Event Log - Viewstate verification failed
Recently we upgraded our system from .net 1.1 to .net 2.0. Since doing so we have been getting errors in our event logs with the following error about every minute. It's weird but all client ips or user host address seems to be pointing to eastern European countries like Russia or Belarus. Is it a logging problem or is somebody legitimately trying to hack or something? -
Information 8/2/2011 15:02 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was invalid.
Event time: 8/2/2011 3:02:36 PM
Event time (UTC): 8/2/2011 7:02:36 PM
Event ID: e25e0918f9e34bda98abcafadc61a0b6
Event sequence: 144401
Event occurrence: 5595
Event detail code: 50204
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 176.14.136.181
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 176.14.136.181
Port: 63815
User-Agent: TrackChecker
PersistedState: [KEY1]
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
-------------------------
Information 8/2/2011 14:57 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was invalid.
Event time: 8/2/2011 2:57:11 PM
Event time (UTC): 8/2/2011 6:57:11 PM
Event ID: 4d814be560f64258b2c926814fdb10c6
Event sequence: 142726
Event occurrence: 5536
Event detail code: 50204
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 213.87.131.86
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 213.87.131.86
Port: 21441
User-Agent:
PersistedState: [KEY1]
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
-----------
Information 8/2/2011 14:56 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Event time: 8/2/2011 2:56:10 PM
Event time (UTC): 8/2/2011 6:56:10 PM
Event ID: e20e446446374000bf9ad9c6863192e8
Event sequence: 142476
Event occurrence: 5534
Event detail code: 50203
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 85.174.246.134
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 85.174.246.134
Port: 3957
User-Agent: TrackChecker
PersistedState: dDwxNTA2NDg4MjAzO3Q8O2w8aTwzPjs+O2w8dDw7bDxpPDE+O2k8OT47aTwxMT47aTwxMz47aTwxNT47aTwxNz47aTwxOT47aTwyMT47aTwyMz47aTwyND47aTwyNT47aTwyNj47aTwzMj47aTwzND47PjtsPHQ8O2w8aTwzPjtpPDE5PjtpPDQxPjs+O2w8dDxwPH开发者_JAVA百科A8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Oz47Oz47dDxwPHA8bDxOYXZpZ2F0ZVVybDtGb250X0JvbGQ7XyFTQjs+O2w8XGU7bzx0PjtpPDIwNDg+Oz4+Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Oz47Oz47Pj47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY+Oz4+Oz47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PHA8O3A8bDxvbmtleXByZXNzOz47bDxyZXR1cm4gS2V5UHJlc3NIYW5kbGVyKGV2ZW50KTs+Pj47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PDtsPGk8MT47aTwzPjtpPDU+O2k8Nz47aTw5Pjs+O2w8dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PHA8O3A8bDxvbmtleXByZXNzOz47bDxyZXR1cm4gS2V5UHJlc3NIYW5kbGVyKGV2ZW50KTs+Pj47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjs+Pjt0PDtsPGk8MT47aTwzPjtpPDU+O2k8Nz47aTw5Pjs+O2w8dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PHA8O3A8bDxvbmtleXByZXNzOz47bDxyZXR1cm4gS2V5UHJlc3NIYW5kbGVyKGV2ZW50KTs+Pj47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjs+Pjt0PDtsPGk8MT47aTwzPjtpPDU+O2k8Nz47aTw5Pjs+O2w8dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PHA8O3A8bDxvbmtleXByZXNzOz47bDxyZXR1cm4gS2V5UHJlc3NIYW5kbGVyKGV2ZW50KTs+Pj47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjs+Pjt0PDtsPGk8MT47aTwzPjtpPDU+O2k8Nz47aTw5Pjs+O2w8dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjt0PHA8O3A8bDxvbmtleXByZXNzOz47bDxyZXR1cm4gS2V5UHJlc3NIYW5kbGVyKGV2ZW50KTs+Pj47Oz47dDxwPDtwPGw8b25rZXlwcmVzczs+O2w8cmV0dXJuIEtleVByZXNzSGFuZGxlcihldmVudCk7Pj4+Ozs+O3Q8cDw7cDxsPG9ua2V5cHJlc3M7PjtsPHJldHVybiBLZXlQcmVzc0hhbmRsZXIoZXZlbnQpOz4+Pjs7Pjs+Pjt0PHA8O3A8bDxvbmNsaWNrOz47bDxTaG93SGlkZVNlY3Rpb24oJ1VQU01JX1Byb2Nlc3NfTG9uZycpXDs7Pj4+Ozs+O3Q8cDw7cDxsPG9uY2xpY2s7PjtsPFNob3dIaWRlU2VjdGlvbignVVBTTUlfUHJvY2Vzc19Mb25nJylcOzs+Pj47Oz47Pj47Pj47bDxidG5UcmFjazs+PgqCqg5dK4H3lAraES3/cf/YlkUD
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
The first 2 requests have caused the viewstate verification/validation issues because of this: PersistedState: [KEY1] - this is a validation error straight away.
Also - you say you've upgraded from .Net 1.1 to 2.0 But the viewstate supplied in the 3rd request starts with "dDw" - this is a .Net 1.1 viewstate (for .Net 2.0 it starts with "/wE")
Seeing "TrackChecker" in the user agent tells me that some kind of bot/crawler saved older versions of your pages (when they were generated by .Net 1.1 - including the viewstate) and now it is re-checks your content and submits invalid viewstates (.Net 1.1 viewstates will fail validation on .Net 2.0 for obvious reasons)
I get a lot of these Viewstate errors on one of my sites, and it's normally a bot trying its luck to post something nefarious.
I suspect the same here - unless you have a lot of users from Belarus?
If you amend your logs to also capture the query string and other request params, that can give you some clues as to what the (alleged) attacker - or unfortunate user - was trying to achieve.
加载中,请稍侯......
精彩评论