• Resolved danedral

    (@danedral)


    Hey Ed,
    First of all, great plugin and a great amount of help instruction topics that you covered. I have nothing but praise.

    I was wondering whether there is a way to exclude a specific address or part of an address from the log.

    I got into a situation where my site (BPS on my site) is making a big log really quickly because of Timthumb: each image accessed is logged.

    Is there a way to remove a specific address or part of the address from the log?

    For example, what I would want to do is:

    Part of log (with edited personal details)

    >>>>>>>>>>> 403 GET or Other Request Error Logged – June 2, 2013 – 6:26 pm <<<<<<<<<<<
    REMOTE_ADDR: 123.123.123.123
    Host Name: somehosts.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mywebsite.com/
    REQUEST_URI: /wp-content/themes/mytheme/Timthumb.php?src=https://mywebsite.com/wp-content/uploads/2013/05/My_Image001.jpg&w=700&h=290&zc=1&q=80&bid=1
    QUERY_STRING:
    HTTP_USER_AGENT: ~ irrelevant ~
    —————————————

    So what I would like to do is exclude this address in BPS so BPS doesn't log this:

    “/wp-content/themes/mytheme/Timthumb.php?src=https://mywebsite.com/wp-content/uploads/”

    Thanks in advance for your reply.

    Best Regards,
    Nenad

    https://www.ads-software.com/extend/plugins/bulletproof-security/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author AITpro

    (@aitpro)

    Hmm actually the Timthumb / MISC skip/bypass rule should be allowing/whitelisting the timthumb.php file/script already, but I have seen that for some Themes for whatever reason the Timthumb skip/bypass rule is not working. Clear your plugin cache and browser cache after adding/using either of these skip/bypass rules.

    See this Forum post (1 of the 2 whitelist rules will work): https://forum.ait-pro.com/forums/topic/images-not-displaying-after-bulletproof-security-free-plugin-was-enabled-and-configured/#post-3828

    Thread Starter danedral

    (@danedral)

    Thanks for the quick reply, will check it out.
    Btw hm… seems that it is happening only when making a new post, or I’m not sure, will have to investigate a little more because today I didn't see any log so far about timthumb… will check the forum first, thanks again for the quick reply.

    Thread Starter danedral

    (@danedral)

    Thanks, I added img\.php and now all is OK.

    Plugin Author AITpro

    (@aitpro)

    Hmm, the img.php file is specific to the Themify theme and your particular timthumb error has timthumb.php in the error, so adding img\.php would not have any effect on your particular site. What I suspect is that what actually happened was this was just some sort of intermittent issue/problem that occurred June 2 and the timthumb skip/bypass rule is actually already working correctly on your site since timthumb is a standard file that is already being skipped/bypassed.

    Thread Starter danedral

    (@danedral)

    Hm, maybe, I’m not sure, but I’m glad it's working and not making my log file so big. But I’m still getting an error log from time to time when MSN and Google bots try to access an image… still not sure, should I try to fix that? Bots manage to crawl pictures on my pages; it seems like they can't crawl only the pictures that timthumb generates on category pages.

    Plugin Author AITpro

    (@aitpro)

    Most likely what is happening is that the image retrieval script is doing several different things and one of those things is causing a 403 error, but image retrieval is actually working perfectly fine. See this link below.

    https://www.ads-software.com/support/topic/does-bps-block-goodlegitimate-botsuser-agents?replies=1

    Plugin Author AITpro

    (@aitpro)

    Also there is always this possibility too – the User Agent is being faked/spoofed by a spammer, scraper or hacker…

    https://forum.ait-pro.com/forums/topic/googlebot-403/

    Thread Starter danedral

    (@danedral)

    Yeah, I check the IP address when I look at the logs; it says the IP address belongs to Microsoft.

    REMOTE_ADDR: 199.30.20.70
    Host Name: msnbot-199-30-20-70.search.msn.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/themename/Timthumb.php?src=https://mywebsite.com/wp-content/uploads/2013/05/image1.jpg&w=200&h=200&zc=1&q=80
    QUERY_STRING:
    HTTP_USER_AGENT: msnbot-media/1.1 (+https://search.msn.com/msnbot.htm)

    ———-

    But this might be an attack (they say secureserver is hacked):

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 10, 2013 - 4:21 am <<<<<<<<<<<
    REMOTE_ADDR: 37.148.206.1
    Host Name: n1nlhg638c1638.shr.prod.ams1.secureserver.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2013/06/image1.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/3.5.1; https://mywebsite.com

    PS: edited sensitive data in logs

    Plugin Author AITpro

    (@aitpro)

    Yep, but always keep in mind that IP Addresses, User Agents, Host names can all be faked. We had a hacker attempting several different attack methods for about a week. The IP address, User Agent and Host name were all valid Google info. The last time I checked Google does not do much hacking. LOL

    The MSN bot 403 error does not show that an attack is being done so you can safely say that this is probably the real msnbot.

    The second error is suspicious. Server Protocol 1.0 typically indicates a spammer, scraper or hacker. The new legitimate Server Protocol since 1997-1999 is HTTP/1.1. If someone is scraping your site then in a lot of cases you will see your own website’s information logged in the error due to the way that some scraping apps work.
    SERVER_PROTOCOL: HTTP/1.0

    Plugin Author AITpro

    (@aitpro)

    In general, what you want to do is check that your image files are actually being retrieved successfully. If everything is fine then you can ignore any further log entries since they are either hacking, scraping or spammers that were blocked by BPS or it is some kind of error due to whatever additional thing that the image retrieval script is doing.

    In other words, as long as everything is working fine and hackers, scrapers and spammers are being successfully blocked/forbidden by BPS then you go on about your business.

    Thread Starter danedral

    (@danedral)

    Yep, you never know who is “behind” and they can always fake the host, and ofc MSN / Google have so many PCs that someone can always hack some of those and attack from it lol

    About the 2nd one: like a long list of hack attempts, and BulletProof Security blocks it all.

    Plugin Author AITpro

    (@aitpro)

    Well they do not even need to actually have hacked any google equipment to fake that they are google or anyone else. The IP addresses, User Agents and host names can be added to hacking, spamming or scraping scripts so that it appears that that is who they are. This is a very simple thing to do.

    Yep, if you see that the Server Protocol is HTTP/1.0 then this is a bad guy – 99.99%. So far the only legitimate thing that is being blocked is older versions of Squid Proxy. Squid Proxy is used by good guys and bad guys and the good guys just need to upgrade to the latest version of Squid Proxy. The bad guys of course will continue to use older versions because it allows them to do bad stuff with it.

    Plugin Author AITpro

    (@aitpro)

    Issue is resolved.
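A triage sketch for the log layout quoted in this thread, added here as an example (it is not part of BPS or of any post above): it counts entries per request path to show what is filling the log, and flags the HTTP/1.0 hint and a crawler User Agent whose logged host name does not fit. The sample entries, the function names and the `BOT_SUFFIXES` table are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the log layout quoted in the thread (not real traffic).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 10, 2013 - 4:20 am <<<<<<<<<<<
Host Name: msnbot-192-0-2-10.search.msn.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-content/themes/mytheme/Timthumb.php?src=https://example.com/a.jpg&w=200
HTTP_USER_AGENT: msnbot-media/1.1 (+https://search.msn.com/msnbot.htm)
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 10, 2013 - 4:21 am <<<<<<<<<<<
Host Name: host7.shared.example.net
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /wp-content/uploads/2013/06/image1.jpg
HTTP_USER_AGENT: WordPress/3.5.1; https://example.com
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 10, 2013 - 4:22 am <<<<<<<<<<<
Host Name: dsl-5.example.org
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-content/themes/mytheme/Timthumb.php?src=https://example.com/b.jpg&w=700
HTTP_USER_AGENT: msnbot-media/1.1 (+https://search.msn.com/msnbot.htm)
"""

# Assumed table: crawler UA token -> suffixes its reverse-DNS host name should end with.
BOT_SUFFIXES = {"msnbot": (".search.msn.com",), "googlebot": (".googlebot.com", ".google.com")}

def parse_entries(text):
    """Split on the '>>>>>' header line; return one {field: value} dict per entry."""
    entries = []
    for block in re.split(r"^>{5,}.*$", text, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z_ ]+):[ \t]*(.*)$", block, flags=re.M))
        if fields:
            entries.append(fields)
    return entries

def triage_flags(entry):
    """Triage hints only: every logged value can be forged, so treat these as leads."""
    out = []
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        out.append("http/1.0")
    ua, host = entry.get("HTTP_USER_AGENT", "").lower(), entry.get("Host Name", "").lower()
    for token, suffixes in BOT_SUFFIXES.items():
        if token in ua and not host.endswith(suffixes):
            out.append("ua-host-mismatch")
    return out

def top_paths(entries):
    """Count entries per request path, with the query string dropped."""
    return Counter(urlsplit(e.get("REQUEST_URI", "")).path for e in entries).most_common()
```

A host name that fits the suffix is only a consistency check; an entry with no flags is not thereby confirmed as the real crawler.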
