Security Log – valid plugin js files are being blocked

[Timbo]

Hi there,

I have noticed the following in my Security Log:

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 19, 2013 - 4:49 pm <<<<<<<<<<<
REMOTE_ADDR: xxx.xxx.xxx.xxx
Host Name: xxxxx
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: xxxxx
REQUEST_URI: /wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=3.32.0-2013.04.03
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 19, 2013 - 4:49 pm <<<<<<<<<<<
REMOTE_ADDR: xxx.xxx.xxx.xxx
Host Name: xxxxx
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: xxxxxx
REQUEST_URI: /wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.4.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

The following exceptions exist in my Plugin Firewall Whitelist:

/contact-form-7/includes/js/jquery.form.min.js, /contact-form-7/includes/js/scripts.js

The “403 GET or Other Request Error” only appear intermittently, and I have not found a way to replicate, just to wait for usual web traffic to trigger the error.

You thoughts would be very much appreciated.

-Timbo

[AITpro Admin]

Most likely what is occurring is that someone is doing something shady if this is an intermittent issue/problem.  Logically if something is not configured correctly or setup correctly with the Plugin Firewall then this would be a constant problem and not intermittent.  Another possibility could have something to do with form processing from a specific page to another page – ie multi-part form processing.  Post the last part of the HTTP_REFERER log entry, which I think was something like /business-profile or /business-contact or something like that.

[Timbo]

I don’t think anything shady is happening. It’s a VERY low traffic website, and I can identify the IP addresses triggering the errors (i.e. myself or someone I know). The form isn’t even located on the pages that are generating the errors, the form is located on the Contact Us page.

Also, it is not a multi-part form, just a simple (single page) Contact Us form.

-Timbo

[AITpro Admin]

The poplularity or level of traffic of a website is never a factor with websites being targeted/probed/reconned or hacked.  Bots, crawlers, spiders, etc. are automated scripts that go wherever they go randomly.  The entire process is automated.  Even the process of hacking a website is automated most of the time.  A human hacker might visit a hacked website after it has been automatically hacked or may never visit the hacked website.

Your IP may be included in blocked hacking attempt depending on the method of attack.  IP addresses can never be trusted since they are very easily faked.

Without more information I cannot really tell you what is going on, but the fact that it is intermittent would typically mean one of these things:

Intermittent NS or other Server Connectivity problems.

Intermittent MySQL Server problems.

Memory is maxing out on this website intermittently.

Hacker, spammer, scraper bot is probing, reconnning, etc.

If this was a consistent problem then it would most likely be either BPS Pro blocking something or another plugin conflict issue.  Since it is intermittent then it cannot be a BPS Pro issue because it would be consistently happening.

[Author]

Posts