WP Content Copy Protection Pro – 403 error

  • #33272
    AITpro Admin
    Keymaster

    [Manually copied from general Forum Topic]

    Over the last few days our subscribers have been reporting “403 Forbidden” errors when attempting to access our site. Today, after going through plugin settings and then running BPS Wizard, immediately the entire site became 403 Forbidden, inaccessible to anyone, including site admins. We’ve already contacted our hosting company and requested server logs, which point to BPS Security plugin as the 403 issue. Below you will find a small snippet of hosting error reporting logs: (Note: I’ve removed the server configuration path from the hosting error log entries below, replacing the path with “……………………….”)

    Please advise and thank you in advance!

    ~~~~~~~~~~~~~~
    Hosting Error Log:
    ~~~~~~~~~~~~~~
    referer: http://www.estatetransformation.com/wx1g
    [Wed Jan 27 13:08:50 2016] [error] [client 82.85.14.105] client denied by server configuration: /home/...............................................wp-content/plugins/bulletproof-security/403.php
    ~~~~~~~~~~~~~~
    BPS Security Log: (just a few log entries from January 28th only)
    ~~~~~~~~~~~~~~
    
    [403 GET Request: January 28, 2016 - 4:40 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 24.140.10.215
    Host Name: cable-10-215.sssnet.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wccp-pro/watermark.php?type=dw&position=center-center&text=WATERMARKED&font_color=%23000000&r_text=estatetransformation.com&r_font_color=%23efefef&font_size_factor=90&r_font_size_factor=55&text_transparency=65&rotation=40&imagefilter=None&signature=This+image+is+protected&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro/images/testing-logo.png&src=/Images/template_mid_whitenb.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    
    [403 GET Request: January 28, 2016 - 4:50 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 70.106.227.243
    Host Name: pool-70-106-227-243.clppva.fios.verizon.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wccp-pro/watermark.php?type=dw&position=center-center&text=WATERMARKED&font_color=%23000000&r_text=estatetransformation.com&r_font_color=%23efefef&font_size_factor=90&r_font_size_factor=55&text_transparency=65&rotation=40&imagefilter=None&signature=This+image+is+protected&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro/images/testing-logo.png&src=/Images/template_top_favicon.png
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    #33273
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Looks like a typical RFI hacker pattern that is being blocked by these root htaccess filters below. Do these steps and let me know if the simulated RFI hacking attempt against your website is allowed and not blocked. Note an additional whitelist rule may be required in the Primary RFI security filter as well if this does not work.

    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
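
The check below is an added example, not part of the forum posts or of BulletProof Security: it runs the three `RewriteCond` patterns that the modified block comments out against the query string from the first log entry above, to show which of them the watermark request trips. It assumes Python's `re` behaves like Apache's PCRE for these patterns; the rule labels and the two extra query strings are constructed for illustration.

```python
import re

# The three conditions commented out in the modified BPSQSE block (patterns copied from the page).
RELAXED_RULES = {
    "param=http(s)://": r"[a-zA-Z0-9_]=(http|https)://",
    "param=/x/ path": r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    "http(s): anywhere": r"(http|https)\:",
}

# REQUEST_URI of the first BPS Security Log entry on the page, on one line.
LOGGED_URI = (
    "/wp-content/plugins/wccp-pro/watermark.php?type=dw&position=center-center"
    "&text=WATERMARKED&font_color=%23000000&r_text=estatetransformation.com"
    "&r_font_color=%23efefef&font_size_factor=90&r_font_size_factor=55"
    "&text_transparency=65&rotation=40&imagefilter=None"
    "&signature=This+image+is+protected"
    "&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro/images/testing-logo.png"
    "&src=/Images/template_mid_whitenb.jpg"
)

# Constructed query strings (not from the page) that show the shape each rule targets.
CONSTRUCTED = {
    "remote-url parameter": "page=http://example.invalid/inc.txt",
    "slash-separated path parameter": "dir=/a/b/",
}


def query_string(request_uri):
    """%{QUERY_STRING} is the raw, undecoded text after the first '?'."""
    return request_uri.partition("?")[2]


def matching_rules(qs, rules=RELAXED_RULES):
    """Labels of the rules whose pattern matches qs; all three carry [NC]."""
    return [name for name, pattern in rules.items()
            if re.search(pattern, qs, re.IGNORECASE)]


def report():
    """Map each sample to the relaxed rules it would have matched."""
    results = {"logged watermark.php request": matching_rules(query_string(LOGGED_URI))}
    for label, qs in CONSTRUCTED.items():
        results[label] = matching_rules(qs)
    return results


if __name__ == "__main__":
    for sample, hits in report().items():
        print(f"{sample}: {hits or 'no relaxed rule matches'}")
```

The logged request matches the two `http(s)` conditions through its `stamp=http://...` parameter. Because the three conditions are commented out in the root block, they stop applying to every request on the site, not only to `watermark.php`.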