<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
Tom,
<p>So do you think this is a DoS attack? I have seen DoS attacks
before but I have never seen one that uses over 2,000 machines. I
do not think that the packets are spoffed, because 1) I can ping them,
2) They appear to primarily originate from about 8 different countries
only, 3) If I stop the server (I did that for one full day), they keep
going even after a day- most DoS attacks stop when the system crashes
or stops responding.
<p>Anyway, if it not related to zope, what do you think this flood is related
to? And why from all over the world. The attack started September
15 and the customer has no idea why they would single out his site. Pretty
low volume site. This system is on a shared hosting machine, and
the attacks are only focused on this one customer and not the whole machine.
<p>Any thoughts?
<p>We thought that there might be a database in a CMF servers and all of
sudden, someone put this customers site down as one of them and all zope
users started trying to access it. We do not use CMF and I had never
heard of it before so please excuse my ignorance as to what it actually
does. Like you mentioned,it probably has nothing to do with CMF.
The only reference in google that we could fine was to zope, so we thought
there might be a link.
<p>I am thinking about calling CERT to see if this is from a virus, but
wanted to make sure I understood the cause more before notifying CERT.
<p>P.S. If zope@zope.org is a mailling list,please let me know so that
I do not bore everyone with our problem. Thanks.
<br>
<p>Juan
<br>
<p>"Passin, Tom" wrote:
<blockquote TYPE=CITE>[ Juan Lorenzana]
<br>> My name is Juan Lorenzana and I am a system administrator for
<br>> an ISP in
<br>> Brazil. They offer virtual servers and virtual hosting.
The reason I
<br>> am sending you this email is that one of our virtual hosting
<br>> customer's
<br>> web site is being flooded with requests that appear to be related
to
<br>> zope. An excerpt of the log files appear below:
<br>>
<br>>
<br>> Access Log file:
<br>> 168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET
<br>> /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
<br>> 216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET
<br>> /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
<br>> 200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET
<br>> /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
<p>The same thing has also been seen in a php context, so it is probably
<br>nothing to do with Zope -
<p>"The server farm is being hit by about 30,000 of these per minute
<br>along with all of your valid requests :
<p>from <a href="http://forum.mydomain.com/viewtopic.php?t=2241&start=15">http://forum.mydomain.com/viewtopic.php?t=2241&start=15</a>
-
<p>-- begin log snip --
<p>4.35.208.254 [27/Aug/2003:14:13:46 -0700]
<br>"\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\
<br>xe7\
<br>xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x
<br>80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x
<br>b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K
<br>\x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb
<br>2)Mw\xa6\xc9@i" 400 371
<p>200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET
<br><a href="http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1">http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1</a>
<br>HTTP/1.1" 404 5
<p>-- end log snip -- "
<p>There are other php examples too.
<p>The Zope Hot Patch does not look like the query string. the only
part
<br>that has a name starting with "z" is this -
<p>from zLOG import LOG, INFO
<p>I doubt that this has anything to do with zope per se, given the above.
<p>Anyone else know anything more concrete than speculation?
<p>Cheers,
<p>Tom P</blockquote>
</html>