Tom, So do you think this is a DoS attack? I have seen DoS attacks before but I have never seen one that uses over 2,000 machines. I do not think that the packets are spoofed, because 1) I can ping them, 2) they appear to primarily originate from about 8 different countries only, 3) if I stop the server (I did that for one full day), they keep going even after a day - most DoS attacks stop when the system crashes or stops responding. Anyway, if it is not related to zope, what do you think this flood is related to? And why from all over the world? The attack started September 15 and the customer has no idea why they would single out his site. Pretty low volume site. This system is on a shared hosting machine, and the attacks are only focused on this one customer and not the whole machine. Any thoughts? We thought that there might be a database of CMF servers and all of a sudden someone put this customer's site down as one of them and all zope users started trying to access it. We do not use CMF and I had never heard of it before, so please excuse my ignorance as to what it actually does. Like you mentioned, it probably has nothing to do with CMF. The only reference in Google that we could find was to zope, so we thought there might be a link. I am thinking about calling CERT to see if this is from a virus, but wanted to make sure I understood the cause more before notifying CERT.
P.S. If zope@zope.org is a mailing list, please let me know so that I do not bore everyone with our problem.
Thanks.
Juan
"Passin, Tom" wrote:
[ Juan Lorenzana]
My name is Juan Lorenzana and I am a system administrator for an ISP in Brazil. They offer virtual servers and virtual hosting. The reason I am sending you this email is that one of our virtual hosting customer's web sites is being flooded with requests that appear to be related to zope. An excerpt of the log files appears below:
Access Log file:
168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
The same thing has also been seen in a php context, so it probably has nothing to do with Zope -
"The server farm is being hit by about 30,000 of these per minute along with all of your valid requests:
from http://forum.mydomain.com/viewtopic.php?t=2241&start=15 -
-- begin log snip --
4.35.208.254 [27/Aug/2003:14:13:46 -0700] "\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\ xe7\ xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x 80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K \x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb 2)Mw\xa6\xc9@i" 400 371
200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5
-- end log snip -- "
There are other php examples too.
The Zope Hot Patch does not look like the query string. The only part that has a name starting with "z" is this -
from zLOG import LOG, INFO
I doubt that this has anything to do with zope per se, given the above.
Anyone else know anything more concrete than speculation?
Cheers,
Tom P
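For triaging a flood like the one in the log excerpts above, here is an added example (my own code, not from anyone in this thread) that parses access-log lines in the common format Juan posted, filters on the "task=newzad" query string, and reports distinct source addresses, peak requests per minute and status codes, which is the evidence needed to tell a distributed flood from a handful of misbehaving clients. The sample lines are constructed to match the excerpt and are not real traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the excerpt in the thread (not real traffic).
# One legitimate request is mixed in so the filter has something to exclude.
SAMPLE_LOG = """\
168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
198.51.100.7 - - [24/Sep/2003:11:36:12 -0600] "GET /index.html HTTP/1.1" 200 1043
216.244.197.250 - - [24/Sep/2003:11:36:40 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
"""

# Apache/NCSA common log format: client ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# The query-string fragment that every flood request in the thread carries.
FLOOD_SIGNATURE = "task=newzad"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "target": m["target"], "status": int(m["status"])}


def summarize_flood(log_text, signature=FLOOD_SIGNATURE):
    """Aggregate only the requests matching the flood signature."""
    records = (parse_line(line) for line in log_text.splitlines())
    hits = [r for r in records if r and signature in r["target"]]
    per_minute = Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in hits)
    per_ip = Counter(r["ip"] for r in hits)
    return {
        "hits": len(hits),
        "distinct_ips": len(per_ip),          # many distinct sources => distributed
        "peak_per_minute": max(per_minute.values(), default=0),
        "top_ips": per_ip.most_common(3),     # candidates for a temporary deny list
        "statuses": dict(Counter(r["status"] for r in hits)),
    }


if __name__ == "__main__":
    print(summarize_flood(SAMPLE_LOG))
```

On a real log, run it over the whole file and compare distinct_ips and peak_per_minute over several days; requests that keep arriving while the site is down will show up as an unchanged rate against a wall of 404s.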