Unusual request URL in ASP.NET health monitoring event

Question

I’m seeing a rather strange occurrence in the request information section of an ASP.NET health monitoring email I hope someone can shed some light on. This is a publicly facing website which runs on infrastructure at an Indian hosting provider. Health monitoring is notifying us of server errors via automated email but every now and then the requested URL appears as a totally different website. For example:

Request information:
    Request URL: http://www.baidu.com/Default.aspx
    Request path: /Default.aspx
    User host address: 221.13.128.175
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: NT AUTHORITY\NETWORK SERVICE

Obviously the site in question is not Baidu and obviously this attribute is not the referrer either; the “Request URL” value is the path which has generated the error. The IP address is located in Beijing (coincidental given the Baidu address?) and in this instance it looks like the SQL server backend was not accessible (I haven't included the entire error message for security's sake).

What would cause the request URL attribute to be arbitrarily changed to that of another site? I’ve never seen this occur in a health monitoring event before. Thanks!

Edit: For those not familiar with Baidu, it's China's largest search engine and is absolutely, positively not running on the same Indian infrastructure as this particular site.

Answer 1

You can cause this to happen by changing your hosts file to include an entry to www.baidu.com at your server's IP address then requesting http://www.baidu.com/Default.aspx.

It would presumably end up at the default website if the HostHeaders in IIS for this are blank. This may be different from your usual website which might explain the SQL error message you were getting.

Why someone would do this I'm not sure. Maybe an innocent DNS error somewhere or a badly written bot?