
A short series of errors just came in from Elmah. They are very peculiar, and I'm unsure as to what they represent and whether they might be malicious.

It amounted to a series of 16 sequential calls to a non-existent web address. In each case the call takes the form /Extranet/Account/non-existent-[seemingly random 10 digit number]. /Extranet/Account is a valid path on the site, but there's nothing which maps to anything like non-existent-[number].

The calls were not hugely rapid, coming in over the course of just over a minute. So it's hard to tell if they were automated.

Elmah tells me that the user agent was Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.10) and that the calls originated at an IP in France. OpenVAS is a piece of vulnerability scanning software. I can see nothing in Google which suggests it's commonly used for malicious purposes, although I can see how it might be.

If it was malicious, I'm at a loss to explain what they were trying to achieve by making a short series of calls to a non-existent address with a random number appended to the end.

Should I be worried? Does the short duration suggest the responsible parties found something of interest and may be back? If so, is there anything I can do to stop them since I only have the IP of the scanning service itself?

Bob Tway

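One way to pick this kind of activity out of a web log automatically, as an added example that is not part of the original question or answer: group requests by source IP, flag any source whose user agent announces a known scanner, and separately flag a burst of 404s against the probe-style paths described above (a fixed prefix followed by a 10-digit number), so a scanner that does change its user agent is still caught. The log lines, IPs, timestamps and the `min_probes`/`window` thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in Combined Log Format, modelled on the question's
# /Extranet/Account/non-existent-<10 digits> probes (IPs and times are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:01 +0000] "GET /Extranet/Account/non-existent-4821093745 HTTP/1.1" 404 512 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.10)"
203.0.113.7 - - [10/Oct/2014:13:55:05 +0000] "GET /Extranet/Account/non-existent-9930184726 HTTP/1.1" 404 512 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.10)"
203.0.113.7 - - [10/Oct/2014:13:55:09 +0000] "GET /Extranet/Account/non-existent-1102938475 HTTP/1.1" 404 512 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.10)"
198.51.100.4 - - [10/Oct/2014:13:55:10 +0000] "GET /Extranet/Account/Login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.4 - - [10/Oct/2014:13:56:30 +0000] "GET /Extranet/Account/missing-page HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UA = re.compile(r'OpenVAS|Nessus|Nikto|sqlmap', re.I)  # self-announcing scanners
PROBE_PATH = re.compile(r'/non-existent-\d{10}$')              # the pattern from the question

def parse(log_text):
    """Parse Combined Log Format lines into dicts; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
        rows.append(d)
    return rows

def flag_scanners(log_text, min_probes=3, window=timedelta(minutes=2)):
    """Return {ip: [reasons]} for sources that look like vulnerability scanners."""
    by_ip = defaultdict(list)
    for r in parse(log_text):
        by_ip[r['ip']].append(r)
    findings = {}
    for ip, rows in by_ip.items():
        reasons = []
        uas = {r['ua'] for r in rows if SCANNER_UA.search(r['ua'])}
        if uas:
            reasons.append('scanner user agent: ' + ', '.join(sorted(uas)))
        probes = sorted(r['ts'] for r in rows
                        if r['status'] == '404' and PROBE_PATH.search(r['path']))
        # sliding window: min_probes probe-style 404s inside `window` counts as a burst
        for i in range(len(probes) - min_probes + 1):
            if probes[i + min_probes - 1] - probes[i] <= window:
                reasons.append(f'{min_probes}+ probe 404s within {window}')
                break
        if reasons:
            findings[ip] = reasons
    return findings
```

Run `flag_scanners(SAMPLE_LOG)` over the sample and only the OpenVAS source is reported, on both counts; the ordinary visitor's single 404 is left alone.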
1 Answer


Yes, it probably is malicious. If you are hosting anything on a public IP then scans such as these are an everyday occurrence.

The fact that the user agent hasn't been changed to hide the fact that it is a scanner suggests that it is either a novice or a University research project that ethically is required to advertise scanner use.

The best protection against attacks like these is a multilayered defense involving Web Application Firewalls (WAF), locked-down HTTP servers and a whole host of other approaches.

Hexdump