
MVC3 route errors / hacking attempts with invalid routes?


In the Global.asax's Application_Error() method in my MVC3 application, I have the following code to send out system error notifications:

    protected void Application_Error()
    {
        // X-Forwarded-For is added by proxies and is client-supplied; only rely on it behind a proxy you control
        string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        if (!string.IsNullOrEmpty(ip))
        {
            // the header may hold a comma-separated chain; the first entry is the originating client
            ip = ip.Split(',')[0].Trim();
        }
        else
        {
            ip = Request.ServerVariables["REMOTE_ADDR"];
        }

        // rebuild the requested URL; the HTTPS server variable is "on"/"off" rather than empty,
        // so test the connection directly to pick the scheme
        string scheme = Request.IsSecureConnection ? "https" : "http";
        string currentPageUrl = scheme + "://"
            + Request.ServerVariables["SERVER_NAME"] + ":"
            + Request.ServerVariables["SERVER_PORT"]
            + Request.ServerVariables["SCRIPT_NAME"];

        string urlReferrer = string.Empty;
        try
        {
            // UrlReferrer is null when no Referer header was sent and throws on a malformed one
            urlReferrer = Request.UrlReferrer == null ? string.Empty : Request.UrlReferrer.ToString();
        }
        catch (Exception)
        {
            // unusable referrer, leave it empty
        }

        string client = string.Empty;
        try
        {
            // reverse-DNS the client address; fall back to the User-Agent header if the lookup fails
            client = System.Net.Dns.GetHostEntry(ip).HostName;
        }
        catch (Exception)
        {
            client = Request.UserAgent;
        }

        string userDetails = "IP Address: " + ip
            + "<br /><br />Client: " + client
            + "<br /><br />Url Referrer: " + urlReferrer
            + "<br /><br />Current Page: " + currentPageUrl + "<br /><br />";

        try
        {
            Exception exception = Server.GetLastError();
            Response.Clear();

            // GetLastError() returns null if the error has already been cleared
            string errorText = exception == null
                ? "(no exception available)"
                : exception.Message + "<br /><br />" + exception.StackTrace;

            Controllers.ControllerBaseClass.SendSystemNotification("System Error", userDetails + errorText);
        }
        catch (Exception ex)
        {
            // the notification itself failed; report that failure instead
            Controllers.ControllerBaseClass.SendSystemNotification("System Error", userDetails + ex.Message + "<br /><br />" + ex.StackTrace);
        }
    }

So far it has been successfully sending notifications, mostly of route errors from attempts like:

www.mysite.com/phpadmin/somephpfile.php

Since there's no route matching that, a file not found exception is thrown. Fine.

The email sent contains the current page that was attempted which resides on my site, and associated text indicating that the controller path for '/[whatever invalid path]/' was not found or does not implement IController.

Recently, however, I've been seeing attacks where the Current page does not exist on my server,

i.e. www.etorrent.co.kr:80/js/filter.js

I'm curious as to why I'm not seeing the current page as one on my server, and whether I need to add additional security features or have missed something?

Thanks.


Solution

  • In hack attempts, the potential hacker will create a copy of your site/forms on their server and attempt to launch your processes from those locations. The URL Referrer captures the source of the originating request and that is what appears.
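As an added example (not code from the question or the answer), here is a helper that builds the notification body while treating every header-derived value as untrusted input: the first X-Forwarded-For entry is used only when it parses as an IP address, each value is HTML-encoded before it goes into the HTML e-mail, and the Host and Referer headers are recorded as separate labelled fields so the recipient can see which one carried a hostname that is not yours. The `ErrorNotificationBuilder` class and its method names are assumptions; `SendSystemNotification` is the page's own method.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web;
// Added example, not code from the question or answer: header-derived values are untrusted.
public static class ErrorNotificationBuilder
{
    // First X-Forwarded-For entry when it parses as an IP address, otherwise REMOTE_ADDR.
    // Any client can send X-Forwarded-For, so only rely on it behind a proxy you control.
    public static string ClientAddress(string forwardedFor, string remoteAddr)
    {
        if (!string.IsNullOrEmpty(forwardedFor))
        {
            string first = forwardedFor.Split(',')[0].Trim();
            IPAddress parsed;
            if (IPAddress.TryParse(first, out parsed)) return parsed.ToString();
        }
        return remoteAddr ?? string.Empty;
    }

    // Every value is HTML-encoded before it goes into the HTML e-mail, so a crafted
    // Referer or Host header cannot inject markup into the notification.
    public static string Build(HttpRequestBase request, Exception error)
    {
        var body = new StringBuilder();
        AppendField(body, "IP Address", ClientAddress(
            request.ServerVariables["HTTP_X_FORWARDED_FOR"],
            request.ServerVariables["REMOTE_ADDR"]));
        // The Host header is client-supplied, so log it as its own field instead of
        // folding it into a reconstructed "current page" URL.
        AppendField(body, "Host header", request.Headers["Host"]);
        AppendField(body, "Requested path", request.RawUrl);
        AppendField(body, "Referer header", request.Headers["Referer"]);
        AppendField(body, "User-Agent", request.UserAgent);
        if (error != null)
        {
            AppendField(body, "Error", error.Message);
            AppendField(body, "Stack trace", error.StackTrace);
        }
        return body.ToString();
    }

    private static void AppendField(StringBuilder body, string label, string value)
    {
        body.Append(label).Append(": ")
            .Append(HttpUtility.HtmlEncode(value ?? string.Empty))
            .Append("<br /><br />");
    }
}
```

In Application_Error() this is called as `Controllers.ControllerBaseClass.SendSystemNotification("System Error", ErrorNotificationBuilder.Build(new HttpRequestWrapper(Request), Server.GetLastError()));`, replacing the hand-built string.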