they can fix the coding mistakes in your Theme.

You should not be seeing backslashes and should instead be seeing ONLY outputted HTML.  The backslashes are a coding mistake.  And there are several of them – all of them need to be fixed in your Theme.  The 403 errors are being caused by these coding mistakes in your Theme.

(\"eot\")

 

[Vilmondes]

Hi again,

I apologize for the very late response.

I’ve managed to get rid of some of those 403 errors, but there’s one that I’m not sure of why it’s on the log. Please see below:

>>>>>>>>>>> 403 GET or Other Request Error Logged - July 10, 2013 - 8:05 am <<<<<<<<<<<
REMOTE_ADDR: 50.23.239.111
Host Name: cs2-dallas.accountservergroup.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.emoderation.com
REQUEST_URI: /wp-content/uploads/2013/07/rehearsing-managing-crisis.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - July 10, 2013 - 8:07 am <<<<<<<<<<<
REMOTE_ADDR: 50.23.239.111
Host Name: cs2-dallas.accountservergroup.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.emoderation.com
REQUEST_URI: /emoderation-and-carrot-communications-launch-social-media-crisis-management-service
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - July 10, 2013 - 8:08 am <<<<<<<<<<<
REMOTE_ADDR: 50.23.239.111
Host Name: cs2-dallas.accountservergroup.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.emoderation.com
REQUEST_URI: /town-planning-simcitys-social-media-crisis/e1804c2cefbd0a0175e89b3b90fb65a2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

cs2-dallas.accountservergroup.com is where our website is hosted.

Do you have any idea on why it’s been flagged by BPS?

Thanks,

Vilmondes

[AITpro Admin]

This error was occurring on July 10, 2013.  Is it still occurring now?  The Security Log file is a plain text log file.

[Roger Moerdijk]

Hi,

I’m having the same issue with a 403. Logged error is below:

>>>>>>>>>>> 403 GET or Other Request Error Logged - 20 september 2013 - 13:44 <<<<<<<<<<<
REMOTE_ADDR: 84.107.10.165
Host Name: 546B0AA5.cm-12-4a.dynamic.ziggo.nl
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.elliott-lykle.nl/wp-admin/post.php?post=7731&action=edit
REQUEST_URI: /wp-content/plugins/dm-albums/wp-dm-albums-ajax.php?photo=DSC09518.jpg&album_name=woensdag&value=het%20is%20altijd%20leuk%20om%20naar%20de%20%22cavinaia%27s%22%20van%20Arne%20te%20gaan%20kijken!&type=caption
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0

The error happens when I try to add a caption to an album in my weblog. The specific plugin used is DM-Albums.
Editing the post in general works just fine but adding the caption does not stick.
What should I change in wich file to get rid of the error and -more important- be able to add caption to the pictures?
I noticed that it only happens when I use text and/or sings like: ” ‘ … I use these a lot… (see, I told you!) bladiebla is fine,
bladiebla… is not, as is “bladiebla”.

THX!

[AITpro Admin]

If you would like to allow these coding characters on your website then do these steps:

1.  Copy this wp-admin .htaccess file code (already modified to allow these coding characters) to this wp-admin Custom Code text box:  CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS: Modify Query String Exploit code here
2.  Click the save wp-admin Custom Code button.
3.  Go to the Security Modes page and activate wp-admin BulletProof Mode again.

IMPORTANT NOTE:  This is the wp-admin .htaccess file code and not the Root .htaccess file code.  There are slight differences between the root .htaccess file and wp-admin .htaccess file Query String Exploits code.

This Forum Topic link below shows the Root .htaccess file Query String Exploits code with apostrophe/single quote modifications made to the Root .htaccess file BPS Query String Exploits code.
http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

[imxproducts]

RE: 403 GET or HEAD Request Error Logged. After upgrading to the pro version I am having a similar issue. It seems to be referencing a Java call from my browser. Even if I reset the log time the error immediately shows up again, so I constantly have an error alert at the top of my dashboard. I Uninstalled Java, then reinstalled, uninstalled FireFox and reinstalled it, now I am trying Water Fox an a browser and I continue to get the same error in the log. Amy idea what this could be?? I would appreciate any help you could give. Here is what shows up in the error log

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - December 9, 2013 - 1:26 pm <<<<<<<<<<<
REMOTE_ADDR: 98.165.137.127
Host Name: ip98-165-137-127.ph.ph.cox.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 98.165.137.127
HTTP_X_CLUSTER_CLIENT_IP: 98.165.137.127
REQUEST_METHOD: GET
HTTP_REFERER: http: //ignitespayments.com/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-4.js?ver=3.7.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:18.0) Gecko/20130119 Firefox/18.0

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - December 9, 2013 - 1:26 pm <<<<<<<<<<<
REMOTE_ADDR: 98.165.137.127
Host Name: ip98-165-137-127.ph.ph.cox.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 98.165.137.127
HTTP_X_CLUSTER_CLIENT_IP: 98.165.137.127
REQUEST_METHOD: GET
HTTP_REFERER: http: //ignitespayments.com/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
REQUEST_URI: /wp-content/plugins/wordfence/js/tourTip.js?ver=3.8.8
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:18.0) Gecko/20130119 Firefox/18.0

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - December 9, 2013 - 1:26 pm <<<<<<<<<<<
REMOTE_ADDR: 98.165.137.127
Host Name: ip98-165-137-127.ph.ph.cox.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 98.165.137.127
HTTP_X_CLUSTER_CLIENT_IP: 98.165.137.127
REQUEST_METHOD: GET
HTTP_REFERER: http: //ignitespayments.com/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-4.js?ver=3.7.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:18.0) Gecko/20130119 Firefox/18.0

Thank You

[AITpro Admin]

Since you are seeing this BPS Pro js script:  bulletproof-security-admin-4.js in your Security log then this means the Plugin Firewall either has a blank space or an invalid rule or you are using a Minify plugin, which is causing the Plugin Firewall to malfunction.  If you are using a Minify plugin then most likely you will not be able to use the Plugin Firewall or you can create exceptions/exclusions in your Minify plugin for all frontloading plugin scripts if you want to use the Plugin Firewall.

Go to the Plugin Firewall and copy and paste the plugin scripts/rules in the Plugins Script/File Whitelist Text Area and post them here.  If the Whitelist Text Area is blank then click the Save Whitelist Options button and activate the Plugin Firewall again.  A blank space was accidently saved in the Plugin Firewall master text file in the last BPS Pro release.  That issue has been corrected.

[imxproducts]

Ok

Went to the Plugin Firewall –  plugin scripts/rules – File Whitelist Text Area. It was blank.
Save Whitelist Options button.
This is a brand new installation and the only plugin I have active is Word Fence.
This looks like the requests are coming from my ip address. My IP – 70.162.104.246. Here is the error log

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - December 11, 2013 - 5:53 am <<<<<<<<<<<
REMOTE_ADDR: 70.162.104.246
Host Name: ip70-162-104-246.ph.ph.cox.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 70.162.104.246
HTTP_X_CLUSTER_CLIENT_IP: 70.162.104.246
REQUEST_METHOD: GET
HTTP_REFERER: http://ignitespayment.com/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
REQUEST_URI: /wp-content/plugins/wordfence/js/tourTip.js?ver=3.8.8
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:18.0) Gecko/20130119 Firefox/18.0

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - December 11, 2013 - 5:53 am <<<<<<<<<<<
REMOTE_ADDR: 70.162.104.246
Host Name: ip70-162-104-246.ph.ph.cox.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 70.162.104.246
HTTP_X_CLUSTER_CLIENT_IP: 70.162.104.246
REQUEST_METHOD: GET
HTTP_REFERER: http://ignitespayment.com/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-4.js?ver=3.7.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:18.0) Gecko/20130119 Firefox/18.

[AITpro Admin]

Did you activate the Plugin Firewall again after clicking the Save Whitelist Options button?  If so, and the problem is still occurring then create a temporary WordPress Admin login to this website and send it to edward at ait-pro dot com so that I can log in and see what is the issue/problem is.  Thanks.

[Author]

Posts