[Zope] Urgent: Severe problem

Juan Lorenzana juan at itwest.net
Wed Sep 24 13:57:24 EDT 2003


To Zope,

My name is Juan Lorenzana and I am a system administrator for an ISP in
Brazil.  They offer virtual servers and virtual hosting.  The reason I
am sending you this email is that one of our virtual hosting customer's
web site is being flooded with requests that appear to be related to
zope.  An excerpt of the log files appear below:


Access Log file:
168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET
/put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET
/put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET
/put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273

Error Log file:
[Wed Sep 24 11:34:50 2003] [error] [client 168.226.70.160] File does not
exist: /httpd/htdocs/put
[Wed Sep 24 11:35:55 2003] [error] [client 216.244.197.250] File does
not exist: /httpd/htdocs/put
[Wed Sep 24 11:36:10 2003] [error] [client 200.63.144.150] File does not
exist: /httpd/htdocs/put

As you can see, this box is being hit by thousands of machines
requesting a put file with variables similiar to the ones that released
in your patch "CMFHotfix_20030908" found on your website at
http://cmf.zope.org/download/CMFHotfix_20030908/announce-CMFHotfix_20030908

With a little help from google, we were able to track an instance where
someone started experiencing these same put request and the fix pointed
to your website for the CMFHotFix_20030908.

The problem is that this virtual host customer is being hit by thousands
of machines all trying to execute put? with ver=01&task=newzad&first= as
arguments.  I only included a 20 second snap shot fromthe log files, but
we are receiving thousands of requests per second.  The server is being
overloaded and I had to throttle the server to keep it up.  We do not
know exactly what is going on, but suspect that someone, thousands of
machines that use Zope are making put requests to this client.

Not sure why or how,but we suspect that it has to do with zope and
wanted to contact someone to see if they could help us address the
issue.  Currently we wrote a program that blackhole's every ip trying to
connect.  However, we have already blocked over 2000 ip addresses and
they just keep coming.  The log files are over 4 Gigs, and had we not
throttled the server, they would probably be a lot bigger.

Anyway, who can we talk to about finding out what is really happening
and why.  The URL of the site that is being hit is
www.revistaprofashional.com.br

If you can direct me to someone that can help, I would really appreciate
it.  Thanks.

Juan Lorenzana
Techincal Support
juan at itwest.net
602-738-3220





More information about the Zope mailing list