Security Log – REQUEST URI: sitemap.xml

  • #5041
    protection
    Participant

    Hello –

    I’m getting the following in my PHP Error log:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - April 28, 2013 - 9:18 am
    <<<<<<<<>>>>>>>> 
    REMOTE_ADDR: 213.171.223.35
    Host Name: server213-171-223-35.live-servers.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /sitemap.xml
    QUERY_STRING:
    HTTP_USER_AGENT:

    At first I assumed it was Google while trying to crawl my site, but am not positive. Any suggestions?

    #5046
    AITpro Admin
    Keymaster

    The User Agent is blank, which means that this is either a Spammer or a Hacker.  All respectable/legitimate User Agents/Bots and humans will have a User Agent.  You can ignore any log entries where the User Agent is blank – BPS Pro is stopping the scrape, hack or whatever other shady activity is occurring by this Spammer or Hacker.

    #5048
    protection
    Participant

    Update – I’m also getting 403 errors when clicking on a link that has been shortened by bitly.com. Do you think this is related?

    #5049
    AITpro Admin
    Keymaster

    Please do not change the Topic tags for the topic if I have changed them to something that suits the topic better – better for searchability.  Thanks.

    Please search the Forum before posting a new Topic.  There are numerous Forum Topics regarding what Security Log errors mean.  What matters, what does not matter, what to ignore, what not to ignore, etc.  Thanks.

    http://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/

     

    #5054
    protection
    Participant

    Sorry about that. I’ll do more searching/reading from now on before posting.
    When you say:

    You can ignore any log entries where the User Agent is blank

    Are you suggesting that I can somehow add a blank value to “Add User Agents/Bots to Ignore/Not Log” or are you just saying I should ignore it in the sense that I can just disregard it?

    #5056
    AITpro Admin
    Keymaster

    We want to maintain good relevant search results in the Forum instead of what you find on some sites where there are so many similar posts that you end up wading through all kinds of very similar posts before you finally find exactly what you were looking for or you never find it because there are so many similar posts/topics.  So yep we appreciate it if folks do a search first before posting.  Thanks.  😉

    Also if your question is very similar to an existing post/topic, but you have a slightly different scenario occurring then you can always add to an existing topic/post.  We go through all the topics/posts after a period of time and weed out or combine similar topics/posts, which is not a big deal, but would of course like to keep that number as low as possible.  😉

    If the User Agent is already blank then this is a hacker or spammer and BPS is doing its job.  There really is not anything else you need to do at that point. We log somewhere between 1,500 to 2,000 spam or hacking attempts per day.  It would be a full time job going through the logs every day so instead we scan them for anything unusual.  99% of the log entries are repeat spamming or hacking methods used by other spammers or hackers.  Or in other words, nothing original and the same old crap day in and day out.

    I hope this gives you a clearer picture of error logging in general.  Thanks.
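Added example, not part of the original posts and not BPS Pro code: a small Python triage of entries in the log layout quoted in the first post (abbreviated), which counts blocked requests with a blank User Agent per requested URI and returns every other entry for manual review, in the spirit of scanning the log for anything unusual. The sample entries and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the entry layout quoted in the first post
# (abbreviated; addresses are documentation ranges, not real log data).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - April 28, 2013 - 9:18 am
REMOTE_ADDR: 192.0.2.10
REQUEST_METHOD: GET
REQUEST_URI: /sitemap.xml
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 28, 2013 - 9:20 am
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: GET
REQUEST_URI: /sitemap.xml
HTTP_USER_AGENT:

>>>>>>>>>>> 403 GET or Other Request Error Logged - April 28, 2013 - 9:31 am
REMOTE_ADDR: 203.0.113.5
REQUEST_METHOD: GET
HTTP_REFERER: http://example.com/page
REQUEST_URI: /some-post/
HTTP_USER_AGENT: Mozilla/5.0 (constructed browser string)
"""

# "KEY: value" lines as they appear under each entry header.
FIELD = re.compile(r"^\s*([A-Z_]+|Host Name):[ \t]*(.*)$")

def parse_entries(text):
    """Split the log on header lines and return one dict per entry."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith(">>>>>>>>>>>"):
            entries.append({"header": line.strip(" >")})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1)] = m.group(2).strip()
    return entries

def triage(entries):
    """Count blank-User-Agent blocks per URI; return the rest for review."""
    blank, review = Counter(), []
    for e in entries:
        if e.get("HTTP_USER_AGENT", "") == "":
            blank[e.get("REQUEST_URI", "")] += 1
        else:
            review.append(e)
    return blank, review
```

Entries that land in the review list carry a User Agent, so that is where a blocked request from a real visitor would show up.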

    #5070
    protection
    Participant

    Got it, will be more mindful of the etiquette within the forum 🙂

    Hmmm…..are you saying that there’s no way to ignore/suppress security alerts when the user agent is blank?  Sorry, I’m kind of a security noob lol.  Would http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address/ be a way to remedy the problem?

    #5073
    AITpro Admin
    Keymaster

    If you feel like blocking things then be my guest, but what you will most likely discover is that as soon as you block 1 ip address the spammer/hacker will switch to another ip address.  These are automated spammer and hacker bot programs.  99.99% of spamming and hacking is completely automated by bot programs.

    Example:  The bot script does this.  If ip address X is blocked then automatically switch to one of the other 100,000 ip addresses that are available to the script.

    In the recent WordPress and Joomla attacks there were 90,000+ ip addresses being used in those automated bot attack programs.  😉

    #5077
    AITpro Admin
    Keymaster

    If BPS is already blocking something and you have log entries telling you that BPS already blocked something then you really don’t need to do anything else.  The problem/attack/etc. has already been taken care of so you can ignore those log entries.

    #5080
    protection
    Participant

    Got it, thanks 🙂  I’m half-tempted to turn off error logging so I don’t keep getting the security log alert at the top….I’ll see how things look over the next few days.

    #5081
    AITpro Admin
    Keymaster

    Or  >>> Go to S-Monitor and choose Turn Off Displayed Alerts for 

    #5093
    protection
    Participant

    Got it, thanks again
