Tracking down hacking/malware attempts

Question

I currently have a .net web application on a cluster based system (Rackspace cloud). In web config I have set up the following machine key.

<machineKey validationKey='DE0...etc' 
decryptionKey='A97...etc' 
validation='SHA1'/>

We were getting a quite a few of the following errors on a daily basis:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

I did a bit of Googling and added the following. This has stopped all the previous errors. However it may open the door for various hacking attacks.

<pages enableViewStateMac="false">

However I am finding now that I get the following errors

The state information is invalid for this page and might be corrupted.

I am trying to work out what may be causing these two types of errors. Are they bots? Are they genuine web users? Are they hacking/malware attempts? Is this a normal occurrence and I should just ignore them...

Can anyone shed any light on this?

Answer 1

I don't think they are Malware/hacking attempts - I have sometimes seen those myself when browsing sites.

The general cause I've seen is that the page hasn't completed loading before the user initiates a postback - there is a hidden field that is rendered at the bottom of the form, and if that hasn't been rendered to the browser when the user clicks a button, the server will reject the viewstate.

There's quite an in-depth post about the issue, and some work-arounds here:

Validation of viewstate MAC failed error