Is an Invalid Viewstate a good indicator of attempted hacking?

Discussion in 'ASP .Net Security' started by Gery D. Dorazio, Sep 8, 2005.

  1. Hi,

    In the design of web sites that I build there is a reporting mechanism that
    sends me an email with failure information when an exception occurs. Lately
    I have seen what I think are attempted hacks into the web server in order to
    discover if there is an email system set up on the web server, presumably to
    try and find a mail server to use for spamming. Here are some of the
    characteristics of the failures:

    About 8 emails corresponding to 8 Invalid_Viewstate page errors occur. The
    first several emails have the view state set to an invalid (garbage) email
    address with the domain of the website. The referrer is the web site. There
    is no user agent. Browser and platform information is unknown. Then it shows
    a 'Content-Type: multipart/mixed...' was inserted which is followed by what
    appears to be an email message. This message has a TO and FROM field of the
    invalid email address (same one in both fields) with this web site domain
    and a bcc showing an email address at AOL. I don't know if that is valid.

    I am thinking that this may be a good time to start architecting an
    HttpModule to filter this type of nonsense and any other type of attacks or
    hacks which try to break into the server in undesirable ways. The first
    possibility is to use this Invalid_Viewstate page error.

    One issue though is that agents such as search engine spiders should not be
    prevented from indexing the site.

    So the architectural question here is what are valid mechanisms to test for
    which can indicate that a hacker is attempting to break into an ASP.NET web
    site which can be used to filter out these attempts? A desired result is
    that the hacking software is not provided any failure information and also
    the filter mechanism should set up an IP filter list that does not allow
    requests from that IP for a period of time. (This is because the IPs are
    probably spoofed and they can change from attempt set to attempt set but be
    from the same hacker.)

    Feedback on thoughts in this post is most welcome. Also, if you have any
    links to existing code or modules that have addressed some of this it would
    be very helpful.


    Gery D. Dorazio
    Development Engineer

    EnQue Corporation
    1334 Queens Road
    Charlotte, NC 28207
    (704) 377-3327
    Gery D. Dorazio, Sep 8, 2005
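
One way to build the filter the post asks about, as an added example that is not code from the thread or from ASP.NET itself: an `IHttpModule` that looks for mail-header lines injected into posted form values (which includes `__VIEWSTATE`), answers with an empty generic response, and refuses the source address for a fixed window. The class name `MailProbeFilter`, the 15-minute window and the header list are assumptions made for illustration.

```csharp
// Added example, not code from the thread. MailProbeFilter, BlockWindow and the
// 15-minute window are hypothetical choices.
using System;
using System.Collections.Concurrent;
using System.Text.RegularExpressions;
using System.Web;

public class MailProbeFilter : IHttpModule
{
    static readonly TimeSpan BlockWindow = TimeSpan.FromMinutes(15);
    static readonly ConcurrentDictionary<string, DateTime> Blocked =
        new ConcurrentDictionary<string, DateTime>();

    // A line break followed by a mail header name inside a form value: the
    // pattern in the post (Content-Type: multipart/mixed, bcc:). A free-text
    // field that may legitimately hold such lines needs an exemption.
    static readonly Regex HeaderInjection = new Regex(
        @"[\r\n]\s*(content-type|mime-version|to|from|cc|bcc|subject)\s*:",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    public static bool LooksLikeMailProbe(string value)
    {
        return !string.IsNullOrEmpty(value) && HeaderInjection.IsMatch(value);
    }

    void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        string ip = req.UserHostAddress ?? "unknown";
        DateTime until;
        bool blocked = Blocked.TryGetValue(ip, out until) && until > DateTime.UtcNow;
        if (!blocked) Blocked.TryRemove(ip, out until);   // drop expired entry

        // Only POST bodies are inspected, so spiders issuing GETs pass through.
        if (!blocked && req.HttpMethod == "POST")
            foreach (string key in req.Form.AllKeys)
                if (LooksLikeMailProbe(req.Form[key])) { blocked = true; break; }

        if (!blocked) return;
        Blocked[ip] = DateTime.UtcNow + BlockWindow;       // start or extend the block
        app.Context.Response.StatusCode = 403;             // generic status only
        app.Context.Response.SuppressContent = true;       // no body, no error detail
        app.CompleteRequest();
    }
}
```

The module is registered in web.config under `<httpModules>` (or `<system.webServer>/<modules>` in IIS 7+ integrated mode). Blocking by address also affects other users behind the same proxy or NAT, so the window should stay short.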