Gery D. Dorazio
Hi,
In the design of web sites that I build there is a reporting mechanism that
sends me an email with failure information when an exception occurs. Lately
I have seen what I think are attempted hacks into the web server in order to
discover if there is an email system set up on the web server, presumably to
try and find a mail server to use for spamming. Here are some of the
characteristics of the failures:

About 8 emails corresponding to 8 Invalid_Viewstate page errors occur. The
first several emails have the view state set to an invalid (garbage) email
address with the domain of the website. The referrer is the web site. There
is no user agent. Browser and platform information is unknown. Then it shows
a 'Content-Type: multipart/mixed...' was inserted, which is followed by what
appears to be an email message. This message has a TO and FROM field of the
invalid email address (same one in both fields) with this web site domain
and a bcc showing an email address at AOL. I don't know if that is valid.

I am thinking that this may be a good time to start architecting an
HttpModule to filter this type of nonsense and any other type of attacks or
hacks which try to break into the server in undesirable ways. The first
possibility is to use this Invalid_Viewstate page error.

One issue though is that agents such as search engine spiders should not be
prevented from indexing the site.

So the architectural question here is: what are valid mechanisms to test for
which can indicate that a hacker is attempting to break into an ASP.NET web
site, and which can be used to filter out these attempts? A desired result is
that the hacking software is not provided any failure information, and also
the filter mechanism should set up an IP filter list that does not allow
requests from that IP for a period of time. (This is because the IPs are
probably spoofed and they can change from attempt set to attempt set but be
from the same hacker.)

Feedback on the thoughts in this post is most welcome. Also, if you have any
links to existing code or modules that have addressed some of this, it would
be very helpful.
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
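As an added example of the kind of HttpModule the post is asking about (this is not code from the original post nor from any existing module), the following ASP.NET module counts invalid-viewstate failures per client IP, blocks an IP for a period once it crosses a threshold, and answers both the failure and any later request from a blocked IP with a bare status code and no body, so the probing software receives no failure details and no exception report is generated. Search engine spiders issue GET requests without a __VIEWSTATE field, so they never trigger a viewstate failure and are unaffected. The threshold (3 failures within 10 minutes), the 30-minute block window, the in-process dictionary and the assumption of .NET 2.0 or later (for System.Web.UI.ViewStateException) are all choices made for this example.

```csharp
// Added example, not part of the original post. Assumes ASP.NET 2.0+ (ViewStateException).
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public class ProbeFilterModule : IHttpModule
{
    // Assumed policy: 3 bad viewstates from one IP within 10 minutes => block for 30 minutes.
    private const int MaxFailures = 3;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    private static readonly TimeSpan BlockFor = TimeSpan.FromMinutes(30);

    private class Entry
    {
        public int Failures;
        public DateTime FirstFailure;
        public DateTime BlockedUntil;
    }

    // In-process state: valid for a single worker process; a web farm needs a shared store.
    private static readonly object Sync = new object();
    private static readonly Dictionary<string, Entry> Clients = new Dictionary<string, Entry>();

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.Error += OnError;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (IsBlocked(app.Request.UserHostAddress, DateTime.UtcNow))
        {
            // Blocked client: bare 403, no body, no error page, no email report.
            app.Response.StatusCode = 403;
            app.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    private static void OnError(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        Exception ex = app.Server.GetLastError();
        if (!IsViewStateFailure(ex)) return;   // other errors keep the normal reporting path

        // Only a POST carrying a tampered or garbage __VIEWSTATE reaches this point;
        // spiders (GET, no viewstate) never do.
        RecordFailure(app.Request.UserHostAddress, DateTime.UtcNow);

        app.Server.ClearError();               // swallow it: no stack trace, no failure email
        app.Response.Clear();
        app.Response.StatusCode = 400;
        app.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    // ASP.NET wraps ViewStateException inside an HttpException, so walk the inner chain.
    internal static bool IsViewStateFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is ViewStateException) return true;
        }
        return false;
    }

    internal static bool IsBlocked(string ip, DateTime now)
    {
        lock (Sync)
        {
            Entry entry;
            return Clients.TryGetValue(ip, out entry) && entry.BlockedUntil > now;
        }
    }

    internal static void RecordFailure(string ip, DateTime now)
    {
        lock (Sync)
        {
            Entry entry;
            if (!Clients.TryGetValue(ip, out entry) || now - entry.FirstFailure > Window)
            {
                entry = new Entry();           // first failure, or the old window has expired
                entry.FirstFailure = now;
                Clients[ip] = entry;
            }
            entry.Failures++;
            if (entry.Failures >= MaxFailures) entry.BlockedUntil = now + BlockFor;
            if (Clients.Count > 10000) Prune(now);   // keep the table bounded
        }
    }

    private static void Prune(DateTime now)
    {
        List<string> stale = new List<string>();
        foreach (KeyValuePair<string, Entry> kv in Clients)
        {
            if (kv.Value.BlockedUntil <= now && now - kv.Value.FirstFailure > Window) stale.Add(kv.Key);
        }
        foreach (string ip in stale) Clients.Remove(ip);
    }
}
```

The module is registered in web.config under `<httpModules>` (`<add name="ProbeFilter" type="ProbeFilterModule" />`). Two design notes: the "no user agent" trait described in the post is deliberately not used as a block criterion, because some legitimate clients also omit it and a block on that alone would reject them; and the 'Content-Type: multipart/mixed' and bcc lines seen in the captured viewstate are the shape of a mail header injection attempt, so any page code that copies a form field into a mail header (To, From, Subject) should reject values containing a carriage return or line feed before the message is built, which is the check that actually keeps the server from being used as a relay.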