Plugin Author
AITpro
(@aitpro)
Paste one of the POST 404 errors from your BPS Security Log so I can take a look at it. Most likely the POST 404 errors are just hacker/spammer probes looking for exploitable files on your website that do not actually exist on your website.
Yes, they are non-existent files, but as I read the code (and correct me if I am misreading it) it is supposed to take ALL post requests and only allow the whitelisted ones.
TIME: July 7th 2016, 07:03pm
*404: https://www.example.com/cron.php
SITE: https://www.example.com/
THEME: Modularity
REFERRER: undefined
QUERY STRING:
REMOTE ADDRESS: 202.150.209.178
REMOTE IDENTITY: undefined
REQUEST METHOD: POST
SERVER PROTOCOL: HTTP/1.1
USER AGENT: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0
Plugin Author
AITpro
(@aitpro)
Correct, the code uses an explicit whitelisting method, but this BPS htaccess code in the root htaccess file: ErrorDocument 404 /404.php will send 404 Requests to your 404.php template file. You could change that and have 404 errors be sent to the BPS 403.php template file. You would not really want to do that because legitimate 404 errors made by legitimate visitors would be logged as 403 errors instead of what they are, which is 404 errors.
So since a 404 error means that the URI used does not point to a valid file or URI, BPS just logs that. There is no point in blocking that 404 Request because an actual file or URI does not really exist, so there is nothing to block.
Plugin Author
AITpro
(@aitpro)
So if a file or URI does exist and a hacker or spammer sends a POST Request to that URI then it will be handled as a 403 Request error, sent to the 403.php logging template and blocked.
Plugin Author
AITpro
(@aitpro)
Additional explanation with examples:
The test file post-form.php has a POST Form and since it is not whitelisted then the POST Request is blocked when submitting the form back to itself. Note the Request Body form values: REQUEST BODY: foo=bar&Submit-test=Submit
The test file post-form.php has another POST Form that sends a POST Request to a non-existent file post-bogus.php. Note: There are no Request Body form values captured when submitting the form to post-bogus.php because a form does not actually exist in the post-bogus.php file. If a form did exist in the post-bogus.php file then it would be logged as a 403 error and blocked and the Request Body form values would be captured.
[403 POST Request: July 10, 2016 - 10:45 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 127.0.0.1
Host Name: Z666P-HP
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://aitpro-blog.local/post-form.php
REQUEST_URI: /post-form.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
REQUEST BODY: foo=bar&Submit-test=Submit
[404 POST Not Found Request: July 10, 2016 - 10:49 am]
Event Code: The server has not found anything matching the Request-URI.
Solution: N/A - 404 Not Found
REMOTE_ADDR: 127.0.0.1
Host Name: Z666P-HP
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://aitpro-blog.local/post-form.php
REQUEST_URI: /post-bogus.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Makes sense. Looks like I just needed to read the code a little better and see that. I just assumed it took all POST requests and filtered them.
Plugin Author
AITpro
(@aitpro)
Yeah, it's confusing and I had to double check everything to make sure I was not posting bad info here. 😉 The primary concern with 404 errors was to NOT interfere with any 404 Requests because that could cause major headaches and folks to get pretty pissed off since it is important to know about “legit” 404 errors, i.e. a broken link or similar scenario (error checking basically).
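For anyone triaging a log like the one in this thread, here is an added example (not part of the original posts and not BPS plugin code) that parses entries in the bracketed `[403 POST Request: ...]` / `[404 POST Not Found Request: ...]` layout quoted above and separates blocked POSTs to existing files from logged-only probes for missing files. The function names and the sample entries are assumptions constructed for illustration, modeled on the two entries in the thread.

```python
import re
from collections import defaultdict

# Constructed sample entries in the layout of the two log entries quoted in the thread.
SAMPLE_LOG = """\
[403 POST Request: July 10, 2016 - 10:45 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 127.0.0.1
REQUEST_METHOD: POST
HTTP_REFERER: http://aitpro-blog.local/post-form.php
REQUEST_URI: /post-form.php
REQUEST BODY: foo=bar&Submit-test=Submit
[404 POST Not Found Request: July 10, 2016 - 10:49 am]
REMOTE_ADDR: 127.0.0.1
REQUEST_METHOD: POST
REQUEST_URI: /post-bogus.php
[404 POST Not Found Request: July 10, 2016 - 10:52 am]
REMOTE_ADDR: 203.0.113.7
REQUEST_METHOD: POST
REQUEST_URI: /cron.php
"""

HEADER = re.compile(r"^\[(\d{3}) (.+?): (.+)\]$")   # [status kind: timestamp]
FIELD = re.compile(r"^([A-Za-z_ ]+?):\s?(.*)$")     # KEY: value (value may be empty)

def parse_entries(text):
    """Return one dict per log entry; a bracketed header line starts a new entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"status": int(m.group(1)), "kind": m.group(2), "time": m.group(3)})
        elif entries:
            f = FIELD.match(line)
            if f:
                entries[-1][f.group(1)] = f.group(2)
    return entries

def triage(entries):
    """403 POST: target exists but is not whitelisted (blocked, body captured).
    404 POST: target does not exist (logged only), grouped per source address."""
    blocked, probes = [], defaultdict(set)
    for e in entries:
        if e.get("REQUEST_METHOD") == "POST" and e["status"] == 403:
            blocked.append((e.get("REQUEST_URI"), e.get("REQUEST BODY", "")))
        elif e.get("REQUEST_METHOD") == "POST" and e["status"] == 404:
            probes[e.get("REMOTE_ADDR")].add(e.get("REQUEST_URI"))
    return blocked, {ip: sorted(uris) for ip, uris in probes.items()}
```

The 403 list is where to look for legitimate forms that need whitelisting; the 404 map shows which addresses are requesting files that do not exist.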