Hack Attempt?

[Jeffrey]

My ASP.NET Web app has a "global error handler" (http module) that catches
any exceptions not caught in any try/catch handlers. It logs details about
every exception. I got this strange one today and I'm wondering what it
means.

I'm wondering if someone tried to hack into the site. Check out the RAW URL
value. That querystring value isn't anything I have set - did someone put
that in there explicitly? If so, what could it possibly do for them. Also
check out the "INNER INNER EXCEPTION STACK TRACE" value. It apparently
involves a call to something called LoadPageStateFromPersistenceMedium().
What is this "persistence medium"?

RAW URL:
/Default.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwtMjM5NTgxOTgwOzs+gtQlX8GJplxnKs1bJgUnSYlxTxs=&_ctl0__ctl0_menuCA_ContextData=/

USER AGENT:
Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 4.0)

ERROR MESSAGE:
Exception of type System.Web.HttpUnhandledException was thrown.

STACK TRACE:
at System.Web.UI.Page.HandleError(Exception e) at
System.Web.UI.Page.ProcessRequestMain() at
System.Web.UI.Page.ProcessRequest() at
System.Web.UI.Page.ProcessRequest(HttpContext context) at
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously)

INNER EXCEPTION STACK TRACE:
at System.Web.UI.Page.LoadPageStateFromPersistenceMedium() at
System.Web.UI.Page.LoadPageViewState() at
System.Web.UI.Page.ProcessRequestMain()

INNER INNER EXCEPTION STACK TRACE:
at System.Convert.FromBase64String(String s) at
System.Web.UI.LosFormatter.Deserialize(String input) at
System.Web.UI.Page.LoadPageStateFromPersistenceMedium()

Other data logged for this exception indicates that this user was not logged
on to the site at the time the exception occurred.

I'd appreciate any insight into what this is all about.

Thanks!

 

[Hans Kesting]

My ASP.NET Web app has a "global error handler" (http module) that
catches any exceptions not caught in any try/catch handlers. It logs
details about every exception. I got this strange one today and I'm
wondering what it means.

I'm wondering if someone tried to hack into the site. Check out the
RAW URL value. That querystring value isn't anything I have set - did
someone put that in there explicitly? If so, what could it possibly
do for them. Also check out the "INNER INNER EXCEPTION STACK TRACE"
value. It apparently involves a call to something called
LoadPageStateFromPersistenceMedium(). What is this "persistence
medium"?

The URL looks like a regular postback, except that "GET" is used, instead of "POST".

The call to LoadPageStateFromPersistenceMedium is standard: viewstate is read from
the (post) variable __VIEWSTATE and decoded. Maybe this failed because that
variable was not present in the POST variables.

Find out if the "method=post" is missing from your "/default.aspx"

Hans Kesting

 

[Jeffrey]

POST is in default.aspx. In fact, here is the relevant portion of
default.aspx.

<body class="bodyBg" bottommargin="0" topmargin="0" leftmargin="0"
rightmargin="0">
<form id="Form1" method="post" runat="server">
<asplaceHolder EnableViewState="false" id="PageTemplatePlaceHolder"
runat="server"></asplaceHolder>
</form>
</body>

Since the OP, this exception happened again. Same user agent; and given the
HostAddress, I suspect these exceptions are happening for the same user:

222.134.160.176 (first occurrance)
222.134.164.165 (second occurrance)

Also, default.aspx has not been modified in any way since May 10 of this
year, and the site routinely gets 50-100 unique visitors per day (sometimes
spiking much higher); and this exception has never occurred until yesterday
(August 04).

Any additional ideas?

-Jeffrey