[Juan Lorenzana]
My name is Juan Lorenzana and I am a system administrator for an ISP in Brazil. They offer virtual servers and virtual hosting. The reason I am sending you this email is that one of our virtual hosting customers' web sites is being flooded with requests that appear to be related to Zope. An excerpt of the log files appears below:
Access Log file:

168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273

The same thing has also been seen in a php context, so it is probably nothing to do with Zope -

"The server farm is being hit by about 30,000 of these per minute along with all of your valid requests :

from http://forum.mydomain.com/viewtopic.php?t=2241&start=15 -

-- begin log snip --
4.35.208.254 [27/Aug/2003:14:13:46 -0700] "\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\ xe7\ xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x 80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K \x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb 2)Mw\xa6\xc9@i" 400 371
200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5
-- end log snip --
"

There are other php examples too.

The Zope Hot Patch does not look like the query string. The only part that has a name starting with "z" is this -

from zLOG import LOG, INFO

I doubt that this has anything to do with Zope per se, given the above.

Anyone else know anything more concrete than speculation?

Cheers,
Tom P
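
The log excerpts in both messages share one query string across different hosts and paths. The following is an added example, not part of the original thread, that groups access-log requests by query string regardless of path and separately collects clients whose request line is not HTTP at all. The function names and the `min_clients` threshold are assumptions, and the sample input is constructed from the excerpts above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the first three request lines are taken from the thread's
# excerpts, the binary request is shortened, and the last line is an invented
# benign request.
SAMPLE = [
    r'168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285',
    r'216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    r'200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5',
    r'4.35.208.254 [27/Aug/2003:14:13:46 -0700] "\x87\x92\xdc\xecf\xaa" 400 371',
    r'192.0.2.10 - - [24/Sep/2003:11:36:12 -0600] "GET /index.html HTTP/1.1" 200 5120',
]

# Client, optional extra fields, timestamp, quoted request, status, size.
# The request group is greedy so escaped quotes inside it do not end the match.
LINE_RE = re.compile(r'^(\S+) .*?\[[^\]]+\] "(.*)" (\d{3}) \S+$')
REQUEST_RE = re.compile(r'^[A-Z]+ (\S+) HTTP/\d\.\d$')


def summarize(lines):
    """Group requests by query string, ignoring host and path."""
    by_query = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set()})
    malformed = []  # clients whose request line is not HTTP at all
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, request, _status = m.groups()
        req = REQUEST_RE.match(request)
        if not req:
            malformed.append(client)
            continue
        target = urlsplit(req.group(1))  # relative and absolute-URI targets
        if target.query:
            entry = by_query[target.query]
            entry["hits"] += 1
            entry["clients"].add(client)
            entry["paths"].add(target.path)
    return dict(by_query), malformed


def flood_candidates(by_query, min_clients=2):
    """Query strings sent verbatim by at least min_clients distinct clients."""
    return sorted(q for q, e in by_query.items() if len(e["clients"]) >= min_clients)


if __name__ == "__main__":
    groups, bad = summarize(SAMPLE)
    for q in flood_candidates(groups):
        print(q, groups[q]["hits"], sorted(groups[q]["paths"]))
    print("non-HTTP request lines from:", bad)
```
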