Event log - Viewstate verification failed
Recently we upgraded our system from .NET 1.1 to .NET 2.0. Since doing so we have been getting errors in our event logs with the following error about every minute. It's weird, but all client IPs or user host addresses seem to be pointing to Eastern European countries like Russia or Belarus. Is it a logging problem or is somebody legitimately trying to hack or something?
Information 8/2/2011 15:02 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was invalid.
Event time: 8/2/2011 3:02:36 PM
Event time (UTC): 8/2/2011 7:02:36 PM
Event ID: e25e0918f9e34bda98abcafadc61a0b6
Event sequence: 144401
Event occurrence: 5595
Event detail code: 50204
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 176.14.136.181
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 176.14.136.181
Port: 63815
User-Agent: TrackChecker
PersistedState: [KEY1]
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
-------------------------
Information 8/2/2011 14:57 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was invalid.
Event time: 8/2/2011 2:57:11 PM
Event time (UTC): 8/2/2011 6:57:11 PM
Event ID: 4d814be560f64258b2c926814fdb10c6
Event sequence: 142726
Event occurrence: 5536
Event detail code: 50204
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 213.87.131.86
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 213.87.131.86
Port: 21441
User-Agent:
PersistedState: [KEY1]
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
-----------
Information 8/2/2011 14:56 ASP.NET 2.0.50727.0 1316 Web Event Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Event time: 8/2/2011 2:56:10 PM
Event time (UTC): 8/2/2011 6:56:10 PM
Event ID: e20e446446374000bf9ad9c6863192e8
Event sequence: 142476
Event occurrence: 5534
Event detail code: 50203
Application information:
Application domain: OMMITED-OMMITED
Trust level: Full
Application Virtual Path: /DirID
Application Path: W:\SITE\DirID\
Machine name: OMMITED-OMMITED
Process information:
Process ID: 1740
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Request information:
Request URL: http://www.mysite.com/DirID/Default.aspx
Request path: /DirID/Default.aspx
User host address: 85.174.246.134
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
ViewStateException information:
Exception message: Invalid viewstate.
Client IP: 85.174.246.134
Port: 3957
User-Agent: TrackChecker
PersistedState: [value omitted]
Referer: http://www.mysite.com/DirID/Default.aspx
Path: /DirID/Default.aspx
Comments (2)
The first 2 requests have caused the viewstate verification/validation issues because of this:
PersistedState: [KEY1] - this is a validation error straight away.
Also - you say you've upgraded from .NET 1.1 to 2.0.
But the viewstate supplied in the 3rd request starts with "dDw" - this is a .NET 1.1 viewstate (for .NET 2.0 it starts with "/wE").
Seeing "TrackChecker" in the user agent tells me that some kind of bot/crawler saved older versions of your pages (when they were generated by .NET 1.1 - including the viewstate) and now it re-checks your content and submits invalid viewstates (.NET 1.1 viewstates will fail validation on .NET 2.0 for obvious reasons).
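An added triage example (not part of the original answers): it splits event-log text laid out like the entries above, labels each PersistedState by the prefixes the answer names ("dDw" for .NET 1.1, "/wE" for .NET 2.0), and counts failures per User-Agent. The sample log, its IP addresses and viewstate stubs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event-log entries on this page.
# IPs are documentation addresses; PersistedState values are made-up stubs.
SAMPLE_LOG = """\
Event detail code: 50204
Client IP: 192.0.2.10
User-Agent: TrackChecker
PersistedState: [KEY1]
-----------
Event detail code: 50203
Client IP: 192.0.2.11
User-Agent: TrackChecker
PersistedState: dDwxMjM0NTY3ODk7Oz4=
-----------
Event detail code: 50203
Client IP: 198.51.100.7
User-Agent:
PersistedState: /wEPDwUKMTIzNDU2Nzg5MGRk
"""

FIELD = re.compile(r"^[ \t]*(Event detail code|Client IP|User-Agent|PersistedState):[ \t]*(.*)$", re.M)

def classify(state):
    """Label a PersistedState value by the prefixes the answer describes."""
    if state.startswith("dDw"):
        return ".NET 1.1 format"
    if state.startswith("/wE"):
        return ".NET 2.0 format"
    return "not a viewstate"

def parse_events(text):
    """Split the log on dashed separator lines and extract fields per entry."""
    events = []
    for chunk in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        fields = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if "PersistedState" in fields:
            fields["kind"] = classify(fields["PersistedState"])
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (User-Agent, kind) to spot one crawler replaying old pages."""
    return Counter((e.get("User-Agent") or "(none)", e["kind"]) for e in events)

if __name__ == "__main__":
    for (agent, kind), n in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{n:3d}  {agent:15s} {kind}")
```

A cluster of ".NET 1.1 format" failures from one User-Agent after a framework upgrade points to replayed cached pages, while ".NET 2.0 format" failures are the ones worth a closer look.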
I get a lot of these Viewstate errors on one of my sites, and it's normally a bot trying its luck to post something nefarious.
I suspect the same here - unless you have a lot of users from Belarus?
If you amend your logs to also capture the query string and other request params, that can give you some clues as to what the (alleged) attacker - or unfortunate user - was trying to achieve.