Example of Error Reporting from Error 403: Permission Denied

Here are some actual error messages I received, triggered by hackers or spammers. I’ve only edited them to not disclose my server secrets.

Definitely read the main post Error Reporting from .htaccess.

Here’s the error log entry:

htaccess Errors = badRequestString:.asp--asp | 220.161.96.101 Accessing: lcblog.lernerconsult.com, /bokeindex.asp Tue Sep 3 2013 10:44:23 am MST 

Here is the email subject:

403 lcblog.lernerconsult.com /bokeindex.asp

Right away, I know a hacker got blocked, I don’t need to read the email. Delete.

Here’s what the email contains: what triggered the 403: Permission Denied error (the use of .asp), who tried to load what, and info about them, including what cookies they have and their browser type. Then I can see the system PHP error log, so I know the status of my site; yeah, I know I’m sending that via an insecure email. (The 403 errors are logged in a different file, not cluttering my system error log.) Then come the PHP system variables, $_SERVER and $_ENV (these I usually keep commented out of the emails, now that I’ve made sure I have the info I need, and if I’m tracking a big problem, it’s really nice to have them).

I keep the system PHP error log cleaned out as I fix problems. The 3 lines displayed were so useful I left them in the log. WordPress was dying with “500 Server” errors, but showing my custom error page, not the default one. An entry in $_SERVER gave the clue: “Premature end of script headers” (usually in PHP that means you forgot to close a parenthesis or curly brace or quote marks), which turned out to be a bad plugin update. The “administrator” line showed a WordPress post that was getting blocked: my security script blocks “administrator”, and the post was about the Windows XP administrator login. I renamed the URL of the post and added an exception to the security script so the old URL could get redirected to the new one.

htaccess Errors = badRequestString:.asp--asp

220.161.96.101 tried to load 
 lcblog.lernerconsult.com/bokeindex.asp 

Remote Host = 

Query string =  

HTTP Referer = 

User Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;) 

Tue Sep 3 2013 10:44:23 am MST 

Cookies = 
	wordpress_test_cookie: WP Cookie check 
 

Browser detected as: IE version 6.0

[Error Log]: /home/username/public_html/error_log
htaccess Errors = Error Notes:Premature end of script headers: wp-cron.php | 74.50.3.225 Accessing: yourdomain.com, /wp-cron.php?doing_wp_cron=1376826435.8446071147918701171875 Sun Aug 18 2013 4:47:16 am MST 
htaccess Errors = Error Notes:Premature end of script headers: wp-cron.php | 74.50.3.225 Accessing: yourdomain.com, /wp-cron.php?doing_wp_cron=1376828002.6863470077514648437500 Sun Aug 18 2013 5:13:23 am MST 
htaccess Errors = badRequestString:administrator | 66.249.73.201 Accessing: lcblog.lernerconsult.com, /2012-winxp-added-a-user-where-did-administrator-go/ Sun Aug 18 2013 6:07:06 pm MST 

[End of Error Log]
Array
(
    [DOCUMENT_ROOT] => /home/username/public_html
    [GATEWAY_INTERFACE] => CGI/1.1
    [HTTP_ACCEPT] => */*
    [HTTP_ACCEPT_ENCODING] => gzip
    [HTTP_ACCEPT_LANGUAGE] => zh-cn
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => wordpress_test_cookie=WP+Cookie+check
    [HTTP_HOST] => lcblog.lernerconsult.com
    [HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
    [PATH] => /bin:/usr/bin
    [PHPRC] => /home/username/public_html
    [QUERY_STRING] => 
    [REDIRECT_REQUEST_METHOD] => GET
    [REDIRECT_STATUS] => 403
    [REDIRECT_UNIQUE_ID] => UiYf9koyA@EAACBeNpIAAAAP
    [REDIRECT_URL] => /bokeindex.asp
    [REDIRECT_badRequestString] => .asp--asp
    [REMOTE_ADDR] => 220.161.96.101
    [REMOTE_PORT] => 54777
    [REQUEST_METHOD] => GET
    [REQUEST_URI] => /bokeindex.asp
    [SCRIPT_FILENAME] => /home/username/public_html/shared/403.php
    [SCRIPT_NAME] => /shared/403.php
    [SERVER_ADDR] => 74.50.3.225
    [SERVER_ADMIN] => webmaster@lernerconsult.com
    [SERVER_NAME] => lcblog.lernerconsult.com
    [SERVER_PORT] => 80
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] => 
    [SERVER_SOFTWARE] => [Sorry, secret...]
    [TZ] => America/Phoenix
    [UNIQUE_ID] => UiYf9koyA@EAACBeNpIAAAAP
    [PHP_SELF] => /shared/403.php
    [REQUEST_TIME] => 1378230263
    [argv] => Array
        (
        )

    [argc] => 0
)
Array
(
    [DOCUMENT_ROOT] => /home/username/public_html
    [GATEWAY_INTERFACE] => CGI/1.1
    [HTTP_ACCEPT] => */*
    [HTTP_ACCEPT_ENCODING] => gzip
    [HTTP_ACCEPT_LANGUAGE] => zh-cn
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => wordpress_test_cookie=WP+Cookie+check
    [HTTP_HOST] => lcblog.lernerconsult.com
    [HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
    [PATH] => /bin:/usr/bin
    [PHPRC] => /home/username/public_html
    [QUERY_STRING] => 
    [REDIRECT_REQUEST_METHOD] => GET
    [REDIRECT_STATUS] => 403
    [REDIRECT_UNIQUE_ID] => UiYf9koyA@EAACBeNpIAAAAP
    [REDIRECT_URL] => /bokeindex.asp
    [REDIRECT_badRequestString] => .asp--asp
    [REMOTE_ADDR] => 220.161.96.101
    [REMOTE_PORT] => 54777
    [REQUEST_METHOD] => GET
    [REQUEST_URI] => /bokeindex.asp
    [SCRIPT_FILENAME] => /home/username/public_html/shared/403.php
    [SCRIPT_NAME] => /shared/403.php
    [SERVER_ADDR] => 74.50.3.225
    [SERVER_ADMIN] => webmaster@lernerconsult.com
    [SERVER_NAME] => lcblog.lernerconsult.com
    [SERVER_PORT] => 80
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] => 
    [SERVER_SOFTWARE] => [Sorry, secret...]
    [TZ] => America/Phoenix
    [UNIQUE_ID] => UiYf9koyA@EAACBeNpIAAAAP
)
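To triage these entries without reading every email, the log lines can be parsed and split into blocked probes and real server faults. The following is an added example, not part of the original post or its 403.php script; the line layout is inferred from the four entries shown on this page, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the log lines on this page (an assumption, not a
# documented format): kind:detail | client-ip Accessing: host, uri date tz
ENTRY = re.compile(
    r"^htaccess Errors = (?P<kind>[^:]+):(?P<detail>.*?) \| "
    r"(?P<ip>\S+) Accessing: (?P<host>[^,\s]+), (?P<uri>\S+) "
    r"(?P<when>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2} [ap]m \S+)\s*$"
)

# Sample input: the four entries quoted on this page, plus one constructed
# line that does not follow the layout.
SAMPLE = """\
htaccess Errors = badRequestString:.asp--asp | 220.161.96.101 Accessing: lcblog.lernerconsult.com, /bokeindex.asp Tue Sep 3 2013 10:44:23 am MST
htaccess Errors = Error Notes:Premature end of script headers: wp-cron.php | 74.50.3.225 Accessing: yourdomain.com, /wp-cron.php?doing_wp_cron=1376826435.8446071147918701171875 Sun Aug 18 2013 4:47:16 am MST
htaccess Errors = Error Notes:Premature end of script headers: wp-cron.php | 74.50.3.225 Accessing: yourdomain.com, /wp-cron.php?doing_wp_cron=1376828002.6863470077514648437500 Sun Aug 18 2013 5:13:23 am MST
htaccess Errors = badRequestString:administrator | 66.249.73.201 Accessing: lcblog.lernerconsult.com, /2012-winxp-added-a-user-where-did-administrator-go/ Sun Aug 18 2013 6:07:06 pm MST
[constructed] this line is not an htaccess entry
"""

def parse(line):
    """Return the entry's fields as a dict, or None if the line does not fit."""
    m = ENTRY.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Split entries into blocked probes, server faults and unparsed lines."""
    blocked, faults, unparsed = Counter(), [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        entry = parse(line)
        if entry is None:
            unparsed.append(line)          # never guess at a malformed line
        elif entry["kind"] == "badRequestString":
            blocked[(entry["detail"], entry["ip"])] += 1   # rule did its job
        else:
            faults.append(entry)           # e.g. "Error Notes": needs a human
    return blocked, faults, unparsed

if __name__ == "__main__":
    blocked, faults, unparsed = triage(SAMPLE)
    for (trigger, ip), n in blocked.most_common():
        print(f"blocked  {n}x  trigger={trigger!r}  from {ip}")
    for f in faults:
        print(f"FAULT    {f['detail']}  ({f['uri']}, {f['when']})")
    print(f"{len(unparsed)} line(s) did not match the expected layout")
```

The URI field is supplied by the client, so lines that do not fit the pattern are kept in the unparsed list for review instead of being forced into a category.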
