New Reconnaissance Signature: Sitecore.Services.GraphQL.NetFxHost/site

> A public action method 'site' was not found on controller 'Sitecore.Services.GraphQL.Hosting.Mvc.GraphQLController'

Overview

Once in a while I like to share strange errors that I see in customer logs to increase awareness of potential threats, particularly when I can't find any information about the signatures on Google.

This client is running Sitecore 10.2.1, with a CM and CD instance, along with a Next.js head application hosted on Vercel. Based on what I know about this client and their infrastructure, I would deem the requests detailed below suspicious and likely to be reconnaissance.

Request Details

The requests were targeting a GraphQL endpoint and supposedly originated from Sri Lanka.

client_City: Colombo
client_StateOrProvince: Kolamba
client_CountryOrRegion: Sri Lanka
operation_Name: GET Sitecore.Services.GraphQL.Hosting.Mvc.GraphQLController, Sitecore.Services.GraphQL.NetFxHost/site
LoggerName: Sitecore.Web.HttpModule
Role: CD

Error Message

The error message indicates that the request threw an exception, meaning that a successful response was not returned.

Application error.
Exception: System.Web.HttpException
Message: A public action method 'site' was not found on controller 'Sitecore.Services.GraphQL.Hosting.Mvc.GraphQLController'.
Source: System.Web.Mvc
at System.Web.Mvc.Controller.HandleUnknownAction(String actionName)
at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at Sitecore.Mvc.Routing.RouteHttpHandler.EndProcessRequest(IAsyncResult result)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request Time Stamps

10 total requests hit the CD server at the following times:

4/9/2026, 10:10:42.875 AM
4/9/2026, 10:07:27.764 AM
4/9/2026, 10:07:23.924 AM
4/9/2026, 10:01:21.418 AM
4/9/2026, 10:01:19.683 AM
4/9/2026, 9:58:00.172 AM
4/9/2026, 9:57:58.360 AM
4/9/2026, 9:57:58.110 AM
4/9/2026, 9:57:57.813 AM
4/9/2026, 9:57:57.469 AM

The pattern of request time stamps shows multiple probing attempts over a period of about 13 minutes, with bursts of activity and a few longer pauses. The initial cluster of five rapid-fire requests (between 9:57:57 and 9:58:00) suggests automated scanning or script-driven enumeration. Later, additional attempts are spaced out by several minutes, possibly indicating manual follow-up or further exploration after the automated sweeps failed. This spread suggests persistence in the reconnaissance effort, with the attacker adjusting tactics or checking for changes in system behavior.
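The burst pattern described above can be reproduced directly from the ten timestamps and the exception message in this post. The following is an added example, not part of the original post; the function names and the 5-second gap used to separate bursts are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# The ten request timestamps listed in the post.
REQUEST_TIMES = [
    "4/9/2026, 10:10:42.875 AM", "4/9/2026, 10:07:27.764 AM",
    "4/9/2026, 10:07:23.924 AM", "4/9/2026, 10:01:21.418 AM",
    "4/9/2026, 10:01:19.683 AM", "4/9/2026, 9:58:00.172 AM",
    "4/9/2026, 9:57:58.360 AM", "4/9/2026, 9:57:58.110 AM",
    "4/9/2026, 9:57:57.813 AM", "4/9/2026, 9:57:57.469 AM",
]

# Exception text from the post; the action name is captured so that other
# unknown-action probes against the same controller are matched as well.
SIGNATURE = re.compile(
    r"A public action method '(?P<action>[^']+)' was not found on controller "
    r"'Sitecore\.Services\.GraphQL\.Hosting\.Mvc\.GraphQLController'"
)

def probed_action(message):
    """Return the action name named in a matching error message, else None."""
    match = SIGNATURE.search(message)
    return match.group("action") if match else None

def parse_time(text):
    # Timestamp format as it appears in the post's log export.
    return datetime.strptime(text, "%m/%d/%Y, %I:%M:%S.%f %p")

def group_bursts(times, max_gap=timedelta(seconds=5)):
    """Split timestamps into bursts of requests no more than max_gap apart."""
    bursts = []
    for t in sorted(times):
        if bursts and t - bursts[-1][-1] <= max_gap:
            bursts[-1].append(t)  # close enough to the previous request
        else:
            bursts.append([t])    # a longer pause starts a new burst
    return bursts

def summarize(raw_times):
    """Total requests, overall span in seconds, and the size of each burst."""
    times = [parse_time(t) for t in raw_times]
    return {
        "total": len(times),
        "span_seconds": (max(times) - min(times)).total_seconds(),
        "burst_sizes": [len(b) for b in group_bursts(times)],
    }

if __name__ == "__main__":
    print(summarize(REQUEST_TIMES))
```

A burst of several requests within a few seconds followed by smaller, spaced-out bursts is the shape worth alerting on when the same exception signature recurs.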

Assessment

The threat actor was likely trying to discover whether the Sitecore instance exposed an accessible GraphQL endpoint that would let them enumerate the schema, retrieve site config, or query published content.

Interestingly, I didn't find any requests to the head application that corresponded with these requests, so it seems that the threat actor was making requests directly to the content delivery server.

Keep your eyes peeled,

-MG

