Odd YSOD messages

Discussion in 'General troubleshooting' started by rlcraven, Oct 22, 2014.

  1. Hello,

    My MVC site often sends me YSOD messages (through the error logger) that apparently reference an attempt to access a nonexistent route, such as:

    System.Web.HttpException: The controller for path '/wp-login.php' was not found or does not implement IController.

    Sometimes I get hundreds of these daily referencing routes/pages such as:

    /DataBackup/222.asp
    /Create_New.asp
    /DataBackup/111.asp
    /DataBackup/1.asp
    htmledit
    saveupload.asp
    post_upload.asp
    /js/mage/cookies.js
    /wp-admin/admin-post.php
    /browserconfig.xml

    Does anyone know why this happens?

    Thanks!
    Randy
     
  2. It's an unfortunate side effect of script kiddy automated hacker scripts crawling the internet looking for vulnerabilities in any website URLs that the script / hacker is aware of. e.g. if the script was to detect an HTTP 200 response from a request to wp-login.php, it then conclusively knows that the website being probed is at least running both WordPress and PHP. Armed with that knowledge the script can then move on to the next stage of probing for vulnerabilities against that website for known issues in WordPress and PHP.

    It's a never ending battle and there's little you can do except work to ensure your site code is as secure as it can be. If you're able to improve the exception handling in your website, you might be able to capture the IP address of the caller in the request to enable you to add that IP address to the block list in "IP Address and Domain Restrictions" in IIS manager. However, doing that is sort of futile because hacker IP addresses constantly change, because their requests often source from botnets.
     
    Last edited: Oct 22, 2014
    martino likes this.
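As an added example (not code from this thread or from any of its participants): a Global.asax Application_Error handler for the approach Joe describes, which separates the controller-not-found 404s from genuine application faults, records the caller's address against the probed path, and returns a plain 404 instead of a YSOD and an error e-mail. It assumes the site has a Global.asax code-behind and is content to log through System.Diagnostics.Trace.

```csharp
// Global.asax.cs  (added example, not code from this thread)
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Probe hits per client address, for later review or for feeding the IIS
    // "IP Address and Domain Restrictions" list. In-memory only, so it
    // resets on an app-pool recycle.
    private static readonly ConcurrentDictionary<string, int> ProbeCounts =
        new ConcurrentDictionary<string, int>();

    protected void Application_Error(object sender, EventArgs e)
    {
        var httpEx = Server.GetLastError() as HttpException;

        // "The controller for path '...' was not found or does not implement
        // IController" is raised by the controller factory as an HttpException
        // with status 404, so it can be told apart from real application faults.
        if (httpEx == null || httpEx.GetHttpCode() != 404)
            return;   // genuine error: leave it to the existing error logger

        // UserHostAddress is the TCP peer. Behind a load balancer or reverse
        // proxy it is the proxy's address; X-Forwarded-For is client-supplied
        // text, so only use it if your proxy is known to overwrite it.
        string ip = Request.UserHostAddress;
        string path = Request.RawUrl;

        int hits = ProbeCounts.AddOrUpdate(ip, 1, (_, n) => n + 1);
        Trace.TraceWarning("Probe from {0} for {1} (hit #{2})", ip, path, hits);

        // Answer with a plain 404 instead of a YSOD and an error e-mail.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 404;
        Response.TrySkipIisCustomErrors = true;
        Response.Write("Not found");
        CompleteRequest();
    }

    // Exposes the per-address counts, e.g. to an admin page that exports
    // addresses above a threshold for the IIS restriction list.
    public static int ProbeHitsFor(string ip)
    {
        int n;
        return ProbeCounts.TryGetValue(ip, out n) ? n : 0;
    }
}
```

Real 404s from typos in your own links will land in the same count, so review the logged paths before turning a count into a block-list entry.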
  3. Thanks Joe!

    I wonder if anyone has a security checklist for MVC sites to share? I feel like I have things fairly well covered but as you say it's a never ending battle.

    Randy
     
  5. Troy Hunt does (PluralSite course, requires trial signup or paid membership): http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks

    You can check most of what he discusses in the course using the site he created (free): https://asafaweb.com/

    I'd highly recommend installing his NWebSec package (free, GitHub link: https://github.com/NWebsec/NWebsec) - it pretty much takes care of most of what you need to lock down an ASP.NET site, with the rest being configurable. It's in my list of packages I install in every MVC app I build.
     
    martino and mjp like this.
