[Zope] Urgent: Severe problem

Passin, Tom tpassin at mitretek.org
Wed Sep 24 16:22:51 EDT 2003


Sorry, my last post got sent by mistake just when I started to write it.
It does sound like a DoS situation.  The large number of coordinated
machines all sending the same peculiar request would fit in perfectly.
You say the attack started Sept. 15, but the log extract I included in
my earlier post happened in August.  I would say that a new wave of
machines got infected, and they were given the signal to wake up and do
this attack.
 
You have been contacting a mailing list, BTW.
 
Cheers,
 
Tom P
 
[Juan Lorenzana]

Tom, 

So do you think this is a DoS attack?  I have seen DoS attacks before
but I have never seen one that uses over 2,000 machines.  I do not think
that the packets are spoofed, because 1) I can ping them, 2) They appear
to primarily originate from about 8 different countries only, 3) If I
stop the server (I did that for one full day), they keep going even
after a day; most DoS attacks stop when the system crashes or stops
responding.


Anyway, if it is not related to zope, what do you think this flood is
related to?  And why from all over the world?  The attack started
September 15 and the customer has no idea why they would single out his
site. Pretty low volume site.  This system is on a shared hosting
machine, and the attacks are only focused on this one customer and not
the whole machine.


Any thoughts? 


We thought that there might be a database in a CMF server and all of a
sudden, someone put this customer's site down as one of them and all zope
users started trying to access it.  We do not use CMF and I had never
heard of it before so please excuse my ignorance as to what it actually
does.  Like you mentioned, it probably has nothing to do with CMF.  The
only reference in google that we could find was to zope, so we thought
there might be a link.


I am thinking about calling CERT to see if this is from a virus, but
wanted to make sure I understood the cause more before notifying CERT. 


P.S. If zope at zope.org is a mailing list, please let me know so that I do
not bore everyone with our problem.  Thanks.


Juan


"Passin, Tom" wrote: 


[Juan Lorenzana]
> My name is Juan Lorenzana and I am a system administrator for
> an ISP in Brazil.  They offer virtual servers and virtual hosting.
> The reason I am sending you this email is that one of our virtual
> hosting customer's web site is being flooded with requests that
> appear to be related to zope.  An excerpt of the log files appears below:
>
>
> Access Log file:
> 168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
> 216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
> 200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273

The same thing has also been seen in a php context, so it probably has
nothing to do with Zope -


"The server farm is being hit by about 30,000 of these per minute 
along with all of your valid requests : 


from http://forum.mydomain.com/viewtopic.php?t=2241&start=15 -


-- begin log snip -- 


4.35.208.254 [27/Aug/2003:14:13:46 -0700] 
"\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\

xe7\ 
xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x

80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x

b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K 
\x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb

2)Mw\xa6\xc9 at i" 400 371 


200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5


-- end log snip -- " 


There are other php examples too. 


The Zope Hot Patch does not look like the query string.  The only part
that has a name starting with "z" is this -


from zLOG import LOG, INFO 


I doubt that this has anything to do with zope per se, given the above. 


Anyone else know anything more concrete than speculation? 


Cheers, 


Tom P
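The pattern both messages describe (thousands of distinct sources, one identical request, all answered with 404) can be measured from the access log itself. The following is an added example, not code from this thread or from Zope: it parses lines in the two log shapes quoted above, counts requests carrying the thread's query string per source address and per minute, and flags a distributed pattern when many distinct sources send it. The sample lines are constructed; three are the thread's own and the rest use documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime
# Access-log line in the two shapes seen in the thread: "ip - - [ts]" and "ip vhost [ts]".
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?: [^\s\[]+)* \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The query string every flood request in the thread carries, whatever the path.
FLOOD_QUERY = "ver=01&task=newzad&first=1"
# Constructed sample: the first three lines are the ones quoted in the thread; the rest are
# made up (RFC 5737 documentation addresses) to add a repeat source, the vhost/absolute-URL
# form, a normal request, and a binary request that will not parse at all.
SAMPLE_LOG = [
    '168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285',
    '216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '192.0.2.10 - - [24/Sep/2003:11:36:12 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '192.0.2.10 - - [24/Sep/2003:11:36:40 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '198.51.100.7 vhost.example [24/Sep/2003:11:36:45 -0600] "GET http://vhost.example/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5',
    '203.0.113.4 - - [24/Sep/2003:11:36:50 -0600] "GET /index.html HTTP/1.1" 200 1234',
    r'192.0.2.9 [24/Sep/2003:11:37:00 -0600] "\x87\x92\xdc" 400 371',
]

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_flood_request(target):
    """Match on the query string only: the thread saw it on /put and on a PHP path alike."""
    return target.partition("?")[2] == FLOOD_QUERY

def summarize(lines, min_sources=3):
    """Count flood requests per source and per minute; many distinct sources = distributed."""
    per_ip, per_minute, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # e.g. the binary junk request from the second log snippet
            continue
        if is_flood_request(rec["target"]):
            per_ip[rec["ip"]] += 1
            per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return {"sources": len(per_ip), "requests": sum(per_ip.values()),
            "top_sources": per_ip.most_common(3), "unparsed": unparsed,
            "peak_per_minute": max(per_minute.values(), default=0),
            "distributed": len(per_ip) >= min_sources}
```

Run `summarize(SAMPLE_LOG)` on the sample, or feed it real log lines; the `sources` versus `requests` ratio is what separates one noisy client from a coordinated flood.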
